Sunday, June 24, 2018

[RTHK LTHK] The sorry state of 5G planning in Hong Kong

Dear John, 

How’s life in the Hong Kong Science Park? I know that for several years, you have heeded the call of the government to develop smart city technology and solutions, to help realize Hong Kong’s vision to become a smart city. We have talked a lot about the problems you and other young companies in Hong Kong face — lack of talents, the government’s rigid procurement policies, outdated laws and backward open data policies. 

Before I can tell you when the Chief Executive will be able to fulfill her Policy Address promises tackle those problems, I am sorry to inform you that you may soon face yet another obstacle. 

For many years, Hong Kong has taken pride in our telecommunications infrastructure, especially our mobile services. Hong Kong was among the first in the world to provide 3G and 4G services. But, as other countries and regions are eagerly preparing for their 5G service launch, Hong Kong is in danger of falling behind, and even when services will become available, for the first few years, we may not be able to attain universal coverage of 5G. 

As you well know, 5G services are not just about higher speed of access and downloads. It is a key enabler for many and indeed most of the targets that our government’s innovation and technology policies are trying to reach — smart transport through connected cars and road surveillance, smart healthcare through telemedicine, smart manufacturing, and Internet of things through smart sensors placed all around town, just to mention a few. 

What are our competitors doing? Well, South Korea showcased its 5G services in the Winter Olympics earlier this year, and the US has set a target for first commercial launch within this year. Others like Japan, Australia, Canada and our own China Mainland are aiming at commercial service launch by 2020. 

But, did you know that even as recently as last year, when I questioned the Office of the Communications Authority (OFCA) in the Legislative Council, OFCA told me that they would not determine on the final spectrum allocation — that is, which frequency bands would be used to provide our 5G services, and hence be set aside for auction — until 2020, because the International Telecommunications Union would only by then formally finalize the spectrum selection. Our government officials even claimed that no equipment vendor will provide equipment until that time. 

We in the industry know of course that is not true. After we pressured the government with the telecom industry, our regulator actually quietly and slightly expedited their timetable, launching a final consultation in May on the use of the 3.5GHz band for 5G. Around that time, the United Kingdom is already preparing for their auction of this band, which was completed two months ago in April. So, for Hong Kong, any auction for this spectrum will not happen until late 2019, with spectrum assignment date being fixed for April 2020. That set us behind the UK and South Korea for almost two years. 

Yet, OFCA maintained that Hong Kong is still “at the forefront” of 5G service launch in the world. To make that claim, they mix up the facts on two fronts. First, spectrum allocation in 2020 does not mean service launch in 2020. It is easy to understand that any company winning an auction would need at least one to two years to build and test their network. It is just the same as the fact that after you win a land auction, you still need time to build your building before the flats can be sold. And that is exactly why other countries are auctioning their spectrum this year — 2018 — in order for services to be reliably launched in 2020 or earlier. 

The other misleading point raised by our regulator is over the differences between the so-called lower frequency spectrum of the 3.5GHz band, versus the higher frequency spectrum of 26 and 28GHz bands. The government plans to make up for the delay in the 3.5GHz auction by saying that the 26 and 28GHz bands will be in abundance and can be made available for auction by as earlier as early next year, and then we will have no problem in 5G spectrum supply. 

Well, we engineers do at least understand some secondary school physics, and we know that not all frequency bands are equal in their physical characteristics. For instance, the higher the frequency, like for the 26 and 28GHz band, the range of distance that can be covered will be shorter, down to around 100 meters, and the penetration power will be much lower than the lower frequency band like the 3.5GHz band. That means, if only the 26 and 28GHz bands are available at first, our telecom companies will have to take a lot more time to build hundreds of times of more base stations around Hong Kong, at ultra close range, and yet those 5G signals may not be able to penetrate concrete walls of our buildings, rendering our initial 5G services to be just an outdoor faster Wi-Fi kind of service! You may not even use it indoor!

That’s why the industry insists that lower frequency bands must also be available for full and effective 5G services, and only gradually transitioning to higher frequency bands. That is what the regulators in the rest of the world seem to agree and are acting on, except Hong Kong. 

We knew from years ago that because the 3.5GHz band had been currently occupied and used by satellite operators, we told the regulator that they must plan our spectrum usage in advance with foresight. Well, instead, they were only finalizing the consultation last month in May. So much for foresight and being in the forefront. Our competitors and even the Mainland had issued directives to vacate these spectrums previously used for other purposes long ago, and we are only doing it now. Why the delay? I have no idea. 

