Charles Mok 可圈可點

The EU’s General Data Protection Regulation (“GDPR”) has commenced enforcement on 25 May 2018, marking a new era for global data protection. In the past few months leading up to the enforcement, organisations offering online services have been updating their privacy policies and notifying users to give consent en masse. 

In a sense, the EU has set a new bar for global privacy protection regimes by pushing forward a new set of rules with extra-territorial applications – meaning any Hong Kong organization dealing with personal data of EU citizens may also fall within the rules.

The proliferation of industry practices that track users across the web and through various devices, means the rules that govern it needs to adapt. The revelations from Facebook and Cambridge Analytica incident shows just the tip of the iceberg about the problems of collecting and using personally-identifiable data to create profiles for targeted advertising and analysis. 

Hong Kong has seen more large-scale data breach in both public and private sector affecting hundreds of thousands of citizens. 2 laptops containing more than 3.3 million voters’ personal information such as name, HKID number, and address were reported stolen after the Chief Election Election in March 2017. More recently, the personal data of some 380,000 Hong Kong Broadband Network customers were hacked in April 2018. Three travel agencies became victims to hackers who encrypted their customer database and demanded ransom with cryptocurrency. 

As the government pushes towards “Smart City”, how should Hong Kong’s privacy laws be updated to address issues coming with innovations such as AI, facial recognition, algorithm-driven decisions and cross-border data transfer, to strengthen privacy, security, transparency and accountability? The following is a broad comparison between EU’s GDPR and Hong Kong’s Personal Data (Privacy) Ordinance (“PDPO”).

The data protection of the EU stemmed from EC Directive 95/46/EC which governs the protection of personal data in EU. It sets out a series of principles governing the collection, use, disclosure and handling of personal data. Hong Kong’s PDPO was drafted closely based on the Directive.

The GDPR applies directly in EU member states without enacting legislation, while EU member states can still have legislation with exceptions and derogations. The GDPR revises and extends data protection principles and introduces several new rights for data subjects, while includes heavier sanctions on infringing businesses with worldwide operation.

The law needs an update to enable the city to tackle privacy challenges and embrace innovation opportunities brought about by innovation and technology. So how far behind is Hong Kong’s privacy law that was first enacted before the Internet age?

According to Article 3 of GDPR, the law applies to all data processing in the context of activities of an establishment of data controller or processor in the EU, such as office, sales representative or business activity directed towards an EU member state, regardless of where processing takes place. It also applies to data processing related to offering goods/services to individuals in the EU, or monitoring individuals in the EU, such as tracking or predicting behavior.

Whereas PDPO of Hong Kong applies to data controllers or processors who, either alone or jointly or in common with other persons, control the collection, holding, processing or use of the personal data in or from Hong Kong. (PDPO s.2(1))

The GDPR applies to "Personal data" meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. 

A wide range of personal identifiers constitutes personal data under this definition, including name, ID number, location data. It also includes online identifiers such as IP addresses and cookie identifiers, reflecting changes in technology and new ways personal data is being collected nowadays.

Personal data that has been pseudonymised can also fall within the scope of the GDPR, depending on the difficulty of attributing the pseudonym to an individual.

Hong Kong’s PDPO, however, defines "Personal data" as any data that relates directly or indirectly to a living individual; or from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and in a form in which access to or processing of the data is practicable.

The GDPR refers to sensitive personal data as “special categories of personal data” (Article 9). The special categories include genetic data and biometric data where processed to uniquely identify an individual. Criminal conviction and offences data are considered to be more sensitive, and may only be processed in more limited circumstances.

Hong Kong’s PDPO has no special categories for ‘sensitive personal data’.

According to Article 5 of GPDR, consent must be freely given, specific, unambiguous, informed and express (for processing of sensitive data only). Consent given by a child below 16 (or 13) requires parental authorization. 

