Proposed Amendments of the Personal Data (Privacy) Ordinance

On 13^th January 2020, the Constitutional and Mainland Affairs Bureau (“the CMAB”) published a paper (LC Paper No. CB(2)512/19-20(03)) (“the paper”) for discussion at the Legislative Council Panel on Constitutional Affairs meeting on 20^th January 2020. The paper detailed a review of the Personal Data (Privacy) Ordinance (Cap. 486) (“the Ordinance”), including six proposed amendments. The six amendments to the Ordinance arise out of ongoing technological advances that challenge the protection of personal data privacy public, and public concerns regarding the adequacy of the Ordinance. Consequently, the six amendments aim to strengthen the protection for personal data in Hong Kong by more closely aligning the Ordinance with the General Data Protection Regulation (“GDPR”) of the European Union; the paper also makes reference to legislation of other jurisdictions[1] for review and directions of the Ordinance.

Key elements of the proposal

1: Mandatory Data Breach Notification Mechanism

At present, the Ordinance does not require data users to notify the Office of the Privacy Commissioner for Personal Data (“PCPD”) where a data breach occurs. The proposed amendment will introduce a mandatory notification mechanism in the case of a data breach; the data user must report the breach to the PCPD  within a specified time frame. The paper indicates that the mechanism will consider: a definition of “personal data breach” with reference to the GDPR[2]; a threshold requiring “real risk of significant harm” for notification to the PCPD and impacted individuals and; the mode and contents of notification to the PCPD and impacted individuals.

2: Data Retention Period

The paper recognises it would be “practically infeasible to set [a] uniform retention period” under the Ordinance. To address this issue, the second proposed amendment considers amending Data Protection Principle 5 to expressly require “the data policy of data users to include a data retention policy,” which would specify a retention period for the collected data. The mechanism should include: “maximum retention periods for different categories of data; legal requirements which may affect the designated retention periods; … and how the retention period is counted.”

3: Sanctioning Powers

The third amendment proposes to introduce allowing the PCPD to impose direct administrative fines to “enhance the deterrent effect of the PDPO.” Additionally, to “reflect the severity of the offences,” the amendment proposes increasing the maximum level of administrative fines. The paper references the maximum fine under the GDPR: “€20 million (equivalent to about HK$178 million) or 4% of the company’s global annual turnover in the preceding year, whichever is higher,” and considers introducing administrative fines which will be linked to annual turnover of the data user. The proposal further considers the possibility of classifying data users on a scale where their turnover is referenced in order to impose a level of administrative fine.

4: Regulation of Data Processors

Recognising the increased occurrence of “out-sourcing of data activities like sub-contracting personal data processing work”, the fourth amendment proposes to impose legal obligations on data processors. The paper suggests that holding data processors directly accountable for personal data retention and security, and making notification to the PCPD and the data user mandatory in the case of data breach, will strengthen private data protection and more fairly distribute responsibility with data users.

5: Definition of Personal Data

The fifth proposed amendment to the Ordinance expands the definition of “personal data” to encompass any “information relating to an “identifiable” natural person” (emphasis added); it shifts the definition from protecting data that relates to an “identified” person to include information . Suggesting that the expanded definition will increase protection for personal data, the amendment also aligns the language in the Ordinance with legislation of Australia, Canada, the EU, and New Zealand.

6: Regulation of Disclosure of Personal Data of Other Subjects

The last proposed amendment in the paper is aimed at introducing legislative measures to address incidents of doxxing – the non-consensual disclosure of an individual’s information, particularly for the purpose of harassment – due to the substantial increase in incidents in the past year. Consideration is given to confer the PCPD “statutory powers to request the removal of doxxing contents from social media platforms or websites, as well as the powers to carry out criminal investigation and prosecution, etc.”

Potential Implications

On one hand, the proposed amendments to the Ordinance may increase the protection of personal data privacy in Hong Kong; on the other, the amendments will generate two significant implications for data users:

Firstly, data users and data processors in Hong Kong will be held to stricter compliance requirements, with increased obligations to ensure instances of breach are handled in a timely manner. Data users and data processors will be tasked with additional work: the inclusion of a mandatory data breach notification mechanism (Proposed Amendment 1) will also require data users to conduct additional risk assessment. Proposed Amendment 2 will also require data users to revise their personal data policies to include a data retention policy.

Secondly, the amendments confer onto the PCPD and the Privacy Commissioner for Personal Data (“the Commissioner”) greater powers; this is particularly evident to data users through the increase of sanctioning powers (Proposed Amendment 3), and in the consideration to introduce legislative amendments to address doxxing (Proposed Amendment 6). While accountability has been heightened for data users, and more power has been proposed for the PCPD, the proposed amendments also indicate an increase in direction and guidance from the Ordinance and PCPD.

Further Considerations

Several issues may be raised for further consideration:

• Timeline: there is currently no proposed timeline for the amendments to take effect [what else needs to happen before legislation is amended?].
• “Real risk of significant harm” assessment: it is unclear whether the mandatory data breach notification mechanism (Proposed Amendment 1) will follow the assessment guidelines set out in Article 33 and Recital 85 of the GDPR.
• Consequences for failure to comply: the paper does not address what consequences may incur for data users who fail to comply with requirements including the mandatory notification mechanism (Proposed Amendment 1) or the specification of data retention period (Proposed Amendment 2).
• Consent of data subjects: Human Rights Watch submitted[3] that the Ordinance should require data subjects “must give their explicit consent” to data collection, usage, or sharing in a manner which is “easy to find, and easy to understand.” Currently, the Ordinance only requires data subjects to be informed of data collection, and “explicit consent [to be given] for data collection when the data is used for new purposes or when it is transferred for marketing”; requiring consent will strengthen the rights of data subjects.
• Right to erasure of personal data: Human Rights Watch also submitted[4] that the Ordinance “does not give [data subjects] the right to have their information removed or to be de-indexed from search engines.” To more closely align the protection afforded by the Ordinance, it should be amended to allow data subjects to request data users to delete held data in certain circumstances.
• Section 33 of the Ordinance: Section 33 of the Ordinance deals with the transfer of personal data to places outside of Hong Kong. Since the enactment of the Ordinance in 1996, Section 33 has still not been enacted. The amendments to the proposal fail to address the section to bring it into operation.

To sum up

The proposed amendments appear to better align the Ordinance with the GDPR and legislation in other jurisdictions. As the paper identifies the “cause of incidents of personal data privacy breaches [to have] recently shifted … to [situations] related to digital platforms and data security, such as personal data breaches, hacker attacks resulting from security loopholes and improper disclosure of personal data of others on online platforms,” it seems as though the amendments, if passed, will enhance the protection of personal data privacy in Hong Kong.

 

Our team at Hugill & Ip has extensive experience in dealing with Data Privacy issues – so kindly get in touch with us to find out how our solicitors can help. 

This article is for information purposes only. Its contents do not constitute legal advice and readers should not regard this article as a substitute for detailed advice in individual instances.