The Privacy Commissioner for Personal Data (“PCPD”) and others have long expressed concern that the PCPD’s lack of substantive powers has left him a “toothless tiger”. A seeming increase in the intensity of data breaches and malicious “doxxing” incidents over the past 18 months has highlighted that Hong Kong’s data protection powers are far from sufficient. This is in stark contrast to other jurisdictions (notably the European Union (“EU”) and Singapore) whose sanctioning powers act as a far stronger deterrent against breaches.
It is therefore of significant interest that the Legislative Council (“LegCo”) Panel on Constitutional Affairs on 20 January 2020 considered the Privacy Commissioner’s proposed amendments to the Personal Data (Privacy) Ordinance (“PDPO”), including amendments which would strengthen the sanctioning powers of the PCPD (the “Paper”). We have set out below the six proposed areas for change, attempted to provide some colour around the issues and reported some of the discussions which took place at the LegCo meeting.
Mandatory Data Breach Notification Mechanism
Hong Kong remains one of a shrinking number of jurisdictions that does not impose a duty on data users to notify the PCPD (or the affected data subjects themselves) in the event of a data breach. The practical upshot of this legal gap is that disclosure practices vary, which can negatively impact outcomes for customers. For example, some data users will adopt a “wait and see” approach, hoping that the breach will go unnoticed. Others may fear that a notification of any sort will lead to more severe or unjust enforcement, and justify inaction on that basis. Some are forced to disclose by regulators under separate breach disclosure regimes, although they have significant latitude to decide when that is necessary.
The suggestions are that:
- data breaches carrying “a real risk of significant harm” should be subject to mandatory reporting by the data user to the PCPD and to the affected individuals;
- the timeframe for notification is “as soon as practicable and, under all circumstances, in not more than five business days”; and
- there should be a prescribed manner of notification.
If implemented, these legal updates would provide greater certainty and protection. At the same time, data users will still need good policies, contracts, resources and advice to handle breach scenarios. In this regard, one of the (many) difficulties of responding to a multi-jurisdictional data breach (and most data breaches of any size tend to trigger legal responses in more than one jurisdiction) is that no two jurisdictions’ laws on data breach responses seem to be the same. This means that responses are given in a cascade, which is often perpetuated because follow-up correspondence with regulators is usually required. It may be sensible, therefore, for jurisdictions to adopt an approach already taken by another relevant jurisdiction, rather than exacerbating the tapestry of response rules by creating their own. The General Data Protection Regulation (“GDPR”) is notably harsh in relation to breach notifications (generally mandating a notification within 72 hours), so perhaps the Australian threshold and timeframe (a reasonable person would conclude that the breach is likely to result in serious harm, with notification within 30 days of becoming aware) might be more appropriate. The proposed approach within the Panel paper, however, would seem to entail producing something bespoke for Hong Kong.
An alternative legal approach is to specify the number of affected data subjects as the threshold. This has the benefit of giving some certainty but is a blunt instrument, as the seriousness of a breach is often determined more by whether the lost data was encrypted, whether financial data was lost, and the value of the data to a bad actor, whether on the dark web or otherwise.
Data Retention Period
The current Data Protection Principle 2 under the PDPO provides that data users shall take “all practicable steps to ensure that personal data is not kept longer than is necessary for the fulfilment of the purpose (including any directly related purpose) for which the data is or is to be used”. However, no definitive period of retention is specified. The suggestion in the Paper is that data users be required to formulate a clear retention policy with specified periods for the retention of the relevant classes of data they hold.
Data retention periods specified in law and regulatory requirements are fraught with difficulty for a number of reasons:
- different regulators have different rules as to how long data should be retained. Some financial service regulators, for example, want their regulated entities to keep their customer data for much longer than a privacy regulator would think desirable. Naturally, data tends to get kept for the longer rather than the shorter period;
- the majority of companies do not have an effective (or perhaps, cost effective) method of timeously purging their databases of expired data. Often this only comes to light when there is a data breach and the data user has to admit that it was holding ancient data, possibly in breach of its own data retention policies. Usually, a company of any size has a number of systems, each with their own quirks as to data purging, and this exacerbates the problem; and
- the issue is afforded low priority by data users. There is little precedent for enforcement action being taken solely in relation to over-extended retention of personal data.
Maximum retention of data is generally, as a rule of thumb, 7 years, which reflects the 6 year limitation period for legal proceedings on ordinary contracts. However, employee related data needs to be kept for the length of the employment, plus say 2 years (or, some may argue, plus 7 years). Data supporting a tax return needs to be available for however long the tax authority retains the power to re-open the tax assessment, which can be far in excess of 6 years. Pension related data may need to be kept for the life of the person contributing to the pension (extended for the life of their surviving spouse in some cases).
