On 7 July 2011, the Office of the Privacy Commissioner for Personal Data issued a consultation paper on the implementation of a data user return scheme in Hong Kong. Data users of specified classes will be required to submit data user returns annually.
The Personal Data (Privacy) Ordinance ("PDPO"), which was enacted in 1996, provides under Part IV that the Privacy Commissioner for Personal Data (the "Privacy Commissioner") may specify a class of data users and require them to submit to the Privacy Commissioner data user returns containing information on the kinds of personal data they control and the purposes for which the personal data are collected, held, processed or used, etc. The relevant provisions, however, have never been invoked until now. The Privacy Commissioner intends to finalise the operation and implementation framework of such a scheme ("Scheme") before the end of 2011.
Classes of data users that would be caught by the Scheme
The Scheme will be rolled out in phases. It will initially cover (1) the public sector; (2) three large and regulated industries, namely banking (all authorised institutions regulated by Hong Kong Monetary Authority), telecoms (telecoms service providers that hold unified carrier licences and provide fixed internal services and/or mobile services regulated by the Office of the Telecommunications Authority) and insurance (insurers only, excluding insurance agents and insurance brokers); and (3) organisations with a large database of members, e.g. customer loyalty schemes (collectively "Data Users"). The Privacy Commissioner is considering a definition for "organisations with a large database of members" so that whether a data user belongs to the class can be decided with certainty.
When will the Scheme take effect?
It is expected that the Scheme may commence in the fourth quarter of 2012. Following this timetable, Data Users will need to submit data user returns around the second half of 2013, i.e. not earlier than 3 months before, and not later than, each anniversary of the commencement of the notice concerning the Scheme.
What will Data Users need to do?
Data Users will be required to submit data user returns on an annual basis, and any changes in the prescribed information contained in the return shall be notified to the Privacy Commissioner not later than 30 days after the change.
The prescribed information to be submitted by Data Users is specified in Schedule 3 of the PDPO. Data Users may also opt to provide optional information which, upon the request of the Data Users, may be made accessible to the Privacy Commissioner only and not to the general public.
A prescribed fee of HK$5,700 per annum will be charged by the Privacy Commissioner. No charge will be imposed for any changes or updates between the annual submissions. Slightly higher charges will be imposed for late filings.
The information submitted to the Privacy Commissioner will be available for public inspection via an electronic register accessible online and in the Office of the Privacy Commissioner.
It is an offence for any Data User to knowingly supply information that is false or misleading. The offender may be liable to a fine at level 3 (currently at HK$10,000) and imprisonment of up to six months.
Implication of the Scheme
Most EU countries have already adopted similar schemes. According to the Privacy Commissioner's survey, most data users and data subjects in these EU countries considered the scheme useful. The Scheme, being an annual filing and reporting scheme that does not entail obtaining any prior approval or going through any clearance process, should be regarded as a moderate step taken by the Privacy Commissioner in enhancing the level of protection for the privacy of personal data in Hong Kong. The Scheme may create an administrative burden on Data Users, but such burden should be regarded as minimal. The Scheme should be no stranger to Hong Kong companies that have overseas operations that are already subject to the EU data protection regulatory regime.
Following a number of recent high-profile incidents in Hong Kong in which personal data was thought to have been used contrary to the data protection principles under the PDPO, it is interesting to see the Privacy Commissioner and the Hong Kong Government respond by bringing the Scheme into force, in addition to introducing an amendment bill to the PDPO in July 2011 which, if passed in its current form, will bring a significant overhaul of this 15-year-old legislation.