Wednesday, September 15, 2021

[Diplomat] The Downfall of Hong Kong’s Privacy Law

Instead of protecting citizens’ privacy, Hong Kong’s latest privacy law amendment is all about anti-doxxing. How did we get here?

Doxxing – exposing previously private personal information to the public without consent, often over the internet – has become a familiar but harmful and irreversible tactic used by groups holding a grudge against one another. During the 2019 Hong Kong protests, both sides engaged in doxxing to inflict harm on the other: protesters against the police and their families, and pro-government supporters against the protesters and their supporters.

Complaints from both sides were lodged with the Office of the Privacy Commissioner for Personal Data (PCPD), Hong Kong’s privacy regulator. But in most cases, as most of the exposed content was placed on servers or services outside of Hong Kong, the regulator lacked the extraterritorial jurisdiction to order takedowns.

So, on July 21, the Hong Kong government tabled amendments to the Personal Data (Privacy) Ordinance (PDPO) to deal with doxxing. The bill is expected to be passed by October.

But the reactions from global “big tech” players were quick and negative. The Singapore-based Asia Internet Coalition – an industry group representing major American tech players such as Apple, Amazon, Facebook, Google, LinkedIn, and Twitter – wrote to the Hong Kong government to express its concerns about the law “putting their staff at risk of criminal investigations or prosecutions” for what their users post online. Media headlines flashed around the world that these companies threatened to leave Hong Kong should the new law be passed.

While a complete pull-out is highly unlikely, these companies’ reaction was high-profile enough that the privacy commissioner met with their representatives in an online meeting shortly afterwards in order to assuage their concerns. However, Hong Kong Chief Executive Carrie Lam took a tougher stance, insisting the companies’ worries were unwarranted, and they would be “proved wrong” as the new law takes effect, just as “the national security law did not lead to situations as described by people who smeared it.”

From First to Last

Hong Kong’s PDPO was first passed in 1995, and took effect from December 1996, shortly before the territory’s handover to China. It was proudly one of Asia’s earliest comprehensive privacy protection laws. The establishment of an independent regulator ensured its regulatory decisions would be made at arm’s length from the administration.

This independence was evident in an early investigation into the Xinhua News Agency, China’s de facto representative in Hong Kong prior to the handover. Right after the law’s enactment, an opposition legislator, Emily Lau, requested Xinhua to disclose any records it kept on her. The agency ignored her beyond the legally required period of 40 days to respond. The PCPD investigated, and only then did Xinhua send Lau a one-line reply, claiming that it kept no records on her.

Remarkably, in February 1998, just over half a year after the handover, the PCPD referred the case to Hong Kong’s secretary for justice for possible prosecution, although the secretary decided not to prosecute. That was 23 years ago. At least the regulator seemed to have tried.

Over Two Decades of Inaction

Hong Kong’s government has a tradition of introducing new laws with a “gradual progress” approach, being light-handed at first and refraining from harsh punishments in order to allow those affected, especially the business sector, to “have time to adjust.” The PDPO was no exception. The law lacked a mandatory breach notification requirement; fines for data breaches were low to non-existent, and the regulator had insufficient power to investigate and prosecute.

In the first version of the law, in case of a data breach incident, the regulator could only issue an “enforcement notice,” which directed the entity involved to take remedial steps. If it happened again, all the regulator could do was to issue yet another enforcement notice.

It was not until 2010, almost 15 years after the law’s first passage, that the government proposed and later passed a law imposing a fine of HK$50,000 (US$6,410), or up to two years’ imprisonment, if a firm were still found in violation of the data protection principles after the first enforcement notice had been served. It was still too little and too late.

Other suggestions for updating the law were rejected, including a mandatory breach notification and the introduction of a “sensitive personal data” category – such as biometrics – to enable stricter protection. Instead, to occupy public attention, an “opt-in” procedure against the relatively minor though irritating practice of direct marketing was introduced, with fines for failure to comply. Still, nothing was done about the more serious issue of data breaches, however large in scale.

