Hong Kong’s Stale Data Protection Laws
The Personal Data (Privacy) Ordinance
Hong Kong’s data protection laws are out of date and no longer fit for purpose in a post-GDPR climate. The Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”) was passed back in 1995 and came into force in 1996, before the existence of Google, Facebook, or many of the data-driven technology giants. At that time the internet was still in its relative infancy, and still being referred to as the “information superhighway”.
The PDPO was based on the 1980 OECD Privacy Guidelines. As such, it introduced into Hong Kong the data protection principles we take for granted today: the requirement to tell data subjects why their data is being collected and to obtain their consent before it is used for a new purpose, a requirement to keep personal data secure, and the rights of access to and correction of one's own data, among others. It established the office of the Privacy Commissioner in Hong Kong, granting the Commissioner the power to issue Enforcement Notices to anyone in breach of the Ordinance, and it provided for fines and custodial sentences both for the specific offences it creates and for failure to comply with an Enforcement Notice.
Amendments To The Law
There has only been one substantive update to the PDPO. In 2010 Octopus Holdings Limited ("Octopus"), which provides the electronic payment service used on Hong Kong’s transport systems and in many stores, hit the press when a whistleblower alleged that the company was selling personal data to third parties so that they could market their products directly to the individuals affected. Octopus initially denied that it had sold any of its customers’ personal data, then two weeks later admitted that it had made HK$44 million over the previous four and a half years selling such data to insurance companies for use in marketing.
Despite public concern over this revelation, Octopus received no fine and no penalty for its actions. It essentially promised “not to do it again”, and the company’s chief executive left the company. But the Octopus incident did lead to an update to the PDPO. The 2012 amendment created new offences, punishable by fines and imprisonment, for using a data subject’s personal data in direct marketing, or providing it to a third party for that purpose, without the data subject’s consent.
Such fines were the highest yet seen in Hong Kong. They have not been updated since, and even in 2012 they were, in this author’s view, far too low to act as an effective deterrent or penalty. At the time of writing, the maximum fines under the PDPO range from HK$10,000 for the majority of offences, through HK$500,000 for using data in direct marketing without consent, up to HK$1,000,000 for providing data to a third party for direct marketing without consent. In Euros, that is a maximum fine of around €1,000 for most offences, rising to approximately €55,000 to €108,000 for the most serious offences. Contrast that with fines under the GDPR, where the upper tier is €20 million or 4% of worldwide annual turnover, whichever is higher.
If Octopus, back in 2010, could make HK$44,000,000 selling personal data, then a maximum fine of HK$1,000,000 might well seem to be a risk worth taking. Whilst the law can also impose custodial sentences of up to five years, in practice these are very rare: the first custodial sentence under the PDPO was not handed down until 2015, when an insurance agent who gave a false statement to the Privacy Commissioner was imprisoned for just four weeks.
The result is that many data controllers in Hong Kong do not take compliance with the PDPO seriously. For many such entities, the first time that data protection law was properly considered was when the GDPR came into force, and overseas legislation remains more of a deterrent to poor data management practices than the law in Hong Kong.
For example, in 2018 Hong Kong’s flag carrier airline, Cathay Pacific, reported that a data breach taking place between October 2014 and May 2018 had exposed the personal data of over 9 million of its customers. 111,578 of these customers were UK residents, leading the Information Commissioner’s Office in the UK to fine Cathay Pacific £500,000. That fine could not be levied under the GDPR, because the failings pre-dated its entry into force; had it been, one can expect it would have been orders of magnitude higher.
Meanwhile in Hong Kong, where the majority of those impacted by the data breach were residents, the Privacy Commissioner issued an Enforcement Notice to Cathay Pacific requiring the airline to take a series of remedial steps. No fine was issued.
Cybersecurity and Breach Notifications (or lack thereof)
It is not just in the area of penalties where Hong Kong’s data protection law is deficient. Cyberattacks and data breaches have risen in number and severity year on year, and Hong Kong has not been immune to this trend. One of the key trends in data protection laws and regulations has been a requirement to report data breaches to the relevant authority within a fixed period of becoming aware of the breach (72 hours under the GDPR), and to notify the affected individuals.
In Hong Kong there is no requirement to notify the Privacy Commissioner of a data breach. Taken together with the fact that, even if the Privacy Commissioner becomes aware of a breach, the penalties in respect of that breach are limited, this has led many organisations simply to decline to inform either the Privacy Commissioner or the impacted parties when a breach takes place, rather than incur the cost, potential reputational damage and protracted exchange of correspondence with the Privacy Commissioner as a breach is investigated.
Instead, rules relating to data breaches tend to be set by industry regulators such as the Hong Kong Monetary Authority. This piecemeal approach to data breaches in Hong Kong is harmful to the city’s reputation as a business hub and does little to assuage the concerns that the general public may have about their personal data, or indeed about where that personal data may be transferred to: whilst s.33 of the PDPO prohibits the transfer of personal data outside Hong Kong unless certain conditions are met, s.33 has never been brought into force and likely never will be.
The Office of the Privacy Commissioner periodically advocates for changes to the PDPO. These have focused on mandatory data breach notification, regulation of data processors, allowing the Office of the Privacy Commissioner to directly impose fines and, following the 2019 protests in Hong Kong, the creation of a new offence and corresponding penalties for doxxing (publishing the personal data of an individual online without consent, a practice which became common during the protests). Of these, given the political climate in Hong Kong, one can expect that amending the law to impose heavier penalties for doxxing is the most likely, but moves towards modernising the PDPO as a whole seem to have stalled since the beginning of 2020.
This is a shame. The GDPR and the data protection regimes of other (some would say competing) Asian jurisdictions, such as Singapore, provide a framework and a roadmap which could easily be adapted, adopted and followed by Hong Kong. International businesses in the jurisdiction already ensure they are GDPR compliant, so updating the PDPO in line with what is considered the gold standard in data protection legislation should not come as a compliance shock for them. For smaller businesses, and crucially for individuals, revitalising a law which is well past its sell-by date would not only increase confidence in Hong Kong’s data protection regime and respect for its Privacy Commissioner, but would also provide some much-needed reassurance that an individual’s rights in respect of their personal data are properly protected.
Article provided by: Paul Haswell (Pinsent Masons, Hong Kong)
Dr. Tobias Höllwarth (Managing Director INPLP)