On 26 January, Hong Kong's Privacy Commissioner for Personal Data (the "Commissioner") published his annual report on 2015 complaints and enforcement activity under the Personal Data (Privacy) Ordinance (the "PDPO").
The report reveals that 871,000 Hong Kong individuals were affected by data breaches in 2015, compared with 47,000 in 2014. The 98 incidents reported to the Commissioner last year (an increase from 70 the previous year) all involved the loss of data, hacking of data or the inadvertent disclosure of personal data by organisations. It is noteworthy that the number of reported breaches continues to increase at a rapid pace notwithstanding the fact that Hong Kong's data breach notification regime is at the moment a voluntary one.
The report is also notable for setting out the Commissioner's statement of priorities for 2016. Of particular significance is the suggestion that the PDPO - which came into force 20 years ago - may now need to be updated to keep pace with Hong Kong's role as an international business centre and with regulatory developments across the world.
Record Number of Public Complaints: The Commissioner's report of a year ago showed a significant uptick in the number of complaints in 2014, suggesting that this was the "new normal" for privacy awareness. That trend has continued in 2015 with public complaints to the Commissioner's office rising by almost 20% to 1,971. Of those complaints, 74% were made against the private sector, with the financial sector receiving the most complaints. 40% of all complaints related to the use of personal data without consent and 37% to the purpose and manner of data collection.
Aggressive Enforcement of the PDPO: While the overall number of warnings and enforcement notices issued by the Commissioner dropped last year (17 warnings and 67 enforcement notices in 2015 compared with 20 warnings and 90 notices in 2014) referrals to the Police were up from 20 in 2014 to 30 last year. There were 6 prosecutions and 4 convictions in 2015, compared with just one in 2014. With public awareness of data privacy issues clearly on the rise, we expect to see investigations and enforcement of the PDPO to continue at pace going forward.
Internet and Telecommunications Infractions: The Commissioner highlighted in his 2014 report that much more of his investigatory work related to the internet and telecommunications services, with complaints more than doubling from 93 in 2013 to 206 in 2014. That trend has continued in 2015 with a further steep increase in the number of complaints to 241. Common privacy disputes arose from the use of mobile apps and social networking websites (161 cases), the disclosure or leakage of personal data via the Internet (85 cases) and cyber-bullying (22 cases). The number of general Internet enquiries concerning cyber- profiling, mobile apps and cyber-bullying also increased to 726 cases in 2015.
Strategic focus for 2016:
The Commissioner has confirmed that in 2016, amongst other things, there will be a special focus on a number of areas, including the following:
Comparative Research and Analyses: The Hong Kong privacy landscape has been evolving rapidly in recent years. The PDPO has now been in force for 20 years and the Commissioner is keen to ensure that the approach taken in Hong Kong keeps pace with the global developments in the protection of personal data. In particular, the Commissioner cites the recent data protection reform in Europe that was agreed in December 2015 in his report and confirms his intention to closely monitor the progress of the new General Data Protection Regulation as it comes into effect.
Big Data and the Internet of Things: The Commissioner has also announced that he will conduct research into the use of big data in Hong Kong in response to the challenges generated by the increased use of information and communications technology, including the increasingly sophisticated networking of devices as part of the Internet of Things.
Privacy Management Programme: Building on one of the key aims from last year, the Commissioner has pledged to continue to press for greater awareness and uptake of the Privacy Management Programme accountability model, which encourages businesses to take a "top down" and holistic approach to organisational data protection compliance.
What does the commissioner's report mean for businesses?
2015 saw a significant rise in data security and data privacy breaches and enforcement actions in Hong Kong and across the region. The increase in the number of data breaches in Hong Kong revealed by the 2015 report is striking. These developments have meant immediate consequences in the form of regulatory action, sanctions and adverse publicity for those investigated or found to be on the wrong side of the law, but the Commissioner also points to the need for updates to policies and guidelines to ensure that Hong Kong keeps pace with the changing privacy landscape.
It is also clear from the report that as privacy complaints continue to rise in Hong Kong, enforcement of the PDPO has turned to the sharper end of the Commissioner's available remedies. Quite apart from the criminal sanctions of committing a breach, there are reputational risks for an organisation that is subject to an investigation. With growing public awareness of personal data and related cyber security issues, the impact of a data privacy conviction on business reputation should not be underestimated. The Commissioner has the right to publish the results of any investigation, name the organisation involved and give details of the breaches committed.
The Commissioner has also restated his advocacy of the Privacy Management Programme. A comprehensive review of data processing practices and procedures always has been best practice, but with an increased risk of privacy complaints and a more aggressive enforcement environment in Hong Kong, the need for compliance by businesses is now far more apparent.
Key points for business that flow from the 2015 report are:
- Are your privacy consents and policies up to date, reflecting any changes in the data that you capture, the technology that you use and the purposes for which it is processed?
- Is the data you hold and process secure? Have you adopted technical standards applicable to different types of internal and external data processing, data access and permissioning? Do you use robust encryption technologies when transferring data between group companies and to third parties?
- Do you need to review your complaints handling and data breach management policies? Are policies in place for escalating, containing and remediating data breaches and evaluating the need for regulatory or data subject notifications?
- As your business moves towards greater use of mobile and cloud technology, social media and data analytics, do you have the right procedures in place to assess potential privacy impacts and keep your practices and procedures up to date?