The discussion paper on the proposed changes to Hong Kong’s Personal Data (Privacy) Ordinance (Cap.486) (the PDPO) was debated by the Legislative Council’s Panel on Constitutional Affairs’ (the Panel) on 20 January. The proposals set out in LC Paper. No. CB(2) 512/19-20(03) (the Paper) are summarised in our earlier post.
Seven Panel members attended the meeting to discuss the Paper and provide their views in respect of the proposed reforms to the PDPO. Also in attendance was the Privacy Commissioner for Personal Data (the Commissioner) and the CMAB Secretariat. Out of the six reforms proposed in the Paper, those around mandatory breach notification and increased powers to curb doxxing (the disclosure of personal data online without the consent of the target individual) were the focus of the discussion. This is not surprising given the number of high profile data breaches in Hong Kong and the prevalence of doxxing incidents in the past year. The proposals in respect of data retention periods, revenue based fines and the regulation of data processors were not discussed. The Paper received some criticism for only including six proposed reforms, as did the process given that there will be no public consultations in respect of the proposed reforms.
The key takeaways from the Panel discussion are as follows:
- There will be no public consultation in respect of the proposed reforms. Some members were critical of the absence of public consultation, however, the CMAB Secretariat and the Commissioner responded that public consultation is a time consuming process, stakeholders have already provided input and due to the major recent incidents, change is needed promptly.
- There is general support for changes to the Commissioner’s sanctioning powers. The general consensus was that the Commissioner’s powers are inadequate, referred to as a “toothless tiger”, and there is a need for a strengthening of the powers. The Commissioner used the current issues relating to doxxing as an example, saying that having the ability to impose administrative fines would give a more direct route to enforcement and deter both platform users and platform operators from doxxing. There was no specific discussion regarding the proposal to increase relevant criminal level fines or link fines to an organisation’s revenue and type.
- There is general support for the introduction of a mandatory breach notification mechanism. Members were generally supportive of the proposed mandatory breach notification mechanism, but suggested that that the proposed notification threshold is ambiguous and more clarity is required as to what constitutes a “real risk of significant harm”. In addition, members commented on the reporting mechanism and suggested that notifications by way of instant messenger should be considered given the prevalence of usage in Hong Kong. The proposed timeframe of “not more than five business days” for submitting a notification to the Commissioner was not raised by members, but the Commissioner noted that this timeframe is in line with international practice.
- A definition is needed for “sensitive personal data” in line with international standards. Members criticized the fact that there is no mention of sensitive personal data including biometrics, facial recognition and DNA. The Commissioner was agreeable to considering such definition and proposing safeguards in line with international standards.
- Guidance in respect of cross-border transfers is expected to be released in next six months. Members raised concerns relating to the absence of proposals in respect of the regulation of cross-border data transfers, including enactment of section 33 of the PDPO (which regulates cross-border transfer of personal data but has not been enacted for over 20 years). The Commissioner stated that the consultation process in respect of s.33 is still ongoing and there is no timetable for completion of the consultation or enactment of the section. However, templates and best practice guidelines relating to (i) cross-border transfers between organizations, and (ii) cross-border transfers between cloud processors is expected to be released in the next six months.
In terms of next steps, the Panel meeting made clear there would be no public consultation on the proposals. Therefore, we expect the next step in this process to be the preparation of a draft bill amending the PDPO and its publication in the Government Gazette in order for the bill to be introduced into the Legislative Council. No indication was given as to the timing of this draft amendment bill, but we will be closely monitoring its progress.