At a global panel session on 28 March 2019, the Hong Kong Privacy Commissioner expressed concern that Hong Kong runs the risk of being left behind as “a risky jurisdiction for hosting data”. This could soon change. Hong Kong’s Constitutional and Mainland Affairs Bureau presented to the Legislative Council on 20 January 2020 a paper proposing changes to Hong Kong’s data privacy law (Paper). If the proposed amendments are implemented, Hong Kong’s privacy law (and its Privacy Commissioner) will have the tools necessary to bring data protection standards in line with international standards, and in particular GDPR. The proposals in the Paper would also represent a step change in enforcement powers.

1. Introduction of a mandatory breach notification

The Paper proposes the introduction of a mandatory notification obligation, requiring data users to notify both the Office of the Privacy Commissioner for Personal Data (PCPD) and the relevant data subject within a specified timeframe in the event of a data breach. The Paper does not commit to a timeframe but by way of example suggests a breach having a “real risk of significant harm” should be notified to the PCPD within five business days.

Compare this to the GDPR, which provides for notification within 72 hours where the breach is likely to put at risk the rights and freedoms of individuals.

It is worth noting that the Paper proposes the same definition of personal data breach as that contained in the GDPR, which includes a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. This is broader than the current position, where enforcement against failure to prevent unauthorised or accidental access of personal data arises only upon breach of Data Protection Principle 4 under the Personal Data (Privacy) Ordinance (Cap. 486) (the PDPO).

2. Certainty around data retention periods

The Paper suggests data users should maintain a clear retention policy specifying: (i) a maximum retention period for different categories of personal data; (ii) legal requirements which may affect the retention period (e.g. taxation, employment or medical requirements); and (iii) how the retention period will be counted. Currently the PDPO is unspecific in this regard and requires data users to take all practicable steps to ensure that personal data is not kept “longer than is necessary”.

3. Enhanced powers to sanction

Of perhaps most significance, the proposals in the Paper (if adopted) would represent a step change in enforcement powers. They would confer powers on the PCPD to directly impose administrative fines for contravention of the PDPO instead of having to first issue an enforcement notice. This would be consistent with data protection regimes in Singapore, the United Kingdom and the EU.

In addition, the Paper contains proposals to increase the level of fines that may be imposed for criminal liability, and links the level of fines to the annual turnover of the data user. The approach under consideration differs from that under the GDPR, which imposes a maximum administrative fine of €20 million or 4% of the company’s global annual turnover in the preceding year, whichever is higher. Instead, the Paper suggests data users be classified with different scales according to turnover and that those scales be matched to different levels of administrative fines.

4. Regulation of data processors

Currently, the PDPO does not regulate data processors (a person who processes personal data on behalf of another) but places the obligation to protect personal data solely on data users. The proposals would expand the PDPO’s regulatory reach to cover data processors, as is the case with the GDPR, and in Australia and Singapore.

5. Amendments to the definition of personal data

In light of the increasing use of tracking and data analytics technology, the Paper proposes expanding the definition of “personal data” to cover information relating to an “identifiable” natural person, in line with the definitions adopted by the data protection regimes in the EU, Australia and Canada. Expanding the definition in this manner would serve to extend the levels of data protection and attempt to future-proof the regime as far as possible in light of technological advances with regard to data uses and processing.

6. Regulation of disclosure of personal data – “doxxing” – a vice to be constrained

Meanwhile, the Hong Kong government has expressed increasing concern over the number of “doxxing” incidents in 2019, in which personal data was published online without the data subject’s consent. Such conduct has become so prevalent that the PCPD has handled over 4,700 doxxing complaints since June 2019 and referred over 1,400 cases to the Hong Kong police, and the Department of Justice has obtained an injunction against doxxing directed at protecting police officers and their families. Against this background, the Hong Kong government is considering how to amend the PDPO to introduce legislation to specifically address doxxing, confer statutory powers on the PCPD to request the removal of doxxing content from social media platforms or websites, and confer powers to carry out criminal investigation and prosecution.

The end of the paper dragon?

The PDPO currently fails to provide the necessary statutory powers and framework to create a robust and internationally aligned data protection regime. The Paper is therefore a welcome development. Looking forward, the Hong Kong government will conduct further studies with the PCPD and consult relevant stakeholders in order to formulate concrete legislative amendment proposals. There is no clear timeframe as to when concrete amendments will be tabled for the Legislative Council’s debate and approval. However, if the changes proposed are enacted, Hong Kong’s data privacy regime will be far more aligned with data protection regimes elsewhere, but also far less benign than in its present form.