As such, the practical implementation of a data retention policy is not as clear-cut a requirement as this proposed amendment may at first seem.
Sanctioning Powers
There are two areas for consideration here that will impact the legal risks to data users:
- first, the level of fines which may be levied (custodial sentences are available but never, to date, imposed); and
- secondly, whether the Privacy Commissioner should in any circumstance be able to levy its own administrative fines.
Although the fines available for breaches of the direct marketing laws brought into the PDPO in 2012 include fines of up to HK$500,000 or HK$1,000,000, fines for breaches of other provisions of the PDPO are generally capped at HK$50,000. Even those convicted of direct marketing offences tend to receive fines in the order of HK$20,000 (probably less than one tenth of the cost of defending the charge). The current level of fines in Hong Kong is wholly inadequate to act as a deterrent (although the publicity surrounding such a conviction might be).
Consideration is being given to whether fines should be linked to the annual turnover of the data user. This is more akin to the approach taken in the EU, where the maximum available fine is EUR20 million or 4% of the company’s global annual turnover in the preceding year, whichever is higher.
GDPR’s headline grabbing fines linked to a percentage of annual turnover are not (as explained by the United Kingdom’s Information Commissioner’s Office) intended to increase the level of fines for most infringements. They are specifically designed as a stick with which to beat large multi-national infringers. This may be seen as part of a tit-for-tat escalation of regulatory action between US and EU regulators. Hong Kong may not wish to enter that particular contest. Nevertheless, the current level of fines in Hong Kong is wholly inadequate to act as a deterrent.
Perhaps Hong Kong should be satisfied to set fines consistent with a regional benchmark. It is suggested that Hong Kong should have available fines at least as substantial as Singapore’s (S$1 million), and that the Hong Kong Courts should adopt a tariff system which imposes fines (in deserving cases) at the upper end of the spectrum.
The Paper suggests, following the PCPD’s long standing request, that the PCPD should have the power to impose administrative fines. This is on the basis that the data user would be given appropriate time to make representations, as well as being afforded a right of appeal to the Administrative Appeals Board.
Several LegCo members expressed support (albeit in the context of doxxing – see below) for granting power to the PCPD to carry out criminal investigation and prosecution.
The PCPD also explained that it currently faces difficulties in conducting investigations and collecting evidence, and that this proposed expansion of the PCPD’s powers is therefore necessary. The decision whether or not to prosecute will still remain with the Secretary for Justice.
Regulation of Data Processors
Data processors are a specific category of regulated entities in several major privacy laws globally.
It was therefore an unfortunate omission from the original PDPO (drawn up in 1995) that obligations to protect personal data were imposed on data users (called controllers in most other jurisdictions) and not data processors as well. Although data users are supposed to impose equivalent protections on the data processors with whom they deal (and are incentivised in this respect by the fact that data users retain responsibility for the data defaults of their processors), from the perspective of the regulator and the data subject, it makes much more sense to impose statutory obligations upon processors directly. Such regulations were recommended in the run up to the 2012 revisions to PDPO, but were not brought forward, seemingly to make way for the direct marketing laws.
The Paper urges direct accountability of data processors in the areas of data retention, security and breach notification. This is consistent with leading international practice and should be supported.
Definition of Personal Data
This is arguably the most significant proposal and a potential game changer for BigTech, financial institutions and other users of big data and AI systems.
The current definition of “personal data” under the PDPO includes information that relates to an “identified” person. The suggestion is that the definition be expanded to include data that relates to an “identifiable” natural person.
This definition, if accepted, would align the definition under the PDPO with definitions adopted in other jurisdictions including the EU, Australia, Canada and New Zealand.
An “identifiable person” is a living individual who can be identified, directly or indirectly, by reference to an identifier. Fundamentally, whenever you distinguish one individual from another, you are identifying that individual. As such, a wide category of information may potentially be captured by the proposed amendment (i.e. location data, online identifiers, IP addresses, cookie identifiers, etc.).
The purpose of this change is to reflect the wide use of tracking and data analytics technology. The proposed amendment recognises that the rapid development of big data, artificial intelligence and related technologies has created unanticipated privacy risks. In particular, analytics technologies are capable of collecting a wider scope of data than previously anticipated. In many instances, the collection of raw data for data analytics purposes falls short of the PDPO definition, meaning that such collections are not subject to regulation under the PDPO. As an example, consider the collection of location data. This data may be collected for the purpose of determining where the strongest concentration of customers is based, so that a business knows which areas to focus its marketing activity on. This data is unlikely to amount to data relating to an “identified” person and so may be unregulated. It may, however, allow an individual to be indirectly identified, particularly when coupled with other data points.