The worst part of it is that because these satellite stations are currently in Tai Po and Stanley, to avoid interference, two huge restricted zones without 3.5GHz 5G services at initial launch will exist in Tai Po, Ma On Shan, and parts of Fanling, Shatin, Sai Kung, as well as Stanley on Hong Kong Island, much like a “5G Twilight Zone.” The government has confirmed to me that these regions cover over at least 740,000 residents, and many more technology developers and engineers like you, John, working in the Science Park or the Chinese University of Hong Kong. So much for those 5G technology labs being planned in our flagship technology region, where our government has invested billions of dollars to conduct leading edge R&D. Just no 5G. 

At an industry forum earlier this month, major telecom players unanimously urged the government to speed up the assignment of the 3.5GHz band, and explore technical measures to reduce the size of the 5G restricted zone, to avoid this 5G planning fiasco from getting worse. 

Unfortunately, our government officials still stick to its “line-to-take” attitude, denying any problems in spite of scientific facts and clear regulatory comparison with other jurisdictions. We engineers just want to help them, help ourselves and help Hong Kong solve the problem. This is a matter of ultimate public interest. But, what can we do when we face a bureaucracy that wouldn’t listen? 

The industry and technical community must continue to state the facts and urge the regulator to speed up the process of bringing the 3.5GHz band to the 5G market. The regulator must stop denying and sit down with the telecom industry and other government departments in good faith to find a solution to deal with the interference issue, including moving these satellite stations eventually but quickly to lesser populated areas. That is the only way for Hong Kong to catch up. 

For Radio Television Hong Kong's Letter for Hong Kong, Jun 24 2018

Wednesday, June 06, 2018

[CWHK] EU GDPR vs Hong Kong's PDPO: Time to update our privacy law?

The EU’s General Data Protection Regulation (“GDPR”) has commenced enforcement on 25 May 2018, marking a new era for global data protection. In the past few months leading up to the enforcement, organisations offering online services have been updating their privacy policies and notifying users to give consent en masse. 

In a sense, the EU has set a new bar for global privacy protection regimes by pushing forward a new set of rules with extra-territorial applications – meaning any Hong Kong organization dealing with personal data of EU citizens may also fall within the rules.

The proliferation of industry practices that track users across the web and through various devices, means the rules that govern it needs to adapt. The revelations from Facebook and Cambridge Analytica incident shows just the tip of the iceberg about the problems of collecting and using personally-identifiable data to create profiles for targeted advertising and analysis. 

Hong Kong has seen more large-scale data breach in both public and private sector affecting hundreds of thousands of citizens. 2 laptops containing more than 3.3 million voters’ personal information such as name, HKID number, and address were reported stolen after the Chief Election Election in March 2017. More recently, the personal data of some 380,000 Hong Kong Broadband Network customers were hacked in April 2018. Three travel agencies became victims to hackers who encrypted their customer database and demanded ransom with cryptocurrency. 

As the government pushes towards “Smart City”, how should Hong Kong’s privacy laws be updated to address issues coming with innovations such as AI, facial recognition, algorithm-driven decisions and cross-border data transfer, to strengthen privacy, security, transparency and accountability? The following is a broad comparison between EU’s GDPR and Hong Kong’s Personal Data (Privacy) Ordinance (“PDPO”).


The data protection of the EU stemmed from EC Directive 95/46/EC which governs the protection of personal data in EU. It sets out a series of principles governing the collection, use, disclosure and handling of personal data. Hong Kong’s PDPO was drafted closely based on the Directive.

The GDPR applies directly in EU member states without enacting legislation, while EU member states can still have legislation with exceptions and derogations. The GDPR revises and extends data protection principles and introduces several new rights for data subjects, while includes heavier sanctions on infringing businesses with worldwide operation.

The law needs an update to enable the city to tackle privacy challenges and embrace innovation opportunities brought about by innovation and technology. So how far behind is Hong Kong’s privacy law that was first enacted before the Internet age?

EU GDPR VS Hong Kong PDPO: Major differences

1. Application / territorial scope

According to Article 3 of GDPR, the law applies to all data processing in the context of activities of an establishment of data controller or processor in the EU, such as office, sales representative or business activity directed towards an EU member state, regardless of where processing takes place. It also applies to data processing related to offering goods/services to individuals in the EU, or monitoring individuals in the EU, such as tracking or predicting behavior.

Whereas PDPO of Hong Kong applies to data controllers or processors who, either alone or jointly or in common with other persons, control the collection, holding, processing or use of the personal data in or from Hong Kong. (PDPO s.2(1))

2. Definition of personal data

The GDPR applies to "Personal data" meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. 

A wide range of personal identifiers constitutes personal data under this definition, including name, ID number, location data. It also includes online identifiers such as IP addresses and cookie identifiers, reflecting changes in technology and new ways personal data is being collected nowadays.

Personal data that has been pseudonymised can also fall within the scope of the GDPR, depending on the difficulty of attributing the pseudonym to an individual.

