The Constitutional and Mainland Affairs Bureau (CMAB), together with the Privacy Commissioner for Personal Data (Privacy Commissioner), published a consultation paper raising important data protection issues and proposing possible amendments to the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO) on 20 January 2020.
This move followed the review of the existing data protection regime in Hong Kong.
The consultation paper seeks feedback from members of the Legislative Council, and experts expect that more specific proposals for reforms to the PDPO will be made at the appropriate time.
However, there is currently no information in the consultation paper pertaining to an express timeframe for the completion of this review process or when specific amendments to the PDPO would be proposed.
Experts laid out an overview of the key proposals, as follows:
- Mandatory Data Breach Notification Mechanism
The consultation paper recommended the introduction of a mandatory data breach notification mechanism.
This would require a report to the Privacy Commissioner and impacted individuals in the event of a data breach carrying “a real risk of significant harm”.
The CMAB suggested that the mechanism would ensure that the Privacy Commissioner could more effectively monitor the handling of data breaches by relevant organisations.
In addition, organisations could seek instructions from the Privacy Commissioner with regards to any follow-up actions to mitigate or prevent further loss and damage resulting from the data breach incident.
- Data Retention Period
At present, the PDPO does not specify a definitive retention period and, as such, data users are left to interpret the meaning of what is considered “no longer necessary”.
The consultation paper suggested that there is a higher risk of a data breach where data is retained for a longer period of time, especially where such data should already have been purged because retaining it was in fact unnecessary.
Whilst the consultation paper acknowledges that it would be inappropriate to propose a uniform retention period in the PDPO that would apply to all types of personal data held by different organisations for different purposes, it was suggested that the PDPO be amended to require data users to formulate a clear retention policy specifying a retention period for the personal data collected.
In particular, such retention policy should address the maximum retention periods for the different categories of personal data and data users should disclose how the retention period would be calculated.
- Sanctioning Powers
The consultation paper considered raising the level of criminal fines in order to strengthen the deterrent effect against breaching the provisions of the PDPO.
It was also suggested that the Privacy Commissioner should be empowered to directly impose administrative fines for contravention of the PDPO, similar to other data protection authorities such as those in the EU, Singapore and the United Kingdom.
In particular, the CMAB and the Privacy Commissioner are deliberating whether it would be feasible to introduce an administrative fine linked to the annual turnover of the data user.
- Regulation of Data Processors
Currently, the obligation to comply with the PDPO applies to “data users” (i.e. an organisation that controls the collection, holding, processing or use of personal data).
The PDPO does not directly regulate “data processors” (i.e. an organisation that processes personal data on behalf of data users).
Data users are required to ensure by way of contractual means that data processors adopt suitable measures to ensure the safety of a data subject’s personal data.
The consultation paper concludes that this level of protection is inadequate, especially as the outsourcing of data has become a common practice in the digital age.
In light of this, it was suggested that the PDPO may be amended so that data processors are directly accountable for personal data retention and security, and are made responsible for notifying the Privacy Commissioner and the data user upon becoming aware of any data breach incident.
- Definition of Personal Data
The consultation paper also mentioned possible amendments to the definition of “personal data”.
At present, the definition of “personal data” in the PDPO includes information that relates to an “identified person”. The CMAB is exploring whether to expand this definition so as to include data that relates to an “identifiable natural person” instead.
This proposed amendment was raised in order to address the widespread deployment of tracking and data analytics technology by global technology companies today.
- Doxing
The issue of doxing was the final area of possible reform raised by the CMAB.
According to the consultation paper, the HKSAR Government is considering whether it would be feasible to amend the PDPO to address the issue of doxing more effectively.
For example, it was suggested that the Privacy Commissioner could be granted statutory powers to order the removal of doxing-related material from social media platforms or websites and be given the power to institute criminal investigations and prosecutions.
Considering the recent wave of major data breach incidents and the rapid technological advancements resulting in new uses of personal data in Hong Kong, the consultation paper recognised a need for enhancing the level of protection currently afforded under the PDPO.
EU member states and the province of Alberta in Canada, as well as the state of California in the United States and other jurisdictions in the Asia-Pacific region such as the PRC, Australia, Indonesia, South Korea, Taiwan and Thailand, all have mandatory data breach notification mechanisms in place.
In addition, other common law jurisdictions such as Singapore and New Zealand are expected to introduce similar mechanisms in their data protection regimes as well.
If enacted, the aforementioned reforms will bring Hong Kong closer to being in line with the recent regulatory developments in data protection in other parts of the world.