Are we seeing a return of proactive enforcement of Hong Kong’s data protection laws, after a lull in recent years?
On 14 November 2022, the Office of the Privacy Commissioner for Personal Data (“PCPD”) published two investigation reports for non-compliance of the Personal Data (Privacy) Ordinance (“PDPO”):
- EC Healthcare’s failure to obtain consent for the use, disclosure, and transfer of patient’s personal data across its group entities; and
- Fotomax’s failure to take adequate security measures against a ransomware attack.
Following that, the PCPD served enforcement notices on both EC Healthcare and Fotomax, requiring them to take remedial steps and prevent the recurrence of contravening the PDPO.
Moving on – compliance priorities
The two investigation reports addressed both public facing aspects and internal operations of the businesses’ data protection compliance.
Notice and Consent
Businesses should focus on the external aspects of compliance, such as (i) providing adequate notice which details the use and purpose of data collection, and (ii) obtaining consent prior to the use, disclosure, and transfer of personal data – and obtaining fresh consent where new data processing purposes arise.
In particular, businesses operating multiple brands should take extra care when sharing personal data across its group entities.
Internal Security Measures
With a rise in cyberattacks, businesses should actively monitor and improve their internal security measures through:
- conducting regular risk assessments to understand the IT vulnerabilities and potential risk of data incidents;
- maintaining adequate technical and organisational security measures (e.g., de-identification and/or encryption of personal data, data access rights for staff on a need-to-know basis etc.) to mitigate the potential impact of data incidents;
- implementing a data privacy management programme which sets out key data protection governance responsibilities (e.g. appointment of Data Protection Officer(s)); and
- keeping records of internal communications and procedures to demonstrate compliance with the PDPO.
The publication of these investigation reports comes as a surprise within the Hong Kong data privacy landscape. Given the PCPD has in recent years taken a more ‘behind the scenes’ approach towards enforcement, this may indicate a more proactive phase for enforcement. Further, this may be a push by the Privacy Commissioner to encourage Hong Kong lawmakers to finally pass the remaining provisions of the PDPO Amendment Bill (i.e., mandatory breach notification and higher fines).
As such, businesses should bear in mind the multi-faceted compliance priorities (i.e. both external and inward facing obligations), as well as the reputational risks of non-compliance, given the publicity generated in investigation reports.