As for Hong Kong’s PDPO, consent is not required for the collection of personal data (unless for a new purpose). Where consent is also required, consent means express and voluntary consent.

Data processors (such as third-party vendors or contractors) are regulated by the GDPR. They have additional obligation under the law such as to maintain records of processing, ensure security of processing, report data breaches and designate Data Protection Officers etc. Data controller must have a written contract binding the processor which sets out nature and purpose of processing and contains specified provisions.

In Hong Kong, data processors are not directly regulated but required to mandate compliance to Data Protection Principles by means of contract or other means.

Hong Kong’s PDPO does not directly regulate or mandate obligations for data processors.

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes.

The GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant regulatory authority. This must be completed within 72 hours of becoming aware of the breach, where feasible. If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, the data controller must also inform those individuals without undue delay.

Hong Kong’s PDPO has no mandatory requirement for breach notification, but recommends reporting to to the Privacy Commissioner and data subjects at the earliest convenience.

The GDPR provides the more rights for individuals: the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object and rights in relation to automated individual decision-making (solely by automated means without any human involvement) and profiling (automated processing of personal data to evaluate certain things about an individual).

Hong Kong’s PDPO has similar rights for data subjects, but there is no right to erasure (otherwise known as the ‘right to be forgotten’), right to data portability and right about decision by algorithm and right to object to processing (including profiling). The notice requirements for data users and controllers are less extensive. 

The GDPR imposes restrictions on the transfer of personal data outside the EU, to third countries or international organisations, where certification and adherence to approved codes of conduct are explicit requirement for international transfer. Personal data may only be transferred outside of the EU in compliance with the conditions for transfer set out in Chapter V of the GDPR. 

Transfer from EU to non-EU country only permitted if it is necessary for important reasons of public interest; necessary for the establishment, exercise or defence of legal claims; necessary for vital interests of data subject or others; transfer is from a public register or the transfer is not repetitive and is for compelling legitimate interests of controller.

Adequate safeguards may be provided for by a legally binding agreement, binding corporate rules, standard data protection clauses, approved code of conduct, certification, authorized contractual clauses by the supervisory authority.

In Hong Kong, however, section 33 governing cross-border data transfer has never been enforced since the law’s enactment, meaning there is no adequacy decision for Hong Kong. Certification and adherence of an approve code of practice are not legal requirement for transfer. Unlike in GDPR, there is no formal recognition of certification or mechanism demonstrating compliance by data controllers and processors.

The GDPR takes a risk-based approach, and data controllers are required to put in place appropriate technical and organisational measures to meet the requirements of accountability. 

Hong Kong’s PDPO has not explicitly state privacy management measures and accountability priniciples in the law while the Privacy Commissioner advocates best practices such as appointing data protection officers and conducting privacy impact assessments.

One of the most apparent features that is lacking in Hong Kong’s PDPO is that our Privacy Commissioner has little enforcement power such as imposing penalties, resulting in the reliance on serving Enforcement Notices which may only lead to judicial process if the infringing entity fails to comply and rectify.

The GDPR empowers data protection supervisory bodies to impose fines on data controllers and processors which can amount to as much as EUR 20 million or 4% of the total worldwide annual turnover.

Hong Kong’s privacy law lacks not only teeth, but updated definitions, obligations and rights for individuals. 

Our data protection law needs to evolve beyond recent, localised amendments. The present PDPO, to put it mildly, is a decade away from ongoing evolved regulation regime in Europe and the rest of the world. 

The government should engage the public in discussions on how the law needs to be amended, and consult academia, civil society groups, technology and innovation sector in thorough debate.

On 3 July, ISOC HK and my office will host an Hong Kong Internet Governance Forum Roundtable to discuss the intersection of evolving internet technology with privacy law, featuring a multi-stakeholder dialogue with civil society, academia, industry and technical community. 

Register here: https://goo.gl/forms/n9Rz1B7LtdzTrLAh1

Published on Computerworld Hong Kong in June 2018