By Kathryn Weaver, Firm: Lewis Silkin LLP
This article describes the reaction to the entry into force of the GDPR in Hong Kong, the current status of domestic data protection legislation and plans for the future.
As Hong Kong is home to many EU and UK headquartered companies, GDPR compliance has remained a hot topic notwithstanding the geographic distance between these jurisdictions. The Hong Kong Privacy Commissioner for Personal Data (‘PCPD’) has also publicly encouraged Hong Kong businesses to adopt standards more in line with those required by the GDPR, and has flagged that changes to Hong Kong’s data privacy laws are highly likely in order to bring the regime in line with EU requirements.
Until Hong Kong’s data protection laws are updated, however, the GDPR remains a much more onerous regime to comply with. The relative lack of teeth of the Hong Kong laws was highlighted by the recent and widely publicised data breach by Cathay Pacific Airways (‘Cathay’).
On 6 June 2019, the Office of the PCPD published the results of its investigation into the data breach incident by Cathay. This breach was discovered by Cathay in March 2018 but only self-reported to the PCPD in October 2018. No penalties were imposed for the breach, which involved the personal data of 9.4 million passengers and registered users of Cathay’s website from over 260 locations globally. Instead, Cathay was given six months to take remedial actions specified in an enforcement notice.
Under the Personal Data (Privacy) Ordinance (‘PDPO’) Cathay will face a financial penalty if it fails to carry out these remedial measures. The maximum penalty for first conviction will only be HKD 50,000, although also potentially imprisonment for two years. If non-compliance continues after the initial conviction there will be a daily penalty of up to HKD 1,000.
This is obviously a far lesser sanction than would have been awarded under the GDPR. The enforcement notice does not deal with Cathay’s delay in reporting the breach, as there are no mandatory breach notification requirements in Hong Kong, although best practice recommendations in this regard are contained in a guidance note issued by the PCPD. In contrast, the GDPR requires certain types of personal data breach to be reported to the relevant supervisory authority within 72 hours after a data controller becomes aware of the breach. A failure to do so may attract the maximum fine of the higher of EUR 10 million or 2% of global turnover.
However, as Cathay does market its products and services to EU citizens, it is possible that it will face action from an EU regulator and it will be interesting to compare the consequences which arise as a result of the same data breach incident.
It is expected that Hong Kong is headed towards an overhaul of its PDPO following this and other recent high profile personal data breach incidents. Comments made by the PCPD in the Cathay enforcement notice in relation to the principle of accountability are potentially significant. This principle is incorporated into the GDPR and includes requirements to compile personal data inventories and to report data breaches. The PCPD stated that although the principle of accountability is yet to be provided for in the law of Hong Kong, businesses in Hong Kong should be well poised to adopt proactive data management measures now. We agree that the adoption of proactive measures is a sensible strategy. This will not only ensure that a business is better prepared for any future changes to the regime in Hong Kong, but may help to prevent enforcement action in other jurisdictions where the principle of accountability is already enshrined.