The PCPD is concerned to raise the level of protection afforded to individuals in such instances. Thus, the expansion of the definition will capture, and thus regulate, a wider array of activities.
The consequence will be that data controllers are not only going to have to protect more types of data, but also to consider what existing data held (previously not considered personal data) now falls within the definition.
Practically speaking, the upshot of this change will include the following:
- there will be a requirement to understand and identify the raw data obtained by existing systems so that such data can be properly characterised;
- existing Personal Information Collection Statements (“PICS”) / privacy statements may need to be amended to reflect the extended scope of activities caught and ensure consent has been properly obtained where required; and
- new security measures may need to be introduced to ensure that such data is protected against unauthorised or accidental access, processing, erasure, loss or use.
Doxxing
Internet platforms and other companies continue to grapple with the misuse of social media and communication tools, which can cause considerable psychological (and even physical) harm to users when their personal data is published online.
In this respect, Hong Kong law is arguably ahead of the curve. Namely, section 64 of the PDPO already addresses doxxing. However, there are two hurdles in the current situation in Hong Kong:
- as the PCPD has no practical enforcement power of its own, it has to bring its requests for investigation and enforcement to the Hong Kong Police Force (“Police”). Most of those subjected to doxxing in past months have been members of the Police or their families, but there have also been complaints against the Police. This comes across as awkward; and
- effective enforcement involves take-down requests being made to internet service providers and other cogs in the social media chain. Although the Paper indicates that the PCPD has an impressive 70% success rate in such take-down requests, there may be room to shortcut some of the procedures via a statutory protocol.
The Government is studying how to amend the PDPO so as to limit doxxing more effectively. This may also involve conferring on the PCPD statutory powers to require the removal of doxxing materials from social media platforms or websites, as well as the powers to carry out criminal investigations and prosecutions.
Many of the LegCo members also raised concerns about the disclosure of personal data, both on online platforms and on “Lennon Walls” in public places.
The PCPD stated that enforcement notices have been effective and that 100% of Hong Kong online platforms have complied with enforcement notices to remove posts containing personal data. However, it is harder to require overseas websites to do the same. Administrative fines would assist the PCPD in taking action against online platforms.
The PCPD’s power to ask for the removal of personal data from public spaces is not limited to online platforms. The PCPD has actively sought assistance from the relevant authorities in removing personal data posted on Lennon Walls and encourages the public to submit reports to assist the PCPD in carrying out removals.
The Secretary for Constitutional and Mainland Affairs (“Secretary”) stated that the proposed measure of empowering the PCPD to carry out criminal investigation and prosecution will significantly enhance the efficiency of dealing with doxxing incidents.
And a few matters that do not fall within the current review
Section 33 and cross-border transfer of data
Section 33 of the PDPO relates to protections for offshore transfers of data, but has never been implemented formally (although the PCPD and other regulators encourage compliance).
Many LegCo members expressed concern that the Government is delaying the enactment of section 33 of the PDPO, and that the personal data of Hong Kong citizens is at risk of being improperly transferred to other jurisdictions with poor protection of personal data.
The PCPD admitted that there is currently no timeframe for the enactment of section 33. However, the PCPD is working on two guidelines on the cross-border transfer of data by organisations and by data processors (such as cloud providers). It aims to release these guidelines in the first half of 2020.
This may not change the law immediately, but it will be relevant to a number of companies, such as financial institutions, for whom PCPD guidance or similar standards are often made semi-mandatory by their regulators (through a link to their obligation to remain “fit and proper” in order to retain a licence).
Dealing with sensitive data
The current regime does not have effective protection for sensitive data, such as biometric or medical data. Extra precautions for such data are only contained in thematic and non-binding guidance, making enforcement complex.
Regulation of sensitive data was recommended in the pre-2010 consultation on PDPO enhancement, but was not carried forward at that time. The PCPD and the Secretary said they will consider this in the proposed amendment.
If enacted, policies and procedures (and indeed systems) will need to be calibrated to ensure that they appropriately differentiate between regular personal data and sensitive data.
Watch this space
These six developments are deceptively modest on paper, but if implemented will require enhancements to controls, systems, resources and contracts.
We strongly recommend carefully considering their potential impact and monitoring for any further developments.