Hong Kong's Privacy Commissioner for Personal Data received 1,792 complaints in 2013, a record high. The figures show a 48% increase in complaints filed and more than a doubling of the number of enforcement notices issued by the Commissioner, with 25 enforcement notices issued in 2013 against 11 in 2012. 78% of all complaints were made against the private sector, in particular the financial, telecommunications and property sectors. The Commissioner has confirmed that a key focus for 2014 will be to increase its enforcement efforts.
The step change in enforcement activity should most obviously be a cause for concern for businesses that rely on personal data for marketing their products and services. Thirty percent of last year's complaints related to direct marketing (a significant increase). But a close examination of the figures shows that business concerns should be much broader than this. For example, there was a substantial increase in the number of data security breaches reported to the Commissioner (61 in 2013 against 50 in 2012), showing that the growth in investigations and enforcement activity doesn't just relate to electronic marketing. As businesses become more and more dependent on their data holdings as a means of finding competitive advantage, and "Big Data" becomes an increasingly valuable business asset, data privacy compliance becomes a business-wide issue that requires board-level attention.
The Commissioner's latest policy initiative underscores this point. Last month, the Commissioner published guidance calling for businesses to adopt comprehensive Privacy Management Programmes directed at achieving compliance in all aspects of their business. This "best practice" standard of compliance deserves careful review, as it will likely be taken into account in adjudicating future rounds of enforcement action. Every organisation that handles personal data needs to ensure compliance with the Ordinance. If the Commissioner's office receives a complaint, the Commissioner has the power to order an investigation and, where there has been a breach, issue an enforcement notice. There are now substantial penalties under the Personal Data (Privacy) Ordinance ("PDPO") for the most serious breaches, with fines up to HK$1,000,000 and 5 years' imprisonment. Quite apart from the criminal sanctions, there are reputational risks for an organisation that is subject to an investigation, with the Commissioner increasingly prepared to "name and shame" organisations and publicise the results of his investigations.
Comprehensive regulation requires a well-considered, comprehensive response.