In light of high profile data security leaks and data privacy developments internationally, the Hong Kong Privacy Commissioner has recently given an interesting insight into the key lessons of 2015, trending issues and the strategic focus of the Office of the Privacy Commissioner for Personal Data ("PCPD") for 2016. Organisations operating in Hong Kong are advised to take note of these developments and their potential impact on data privacy practices.
Complaints and Enforcement Action
2015 saw a record high number of privacy complaints to the PCPD by the public, signifying the increasing privacy awareness of the public. Among private sector organisations, the financial sector received the most complaints, followed by the property management and telecommunications sectors. Organisations in these sectors are, therefore, likely to be under the PCPD's gaze in 2016.
The high number of warnings, enforcement notices and cases that were referred to the Hong Kong police by the PCPD in 2015 also shows the increasing willingness of the PCPD to enforce the Personal Data (Privacy) Ordinance (“PDPO”).
In particular, four successful convictions were brought in 2015 for contraventions of the direct marketing provisions of the PDPO. These were the first prosecutions and fines under the direct marketing rules, which came into force on 1 April 2013. (For more details on the first conviction, which involved a telecommunications service provider failing to comply with a customer's opt-out request, please refer to our article here.)
The four convictions involved cases which were relatively obvious breaches of the direct marketing provisions. It will be interesting to see how the courts determine further cases in 2016 and whether they clarify some of the areas of uncertainty in direct marketing practices.
Major data breaches
2015 saw a number of major data breaches in Hong Kong which resulted in international media coverage, affected millions of individuals (including children) in multiple jurisdictions, and are subject to investigations by the PCPD, including:
- Personal data of up to 3.3 million members of the SanrioTown website were publicly accessible due to security vulnerabilities; and
- The disclosure of the data of 5 million parents and over 6.6 million related children's profiles worldwide from Vtech's website.
Therefore, any organisations operating e-commerce or other online platforms and associated customer or member databases are advised to review their security measures. Data security is likely to be a top priority of the PCPD in 2016.
Prohibition on cross-border transfer of personal data
Section 33 of the PDPO, which regulates the cross-border transfer of personal data, has not been implemented to date. While it is reported that proposals to implement section 33 are under consideration by the Hong Kong Legislative Council, the Privacy Commissioner has commented that the Government is trying to balance the need to ensure that personal data transferred overseas is afforded comparable protection against the adverse impact of section 33 on businesses and economic development; further details of the proposals are awaited. Interestingly, however, the Privacy Commissioner stated that developments in Europe regarding the US Safe Harbour framework will need to be taken into consideration when implementing section 33. We therefore wait to see whether this has any impact on the substance or timing of the current proposals.
The right to be forgotten
Following a ruling by the European Court of Justice in the Google Spain case, the so-called "right to be forgotten" has given individuals in the EU a right to deletion of personal data regarding themselves in the public domain. While the recent Webb case in Hong Kong considered some of the issues around a "right to be forgotten", it did not introduce such an express right into Hong Kong law. Nonetheless, the Privacy Commissioner has recently indicated that the PCPD will keep an open mind regarding recognising the "right to be forgotten" in Hong Kong. If this is introduced, it will have an impact on online operations as well as on individuals in Hong Kong.
Other Areas of Focus for 2016
The PCPD has indicated it will focus on other areas, including:
- the possible impact of the new General Data Protection Regulation introduced by the European Commission on the PDPO and current best international data privacy practices. The new EU framework will introduce a significant change to data privacy practices in the EU, especially in relation to digital data;
- promoting the Privacy Management Programme, including greater boardroom involvement. The Privacy Management Programme also encourages organisations to designate a responsible person to oversee the organisation’s compliance with the PDPO, which is not a mandatory requirement but is similar to the role of a data protection officer in other jurisdictions;
- considering privacy issues relating to Big Data and the Internet of Things, as the related collection and exchange of data become more of a real privacy concern for individuals; and
- supporting the commencement of operation of the Electronic Health Record Sharing System.
In 2015, we saw a number of (non-binding) best practice guidance notes issued by the PCPD promoting higher standards of data privacy practice than those prescribed in the PDPO, and these indications suggest this trend may continue in 2016. Organisations are, therefore, advised to pay close attention to further guidance issued by the PCPD in 2016.