Carmen Tang discusses current legislation in Hong Kong related to personal data breaches and expected developments, similar to what has already happened in other, more developed jurisdictions such as the EU, Canada and Australia. A new mandatory data breach notification mechanism could be introduced through an update of the Personal Data (Privacy) Ordinance, which most likely would also introduce related penalties.
SHOW NOTES
00:19 The Privacy Commissioner and data security
01:07 The situation in other jurisdictions
01:37 The importance of a mandatory data breach notification mechanism
02:19 Plans to introduce a notification mechanism
03:11 Definition of personal data breach
03:28 Notification threshold
03:41 Notification timeframe
04:01 Mode of notification
04:37 Penalty
TRANSCRIPT
No matter how careful one is, data leakage through cyber-attacks seems inevitable. Human error can often compromise sensitive data.
00:19 The Privacy Commissioner and data security
In Hong Kong, the Personal Data (Privacy) Ordinance requires data users to take all practicable steps to prevent unauthorized or accidental access to personal data. Unfortunately, there is currently no statutory requirement for data users to notify the Office of the Privacy Commissioner or the data subject in case of a data breach. At present, relevant notification is made on a voluntary basis. That said, the Privacy Commissioner strongly advises data users to submit a data breach notification to the Office as a recommended practice for the proper handling of such incidents.
01:07 The situation in other jurisdictions
You may have heard of the European Union's General Data Protection Regulation, which came into effect in May 2018. Under the said Regulation, data users generally must report breaches of personal data within 72 hours of notice of the breach. Indeed, many jurisdictions other than the European Union, such as Canada and Australia, have similar rules.
01:37 The importance of a mandatory data breach notification mechanism
The risks of data breaches have grown immensely since GDPR was introduced in 2018. For example, Yahoo's UK arm was fined GBP250,000 over a data breach affecting more than 500 million users; Facebook was fined GBP500,000 regarding the Cambridge Analytica scandal; Google Inc. was fined; and the Information Commissioner's Office in the UK announced its intention to issue a fine of GBP183.4 million to British Airways and a sum of around GBP99 million to Marriott International.
02:19 Plans to introduce a notification mechanism
The Hong Kong Government is formally reviewing and studying possible amendments to the ordinance jointly with the Office of the Privacy Commissioner, aimed at strengthening the protection of personal data in Hong Kong. In late January 2020, the Constitutional and Mainland Affairs Bureau published a paper for discussion at the Legislative Council Panel meeting.
We note that among the six proposed amendments to the Ordinance, the introduction of a mandatory data breach notification mechanism is included so that the Privacy Commissioner could monitor the handling of data breaches by the organizations concerned. The Bureau considers that the following matters should be taken into account when establishing the said mechanism:
- (03:11) Definition of personal data breach
It could mean a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
- (03:28) Notification threshold
The Bureau finds that a data breach having “a real risk of significant harm” should be reported by the data user to the Privacy Commissioner and impacted individuals.
- (03:41) Notification timeframe
The data user should notify the Privacy Commissioner within a specified timeframe once they become aware of the data breach. The Bureau believes "as soon as practicable" and, in any event, within not more than five business days is reasonable.
- (04:01) Mode of notification
The Bureau is considering allowing data users to make written notification to the Privacy Commissioner by way of email, fax or post. Possible information to be specified in the notification includes a description of the data security incident, the cause of the data breach, the type and amount of personal data involved, an assessment of the risk of harm, the remedial action taken by the data user to mitigate the risk of harm, and the action that the data subjects should take to protect themselves against the risk of harm.
- (04:37) Penalty
It is not specified in the LegCo consultation paper. That said, we suspect the HK Government may consider directly imposing administrative fines on data users for failing to notify a data breach incident on time. The said fine may be linked to the annual turnover of the data user, which is similar to the current rules under GDPR.
This video is for informational purposes only. Its contents do not constitute legal or professional advice.