On 28 January, Hong Kong's Privacy Commissioner for Personal Data (the "Commissioner") published his annual report on 2014 complaints and enforcement activity under the Personal Data (Privacy) Ordinance (the "PDPO").

The report shows that heightened public awareness of privacy issues, as demonstrated by high levels  of complaints, is the "new normal" for Hong Kong. Enforcement action by the Commissioner has  continued with the exponential growth that began in the wake of the Octopus direct marketing affair  in 2010.

The report is also notable for setting out the Commissioner's statement of priorities for 2015,  with focus areas including the public's use of mobile apps, a survey of publicly available  government databases and continued advocacy for a comprehensive approach to compliance through his  Privacy Management Programme guidance.

High Levels of Public Complaints are the "New Normal"

The Commissioner's report of a year ago showed a significant uptick in the number of complaints in  2013, largely reflective of the implementation of new direct marketing regulations in April of that  year.  As a consequence of those reforms, in 2013, complaints soared 48% from 1,213 to 1,792. The  figures for 2014 suggest this is the "new normal" for privacy awareness, with public complaints to  the Commissioner's office more or less holding steady at 1,702 for 2014.

However, it is noteworthy that the sustained high levels of complaints come notwithstanding a significant drop in direct marketing complaints (the cause of last year's surge) from 538 in 2013 to 277 in 2014, suggesting that the current high levels of complaints come from a broader base of regulated activity than just direct marketing.

Continued Exponential Growth of Enforcement Notices

Corresponding to the sustained public interest in privacy issues now seen in Hong Kong, the number of enforcement notices issued by the Commissioner has continued to soar. In 2011, the Commissioner issued one enforcement notice. In 2012 there were 11 and in 2013 there were 25. Last year saw the number of enforcement notices more than triple, surging to 90.

The First Prison Sentence under the PDPO

2014 saw the first prison sentence handed down under the PDPO. An insurance agent received a  sentence of 4 weeks' imprisonment after being found to have given the Commissioner false  information. The charges related to the agent's apparent misconduct in selling an insurance policy  under the false pretence that he continued to be employed by an insurance company he no longer  worked for. The conviction under the PDPO related to information given to the Commissioner in  connection with his investigation. The former insurance agent was also convicted of fraud and using  false instruments.

Data Security Breaches on the Rise

2014 saw a significant year on year increase in the number of data security breaches reported to  the Commissioner, rising from 61 in 2013 to 70 in 2014. Unlawful access to personal data through  hacking and other means has been on the rise in Hong Kong as elsewhere, a phenomenon contributing  to the continued growth in security breach notifications.

Internet and Telecommunications Infractions

The Commissioner highlighted that much more of his investigatory work in 2014 related to the  internet and telecommunications services than ever before, with complaints more than doubling from  93 in 2013 to 206 in 2014. In particular, the Commissioner pointed to mobile apps and social  networking, personal data disclosures on the internet and cyber-bullying.

Strategic Focus for 2015

The Commissioner has confirmed that in 2015, amongst other things, there will be a special focus on  a number of areas, including the following:

Mobile Apps and Telecommunications: Throughout 2014 the Commissioner was very active in relation to  privacy issues surrounding mobile apps, including his leadership in the Global Privacy Enforcement  Network's global survey of mobile apps (see Hogan Lovells briefing "Hong Kong Privacy Commissioner  takes lead on Privacy Regulation of Mobile Apps", December 2014). The GPEN study found that 85% of  the apps surveyed failed to clearly explain how they were collecting, using and disclosing personal  information and the Commissioner made it clear that if standards in Hong Kong did not improve, enforcement action against offenders would not be ruled out. The Commissioner chose 2014's doubling of complaints relating to mobile apps,  internet and telecommunications services as his headline point for his look back at 2014, so we can expect his focus on this area to continue through 2015.

Public Registers: The Commissioner identified the use of personal information held on public  registers as a priority for 2015. These large holdings of personal data, including sensitive  personal data relating to bankruptcies and legal proceedings, have given rise to enforcement issues  in Hong Kong in the past, in particular the "Do No Evil" mobile app that allowed users to search a  consolidated database of public register details about prospective employees, tenants and business  partners. Publicly available information holds a controversial and hotly debated position in data  privacy regulation. In some jurisdictions, such as Singapore, publicly available information is  expressly excluded from protection under data privacy law. In Hong Kong, there is no such  exemption.

Privacy Management Programme: The Commissioner pledged to continue to press for greater awareness  and uptake of his Privacy Management Programme guidance, which encourages businesses to take a "top  down" and holistic approach to organisational data privacy compliance, citing increased public  awareness and concern for Big Data as the driver for this initiative.

What Does the Commissioner's Report Mean for Businesses?

The Commissioner's report on 2014 is striking for a number of reasons, in particular the sustained public awareness of data privacy issues in Hong Kong, as evidenced by persistently high levels of complaints, and for the increasingly stiff compliance environment for Hong Kong businesses. The Commissioner is very active in his advocacy of privacy issues, both in Hong Kong and on the international stage. Businesses can expect his priorities for 2015 to reflect both local focus points of public awareness and his role in advancing global privacy initiatives, such as the "Right to be Forgotten", which seeks to require internet service providers to remove links to news stories, and moves towards greater transparency in the processing of personal data by mobile apps and social media.

But leaving aside some of the wider initiatives that stand at the cutting edge of data privacy  regulation, the Commissioner's advocacy of his Privacy Management Programme is in many ways the  most critical aspect of compliance for Hong Kong businesses. A comprehensive review of data  processing practices and procedures always has been best practice. The difference now is that the  risk of privacy complaints and more aggressive enforcement action make the need for compliance far more apparent. 

Key points for business are:

  • Do you have a handle on the personal data that you are processing?
  • Are your privacy consents and policies up to date, reflecting any changes in the data that you  capture, the technology that you use and the purposes for which data is processed?
  • As your business moves towards greater use of mobile and cloud technology, social media and  data analytics, do you have the right procedures in place to assess potential privacy impacts and  keep your practices and procedures up to date?

The Commissioner's media statement concerning the annual report may be found at:

http://www.pcpd.org.hk/english/news_events/media_statements/press_20150127.html