Marco Raccuia and Carmen Tang talk about the increasing value of data and the protection afforded by the Personal Data Privacy Ordinance and the Privacy Commission. How is legislation catching up in response to recent data breach incidents? What developments can we expect?
SHOW NOTES
00:22 – Growing value of data
03:11 – Personal Data Privacy Ordinance
11:21 – Cathay Pacific data breach incident
15:30 – New technologies
TRANSCRIPT
0.01 Welcome to The HIP Talks podcasts, a series of discussions about current legal issues hosted by Hugill & Ip Solicitors. We are a young independent law firm but with decades of experience providing bespoke legal advice and exceptional client service to individuals, families, entrepreneurs and businesses, both in Hong Kong and internationally.
0.22 [Marco Raccuia] Back in 2017, The Economist published story titled, “The world’s most valuable resource is not longer oil, but data”. Since then, everyone started to realize that data is the new oil. Today Carmen Tang joins us on The HIP Talks. Carmen spent some time at the office of the Privacy Commission for Personal Data in Hong Kong in her early career. We’ll take a look at the big data phenomenon and how data in the 21st century influence decisions and shape our world, in particular about the situation in Hong Kong. Everyone has been talking about the “Internet of Things”, “Big Data” these days, as far as we know, and in general that means that processing of large amounts of data on a real time basis and storing them using different storage technologies, and data processing is not something new. So why does Big Data become something so big and so valuable to an extent it turns data into the most valuable asset on earth?
1.36 [Carmen Tang] Oil was once the most valuable commodity as it was the most important source of energy. Its production supports the operation of homes, organizations and societies, transport requires oil, many everyday essentials have oil elements, but data flow in those days was quite restrictive due to high costs and the lack of channels. Companies that wanted to learn about consumers purchasing pattern, or psychology or other relevant and useful information usually did that by conducting surveys. Surveys were administered in the form of face to face or phone interviews, or mails only.
2.17 [Marco Raccuia] From your point of view what has changed in the recent decade?
2.22 [Carmen Tang] With the expansion of use of internet in late 1990s, all of a sudden, data collection and storage has not just become something which everyone can afford, but in fact very cheap. Coupled with other technological advancements, like the evolution of artificial intelligence, the pace of information growth has drastically increased to an extent which no one can imagine.
2.46 [Marco Raccuia] So why data is more valuable than oil?
2.49 [Carmen Tang] Compared to oil which requires lots of resources to be transported and stored, the best thing about data is that it is intangible. In its raw form, data can become any number of things. Some people even compare data to energy sources like the sun, water, and wind as there is an abundance of those.
3.11 [Marco Raccuia] Yeah, speaking of abundance, a writer once mentioned that the more data you get, the less you know about what’s really going on, and the more the whole thing gets complicated. In this respect, can you please tell us what protection is available in Hong Kong in terms of data usage and what the laws are? And do you think that because of having too much data, things are really getting out of control?
3.40 [Carmen Tang] In Hong Kong, we have the Personal Data Privacy Ordinance, which is one of the Asia’s longest standing comprehensive data protection laws. It was passed in 1995. The ordinance then underwent major amendments in 2012. The most significant of which being the introduction of direct marketing provisions, and other additional protection to cope with new privacy challenges and address some of the public concerns. Apart from the ordinance itself, the Privacy Commissioner Office also issues guidance notes, information sheets and other types of publications on and off, so as to assist data subjects and also data users in understanding respective legislative provisions, in particular, their rights and obligations. One special feature of our legislation is that, first, it is principle based, and second, it is technology neutral. They were designed in a way to stay ahead of information and communications technology development. Another thing is that the ordinance was enacted to regulate the handling of personal data. That is not each and every kind of data is included in the ordinance, meaning only information which relates to a living individual and can be used to identify that individual. So, I believe that everything is still under control.
5.06 [Marco Raccuia] So, you mentioned that the ordinance is principle based, but what specific principles are you referring to?
[Carmen Tang] The soul of the ordinance is the six data protection principles, which govern the lifecycle of a piece of data. Briefly, data lifecycle is like firstly, data is collected by data user from data subject or other sources, then the respective data user uses the data for specific purpose and at the same time data has to be stored. While the data user is retaining the data, the data subject may wish to access the same for their own special purposes.