Hong Kong Left Behind

As Hong Kong fiddled around, other Asian countries passed privacy laws and even updated them, including mandatory breach notifications in Singapore and Australia for certain critical infrastructure providers or government agencies. In 2018, the European Union’s General Data Protection Regulation (GDPR) came into effect. Even China has just passed its Personal Information Protection Law, said to be among “the strictest in the world,” going into effect on November 1, 2021.

It is ironic that Hong Kong firms will have to follow much stricter global and Chinese laws, with their extraterritorial jurisdiction, but can get off easily at home. That means dubious protection for Hong Kong’s citizens.

One of the most glaring deficiencies of Hong Kong’s privacy law is its Section 33. Back when the law was passed in 1995, this section on “data residency” – which would limit the transfer of personal data of Hong Kong subjects to outside of its territory – was included, but not enacted. It is quite incredible that after more than 25 years, this section exists “on paper” but is not yet in effect. Hong Kongers’ personal data can still flow to other countries or mainland China with virtually no restrictions.

Then, in 2018, Cathay Pacific, Hong Kong’s flag-carrying airline, lost the personal data of 9.4 million customers to hackers. A huge public outcry ensued. In a hearing in the legislature, legislators including myself lamented that, under the existing law, even if the airline were to be hacked again and fined, the maximum penalty would cost them less than a single business class ticket to the other side of the world.

By comparison, in March 2020, the U.K.’s Information Commissioner’s Office levied a penalty of 500,000 British pounds on Cathay Pacific, the maximum under their law, as the breach affected 111,578 British subjects.

So, finally, the Hong Kong government promised to update the law, and after some delay, in January 2020, in a paper to the legislature, it made a list of proposed amendments, including establishing a mandatory data breach notification mechanism, introducing an administrative fine linked to the annual turnover of the company whose data was breached, formulating a clearer data retention period for personal data collected, clarifying the regulation of data processors and intermediaries, and updating the definition of personal data.

Sadly, all these suggestions have now just disappeared in the amendment bill, leaving one single issue remaining: doxxing.

Privacy Protection Is More Than Anti-Doxxing

Doxxing is wrong and should not be heralded for any purpose. But, without clear safeguards allowing for the free flow of information, anti-doxxing laws may severely limit journalism, whistleblowing, and the public’s right to know. Equating privacy regulation with anti-doxxing alone, and ignoring everything else needed in a modern data protection regime, is just as irresponsible as doxxing itself. The government may only want to weaponize the privacy law to arm itself with yet another tool against expression of dissent, rather than genuinely protecting people’s privacy.

Also, under the amendment bill, the PCPD will suddenly be transformed from a “toothless tiger” to an agency with unchecked power. A summary offense of disclosing personal data without the subject’s consent will be punishable by a maximum fine of HK$100,000 (US$12,820) and two years’ imprisonment. The higher tier offense of doxxing that causes a broad yet vague list of “specified harms” – “harassment, molestation, threats, intimidation, and physical and psychological injury which could cause a victim to be concerned about their safety or damage to their property” – to the subject or their family members can result in a maximum fine of HK$1 million (US$128,200) and five years’ imprisonment.

The PCPD may conduct searches on service providers’ electronic equipment and order arrests without a warrant, using “reasonable force.” It can request that content be removed from websites hosted outside Hong Kong. If a firm fails to comply, it and its local representatives may face up to HK$100,000 in fines and two years’ imprisonment.

Global tech platforms are right to be concerned. They have seen similar threats elsewhere, such as in India, where threats were made about arresting their executives. But smaller local information providers, telecommunications firms, journalists, or just about any average internet users will have even fewer resources to fight the government.

The chilling effects will be immense, leading to even more self-censorship and further erosion of Hong Kong’s freedom of expression. It will not only be another brick in the territory’s new great firewall of internet censorship, but also leave Hong Kong’s privacy protection regime further behind the rest of the world.

Published: The Diplomat, September 15 2021