Hong Kong’s PDPO, however, defines "Personal data" as any data that relates directly or indirectly to a living individual; or from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and in a form in which access to or processing of the data is practicable.

3. Sensitive personal data

The GDPR refers to sensitive personal data as “special categories of personal data” (Article 9). The special categories include genetic data and biometric data where processed to uniquely identify an individual. Criminal conviction and offences data are considered to be more sensitive, and may only be processed in more limited circumstances.

Hong Kong’s PDPO has no special categories for ‘sensitive personal data’.

4. Consent

According to Article 5 of GPDR, consent must be freely given, specific, unambiguous, informed and express (for processing of sensitive data only). Consent given by a child below 16 (or 13) requires parental authorization. 

As for Hong Kong’s PDPO, consent is not required for the collection of personal data (unless for a new purpose). Where consent is also required, consent means express and voluntary consent.

5. Data processors

Data processors (such as third-party vendors or contractors) are regulated by the GDPR. They have additional obligation under the law such as to maintain records of processing, ensure security of processing, report data breaches and designate Data Protection Officers etc. Data controller must have a written contract binding the processor which sets out nature and purpose of processing and contains specified provisions.

In Hong Kong, data processors are not directly regulated but required to mandate compliance to Data Protection Principles by means of contract or other means.

Hong Kong’s PDPO does not directly regulate or mandate obligations for data processors.

6. Breach notifications

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes.

The GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant regulatory authority. This must be completed within 72 hours of becoming aware of the breach, where feasible. If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, the data controller must also inform those individuals without undue delay.

Hong Kong’s PDPO has no mandatory requirement for breach notification, but recommends reporting to to the Privacy Commissioner and data subjects at the earliest convenience.

7. Right for data subjects

The GDPR provides the more rights for individuals: the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object and rights in relation to automated individual decision-making (solely by automated means without any human involvement) and profiling (automated processing of personal data to evaluate certain things about an individual).

Hong Kong’s PDPO has similar rights for data subjects, but there is no right to erasure (otherwise known as the ‘right to be forgotten’), right to data portability and right about decision by algorithm and right to object to processing (including profiling). The notice requirements for data users and controllers are less extensive. 

8. Cross-jurisdiction data transfer

The GDPR imposes restrictions on the transfer of personal data outside the EU, to third countries or international organisations, where certification and adherence to approved codes of conduct are explicit requirement for international transfer. Personal data may only be transferred outside of the EU in compliance with the conditions for transfer set out in Chapter V of the GDPR. 

Transfer from EU to non-EU country only permitted if it is necessary for important reasons of public interest; necessary for the establishment, exercise or defence of legal claims; necessary for vital interests of data subject or others; transfer is from a public register or the transfer is not repetitive and is for compelling legitimate interests of controller.

Adequate safeguards may be provided for by a legally binding agreement, binding corporate rules, standard data protection clauses, approved code of conduct, certification, authorized contractual clauses by the supervisory authority.

In Hong Kong, however, section 33 governing cross-border data transfer has never been enforced since the law’s enactment, meaning there is no adequacy decision for Hong Kong. Certification and adherence of an approve code of practice are not legal requirement for transfer. Unlike in GDPR, there is no formal recognition of certification or mechanism demonstrating compliance by data controllers and processors.

9. Accountability and governance

The GDPR takes a risk-based approach, and data controllers are required to put in place appropriate technical and organisational measures to meet the requirements of accountability. 

Hong Kong’s PDPO has not explicitly state privacy management measures and accountability priniciples in the law while the Privacy Commissioner advocates best practices such as appointing data protection officers and conducting privacy impact assessments.

10. Remedies, liability and sanctions

One of the most apparent features that is lacking in Hong Kong’s PDPO is that our Privacy Commissioner has little enforcement power such as imposing penalties, resulting in the reliance on serving Enforcement Notices which may only lead to judicial process if the infringing entity fails to comply and rectify.

The GDPR empowers data protection supervisory bodies to impose fines on data controllers and processors which can amount to as much as EUR 20 million or 4% of the total worldwide annual turnover.

No time to wait: PDPO update 

Hong Kong’s privacy law lacks not only teeth, but updated definitions, obligations and rights for individuals. 

Our data protection law needs to evolve beyond recent, localised amendments. The present PDPO, to put it mildly, is a decade away from ongoing evolved regulation regime in Europe and the rest of the world. 

The government should engage the public in discussions on how the law needs to be amended, and consult academia, civil society groups, technology and innovation sector in thorough debate.

On 3 July, ISOC HK and my office will host an Hong Kong Internet Governance Forum Roundtable to discuss the intersection of evolving internet technology with privacy law, featuring a multi-stakeholder dialogue with civil society, academia, industry and technical community. 

Register here:

Published on Computerworld Hong Kong in June 2018