5.45 [Marco Raccuia] With information and communication technology development, for example, nowadays people are talking about the use of smart lampposts by governments, something which did not really exist, for example, back in the 90s. In your opinion, will technological change always be one step ahead of the privacy regime in Hong Kong?
6.10 [Carmen Tang] Good question. I think we should also bear in mind that our legislation as I mentioned earlier, it is technology neutral in the sense that data protection principles will hardly be out of touch with reality over time. Let’s talk about the smart lamppost which you have brought up earlier. In around July 2019, the Hong Kong government’s Chief Information Officer, held a briefing on the operation of smart lampposts: it is understood that some 400 smart lampposts expected to be installed in the coming three years in districts with higher pedestrian and traffic flow. Since the end of June 2019, 50 smart lampposts have been put in place, other than that the briefing was full of computer and technical jargons, which were not quite helpful in assisting the public in understanding the operation. However, when you try to fine tune your brain by looking at the matter with reference to the six data protection principles, you will have a clear picture of things which are totally unclear.
7.13 [Marco Raccuia] Interesting.
7.15 [Carmen Tang] So first, before we go into some of the data protection principles, we have to know what data will be collected. Despite the fact that these expensive devices are equipped with cameras, Bluetooth beacons and other REID technology, the Chief Information Officer claimed that lampposts do not carry any facial recognition function, and that the images taken will not be sent to any third party for facial recognition applications. That said, given the discrepancies within government documents located by some of the concern groups, and the widespread use of surveillance devices in Mainland China, it is totally reasonable that the public see the installation of the high tech lampposts as a sign of creeping digital surveillance.
8.02 [Marco Raccuia] It looks like we’re pretty much in the dark here.
8.05 [Carmen Tang] So let’s now take a look at the principles and see whether the situation is really bad. Data Protection principle one regulates collection of personal data. Data can only be collected for lawful purpose. But then data collected should only be necessary but not excessive. Assuming that personal data is indeed collected through the smart lampposts, in which every pedestrian walking on the streets in Hong Kong is data subject, how can he or she ensure those data collected are not excessive?
8.36 [Marco Raccuia] Exactly.
8.37 [Carmen Tang] So you see, according to the Chief Information Officer, data collected through the lampposts is to be used for: first, promoting smart city development in Hong Kong and second, supporting 5G mobile network implementation. So the purpose seems so broad, that the necessity tasks can pass pretty easily. For Data Protection Principle 2 it touches on duration of retention of personal data. Data cannot be kept longer than it’s necessary for the fulfilment of the purpose for which the data is used. Promotion of a set of development can actually be a forever thing.
9.16 [Marco Raccuia] It sounds like we’re really have an issue here. Now let’s take a look at Principle 6. Principle 6 provides data subjects with the right to request access and correction of their own personal data. Let’s say a data user should give reasons when refusing a data subjects’ request to access or to correct his or her personal data. In specific relation to smart lampposts, the position of the government seems to be that no personal data will ever be collected if surveillance cameras may unintentionally capture the human face of an individual, appropriate measures will be taken to lower the image resolution through, for instance, what if individuals believe that they’ve been identified and would like to file a request to access the relevant data? Here it comes the question: who is the data user? Because it seems that the chief information officer did not make that very clear during the briefing he had in July 2019.
10.33 [Carmen Tang] True. Given the uncertainty raised by the public, the Chief Information Officer has provided further information in relation to the data users involved shortly after the meeting, which includes the Environmental Protection Department, Hong Kong Observatory, Lands Department and Transport Department. According to a table prepared by the Chief Information Officer, types of device used, functionality of the respective device data which will be collected and privacy protection measures, which the Chief Information Officer has adopted are also elaborated. The public can find all relevant consultation papers and press release in relation to the multifunctional smart lampposts pilot scheme on the Chief Information Officers website.
11.21 [Marco Raccuia] So, noting that Principle 4 relates to data security, there have been many data leakage incidents in different fields over the past few years like social media platforms, and airlines, enforcement agencies, so on and so forth…
11.40 [Carmen Tang] In fact, I believe no one would actually forget about the data breach incident of the unauthorized access to personal data of Cathay Pacific and Hong Kong Dragon Airlines passengers in 2018. Passengers, approximately 9.4 million, from many countries were affected. The Privacy Commissioner’s Office recently completed their investigation of the incident and released it the investigation report on June 6 2019.
12.09 [Marco Raccuia] So, Carmen, what were the Commissioner’s findings?
12.11 [Carmen Tang] The Commissioner found Cathay Pacific had actually contravened Principle 4 and that Cathay Pacific had failed to take reasonably practical steps to protect its passengers’ data against unauthorized access in terms of vulnerability management, adoption of effective technical security measures and also data governance. Besides, the Commissioner also noted Cathay Pacific had kept Hong Kong ID card numbers of the affected passengers longer than was necessary for fulfilment of the verification purpose for which the data was used. Thus, an enforcement notice was served on Cathay Pacific, directing them to engage an independent data privacy expert to overhaul the systems containing personal data, and also to conduct reviews and tests of security of the Cathay Pacific’s network, and also devise a clear data retention policy and completely eliminate all unnecessary Hong Kong ID card numbers collected from Asiamiles membership program. For further details of the notice, they can be found on PCPD’s website.
13.23 [Marco Raccuia] So but what conclusion in your opinion, we can foresee, perhaps any class action or monetary penalty?
13.32 [Carmen Tang] In Hong Kong impacted individuals may apply for legal assistance for seeking compensation from a data user for damage suffered as a result of breach of the Ordinance. However, we do not have class action in Hong Kong. As far as I know, affected passengers in other countries especially the European ones, may have already commenced class actions against Cathay Pacific for contravention of the relevant provisions under the GDPR.
14.01 [Marco Raccuia] Another very important matter which I think everyone knew when Cathay Pacific made their announcement in October 2018, is that Cathay Pacific had in fact, detected suspicious activity back to March of the same year. Unfortunately, Cathay Pacific chose not to notify the affected passengers that time. So how can we avoid such behaviour by companies?
14.32 [Carmen Tang] Given that there being no statutory requirements under the ordinance for a compulsory data breach notification, the Commissioner found no contravention of the ordinance on Cathay Pacific. That said, one should actually bear in mind that the whole data breach reporting mechanism does not exist for the sake of compliance only, it is about managing the legitimate expectations of both the customers and the regulators. In particular, for multinational corporations, it is reasonable for the customers to expect the companies to advise them of the incident and the appropriate steps to take so as to minimize further loss and damage arising from the data leakage. Even our current legislative regime does not require data users to issue such notifications. Processing personal data ethically can certainly improve business reputation and enhance stakeholders confidence.
15.29 [Marco Raccuia] Absolutely. I recall you mentioned about surveillance devices in Mainland China when we were earlier discussing about installation of smart lampposts. I understand that facial recognition technology, it’s highly adopted in China. How so?
15.45 [Carmen Tang] Recently, I read an article on The New York Times in relation to collection of DNA samples in China. Chinese scientists are trying to find a way to use DNA samples to create an image of a person’s face. Experts on ethics are worried that China is actually building a tool that could be used to justify and intensify racial profiling. It may even be possible for the PRC government to fit images produced from a DNA sample into the mass surveillance and facial recognition systems that is building, tightening his grip on society.
16.20 [Marco Raccuia] Can introduction of legislation or specific regulations assist in protecting the public against any misuse of biometric data collected by the Mainland China government or even other governments around the world?
16.36 [Carmen Tang] It should be. But most important of all data subjects should voice their concerns that whenever they discover that data is being misused. In China, it is generally believed it to be more accepting of trading privacy for security and stability. You see students are required to wear brainwave trackers in some schools in China. And those schools found that it wasn’t hard to get parental consent for collection of those brainwave data from their children. Parents actually and truly believe wearing those brainwave reading habits can improve their kids’ concentration efforts.
17.15[Marco Raccuia] Obviously, they have a long way to go in educating the public about privacy rights and risks. So thank you Carmen for your insights today and really looking forward to your future updates about data privacy issues.
[Carmen Tang] Thank you very much.
17.38 Be sure to catch our other episodes of The HIP Talks podcasts by checking the insights section of our website at www.hugillandip.com and please send us your comments by writing to our email address hello@hugillandip.com. Also, please feel free to share this episode of The HIP Talks podcasts with your friends, family and associates.
This podcast is for informational purposes only. Its contents do not constitute legal or professional advice.
