On 28 January, Hong Kong's Privacy Commissioner for Personal Data (the "Commissioner") published his annual report on 2014 complaints and enforcement activity under the Personal Data (Privacy) Ordinance (the "PDPO").
The report shows that heightened public awareness of privacy issues, as demonstrated by high levels of complaints, is the "new normal" for Hong Kong. Enforcement action by the Commissioner has continued with the exponential growth that began in the wake of the Octopus direct marketing affair in 2010.
The report is also notable for setting out the Commissioner's statement of priorities for 2015, with focus areas including the public's use of mobile apps, a survey of publicly available government databases and continued advocacy for a comprehensive approach to compliance through his Privacy Management Programme guidance.
High Levels of Public Complaints are the "New Normal"
The Commissioner's report of a year ago showed a significant uptick in the number of complaints in 2013, largely reflective of the implementation of new direct marketing regulations in April of that year. As a consequence of those reforms, in 2013, complaints soared 48% from 1,213 to 1,792. The figures for 2014 suggest this is the "new normal" for privacy awareness, with public complaints to the Commissioner's office more or less holding steady at 1,702 for 2014.
However, it is noteworthy that the sustained high levels of complaints come notwithstanding a significant drop in direct marketing complaints (the cause of last year's surge) from 538 in 2013 to 277 in 2014, suggesting that the current high levels of complaints come from a broader base of regulated activity than just direct marketing.
Continued Exponential Growth of Enforcement Notices
Corresponding to the sustained public interest in privacy issues now seen in Hong Kong, the number of enforcement notices issued by the Commissioner has continued to soar. In 2011, the Commissioner issued one enforcement notice. In 2012 there were 11 and in 2013 there were 25. Last year saw the number of enforcement notices more than triple, surging to 90.
The First Prison Sentence under the PDPO
2014 saw the first prison sentence handed down under the PDPO. An insurance agent received a sentence of 4 weeks' imprisonment after being found to have given the Commissioner false information. The charges related to the agent's apparent misconduct in selling an insurance policy under the false pretence that he continued to be employed by an insurance company he no longer worked for. The conviction under the PDPO related to information given to the Commissioner in connection with his investigation. The former insurance agent was also convicted of fraud and using false instruments.
Data Security Breaches on the Rise
2014 saw a significant year on year increase in the number of data security breaches reported to the Commissioner, rising from 61 in 2013 to 70 in 2014. Unlawful access to personal data through hacking and other means has been on the rise in Hong Kong as elsewhere, a phenomenon contributing to the continued growth in security breach notifications.
Internet and Telecommunications Infractions
The Commissioner highlighted that much more of his investigatory work in 2014 related to the internet and telecommunications services than ever before, with complaints more than doubling from 93 in 2013 to 206 in 2014. In particular, the Commissioner pointed to mobile apps and social networking, personal data disclosures on the internet and cyber-bullying.
Strategic Focus for 2015
The Commissioner has confirmed that in 2015, amongst other things, there will be a special focus on a number of areas, including the following:
Mobile Apps and Telecommunications: Throughout 2014 the Commissioner was very active in relation to privacy issues surrounding mobile apps, including his leadership in the Global Privacy Enforcement Network's global survey of mobile apps (see Hogan Lovells briefing "Hong Kong Privacy Commissioner takes lead on Privacy Regulation of Mobile Apps", December 2014). The GPEN study found that 85% of the apps surveyed failed to clearly explain how they were collecting, using and disclosing personal information and the Commissioner made it clear that if standards in Hong Kong did not improve, enforcement action against offenders would not be ruled out. The Commissioner chose 2014's doubling of complaints relating to mobile apps, internet and telecommunications services as his headline point for his look back at 2014, so we can expect his focus on this area to continue through 2015.
Public Registers: The Commissioner identified the use of personal information held on public registers as a priority for 2015. These large holdings of personal data, including sensitive personal data relating to bankruptcies and legal proceedings, have given rise to enforcement issues in Hong Kong in the past, in particular the "Do No Evil" mobile app that allowed users to search a consolidated database of public register details about prospective employees, tenants and business partners. Publicly available information holds a controversial and hotly debated position in data privacy regulation. In some jurisdictions, such as Singapore, publicly available information is expressly excluded from protection under data privacy law. In Hong Kong, there is no such exemption.
Privacy Management Programme: The Commissioner pledged to continue to press for greater awareness and uptake of his Privacy Management Programme guidance, which encourages businesses to take a "top down" and holistic approach to organisational data privacy compliance, citing increased public awareness and concern for Big Data as the driver for this initiative.
What Does the Commissioner's Report Mean for Businesses?
The Commissioner's report on 2014 is striking for a number of reasons, in particular the sustained public awareness of data privacy issues in Hong Kong, as evidenced by persistently high levels of complaints, and for the increasingly stiff compliance environment for Hong Kong businesses. The Commissioner is very active in his advocacy of privacy issues, both in Hong Kong and on the international stage. Businesses can expect his priorities for 2015 to reflect both local focus points of public awareness and his role in advancing global privacy initiatives, such as the "Right to be Forgotten" that seeks to require internet service providers to remove links to news stories and moves towards greater transparency in the processing of personal data by mobile apps and social media.
But leaving aside some of the wider initiatives that stand at the cutting edge of data privacy regulation, the Commissioner's advocacy of his Privacy Management Programme is in many ways the most critical aspect of compliance for Hong Kong businesses. A comprehensive review of data processing practices and procedures always has been best practice. The difference now is that the risk of privacy complaints and more aggressive enforcement action makes the need for compliance far more apparent.
Key points for business are:
- Do you have a handle on the personal data that you are processing?
- Are your privacy consents and policies up to date, reflecting any changes in the data that you capture, the technology that you use and the purposes for which data is processed?
- As your business moves towards greater use of mobile and cloud technology, social media and data analytics, do you have the right procedures in place to assess potential privacy impacts and keep your practices and procedures up to date?
The Commissioner's media statement concerning the annual report may be found at: