Changes to Hong Kong’s data protection law discussed by government panel

Data Protection Report - Norton Rose Fulbright

The discussion paper on the proposed changes to Hong Kong’s Personal Data (Privacy) Ordinance (Cap.486) (the PDPO) was debated by the Legislative Council’s Panel on Constitutional Affairs (the Panel) on 20 January. The proposals set out in LC Paper No. CB(2) 512/19-20(03) (the Paper) are summarised in our earlier post.

Seven Panel members attended the meeting to discuss the Paper and provide their views on the proposed reforms to the PDPO. Also in attendance were the Privacy Commissioner for Personal Data (the Commissioner) and the CMAB Secretariat. Of the six reforms proposed in the Paper, those around mandatory breach notification and increased powers to curb doxxing (the disclosure of personal data online without the consent of the target individual) were the focus of the discussion. This is not surprising given the number of high-profile data breaches in Hong Kong and the prevalence of doxxing incidents in the past year. The proposals in respect of data retention periods, revenue-based fines and the regulation of data processors were not discussed. The Paper received some criticism for including only six proposed reforms, as did the process, given that there will be no public consultation on the proposed reforms.

The key takeaways from the Panel discussion are as follows:

  1. There will be no public consultation in respect of the proposed reforms. Some members were critical of the absence of public consultation; however, the CMAB Secretariat and the Commissioner responded that public consultation is a time-consuming process, stakeholders have already provided input and, due to the major recent incidents, change is needed promptly.
  2. There is general support for changes to the Commissioner’s sanctioning powers. The general consensus was that the Commissioner’s powers are inadequate, referred to as a “toothless tiger”, and there is a need for a strengthening of the powers. The Commissioner used the current issues relating to doxxing as an example, saying that having the ability to impose administrative fines would give a more direct route to enforcement and deter both platform users and platform operators from doxxing. There was no specific discussion regarding the proposal to increase relevant criminal level fines or link fines to an organisation’s revenue and type.
  3. There is general support for the introduction of a mandatory breach notification mechanism. Members were generally supportive of the proposed mandatory breach notification mechanism, but suggested that the proposed notification threshold is ambiguous and that more clarity is required as to what constitutes a “real risk of significant harm”. In addition, members commented on the reporting mechanism and suggested that notifications by way of instant messenger should be considered given the prevalence of such usage in Hong Kong. The proposed timeframe of “not more than five business days” for submitting a notification to the Commissioner was not raised by members, but the Commissioner noted that this timeframe is in line with international practice.
  4. A definition is needed for “sensitive personal data” in line with international standards. Members criticised the fact that there is no mention of sensitive personal data, including biometrics, facial recognition and DNA. The Commissioner was agreeable to considering such a definition and proposing safeguards in line with international standards.
  5. Guidance in respect of cross-border transfers is expected to be released in the next six months. Members raised concerns about the absence of proposals on the regulation of cross-border data transfers, including enactment of section 33 of the PDPO (which regulates cross-border transfer of personal data but has not been enacted for over 20 years). The Commissioner stated that the consultation process in respect of s.33 is still ongoing and there is no timetable for completion of the consultation or enactment of the section. However, templates and best practice guidelines relating to (i) cross-border transfers between organisations, and (ii) cross-border transfers between cloud processors are expected to be released in the next six months.

In terms of next steps, the Panel meeting made clear there would be no public consultation on the proposals. Therefore, we expect the next step in this process to be the preparation of a draft bill amending the PDPO and its publication in the Government Gazette so that the bill can be introduced into the Legislative Council. No indication was given as to the timing of this draft amendment bill, but we will be closely monitoring its progress.

Reflecting on APAC Data Protection and Cyber-security Highlights for 2019 (and what lies ahead!)

2019 saw continued growth and change in data protection and cyber-security across the Asia-Pacific. Following the implementation of the GDPR in May 2018, many jurisdictions moved to review and strengthen existing data privacy and cyber-security laws. In addition, 2019 saw regulators publishing findings in respect of some of the largest data incidents of 2018. We have set out below the key highlights of the year and what to look out for in 2020.

Discussion paper published on Hong Kong’s data protection law

Written by Partner Anna Gamvros and Associate Libby Ryan, both based in the Hong Kong office.

Earlier this week, the Constitutional and Mainland Affairs Bureau (the CMAB) released its discussion paper (LC Paper No. CB(2) 512/19-20(03)) (the Paper) seeking the views of the Legislative Council’s Panel on Constitutional Affairs (the Panel) on proposed changes to the Personal Data (Privacy) Ordinance (Cap.486) (the PDPO). The Paper was released on Monday 13th January as part of the agenda for the Panel meeting held on Monday 20th January, and follows proposals by the Privacy Commissioner for Personal Data (the Commissioner) to the government to amend the PDPO. The Paper sets out six proposed amendments to the PDPO:

  1. Introduction of a mandatory breach notification mechanism. It is proposed that the mechanism should include:
    1. a definition of “personal data breach” along the lines of the GDPR definition, being “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”;
    2. a notification threshold so the mechanism will only apply to data breaches that have a “real risk of significant harm” taking into account factors such as the type and amount of data leaked and the security level of the data (encrypted or not);
    3. a time frame for notifying the breach to the Commissioner and individuals. An example of, “as soon as practicable and, under all circumstances, in not more than five business days” is included in the Paper; and
    4. details on the method of notification, as well as the content.
  2. Certainty around data retention periods. It is proposed that data users will be required to have clear retention policies. The Paper recognises that it is not practicable to set a uniform retention period applicable to all types of personal data held by various organisations for different purposes. As such, the Paper proposes requiring data users to have in place a clear retention policy that specifies:
    1. a maximum retention period for different categories of personal data collected;
    2. legal requirements that may affect the retention periods (for example, tax, employment and medical regulations); and
    3. how the retention period will be counted. For example, from the date of collection of personal data, or from expiry of a data subject’s membership with the organisation.
  3. Changes to the Commissioner’s sanctioning powers. In order to enhance the deterrent effect of the PDPO and strengthen the Commissioner’s powers, the following changes are proposed:
    1. increasing the relevant criminal level fines and potentially linking the fines to a percentage of annual turnover and a scale which would have different levels of fines depending on the turnover of the data user;
    2. conferring powers on the Commissioner allowing him to directly impose administrative fines for breaches of the PDPO. Such fines should take into consideration a number of factors including the types of data compromised, severity of the data breach, whether the data user intended the breach to happen and its attitude towards the handling of the breach, remedial actions taken, track record etc. Data users should have the right to appeal the fines, and be given appropriate time to do so; and
    3. a mechanism for the imposition of the administrative fine.
  4. Regulation of data processors. The purpose of this amendment is to share responsibilities for data protection between data users and processors, and prevent data processors from neglecting the importance of preventing personal data leakage. Data processors would be held directly accountable for data retention and security, equal obligations would be imposed on data processors and they would be required to notify the Commissioner and the data user upon becoming aware of a data breach.
  5. Amendment to the definition of personal data. Changes to the definition would expand the current definition to include information that relates to an “identifiable natural person”, rather than an “identified person”. This change reflects the wide use of tracking and data analytic technology being used today and is in line with definitions adopted in other jurisdictions.
  6. Regulation of disclosure of personal data of other data subjects. This change is proposed primarily to curb the effect of doxxing, of which we have seen an increase recently in Hong Kong. Since 14 June 2019, the Commissioner has received over 4700 doxxing-related complaints and enquiry cases. Proposed measures include conferring statutory powers on the Commissioner allowing a request to remove doxxing content from social media platforms or websites, as well as criminal investigation powers and prosecution.

These changes are the first amendments to the PDPO to be proposed in over 10 years. They are in response to recent data protection related events in Hong Kong and reflect changes and new laws we have seen in other jurisdictions.

We will closely monitor the discussions around these proposals and will provide an update following the Panel meeting on 20 January, 2020.

State of the Union: CCPA and Beyond in 2020

On New Year’s Day, you may have received emails from numerous companies saying their privacy policies have changed, or noticed a link at the bottom of many companies’ homepages stating “Do Not Sell My Info.” These are two of the more visible requirements of the California Consumer Privacy Act (CCPA), and companies are still in the process of rolling out other requirements. For those of you who are in the EU or doing business with companies that offer products or services to EU residents, this might have felt like the movie “Groundhog Day.”

The Privacy Officers’ New Year’s Resolutions

1. Brace yourself (for export turbulence)

2020 could well be a year of data export turmoil – so brace yourself!

The Court of Justice of the European Union (CJEU) will determine the validity of the EU Standard Contractual Clauses (SCCs) (Data Protection Commissioner v Facebook Ireland Limited, Maximilian Schrems), whilst the General Court of the EU will consider the future of Privacy Shield (La Quadrature du Net v Commission).

Turkish Data Protection Board announces extension of VERBİS registration deadline – once again

The Turkish Data Protection Board (“Board”) announced the extension of the VERBİS registration deadline until June 30, 2020 for:

  • Turkish data controllers with more than 50 employees annually or whose annual total financial statement exceeds TL 25,000,000 (approx. USD 4.2 million), and
  • Data controllers located abroad.

Schrems II: AG deems SCCs valid but comes up with difficult new obligations and expresses “doubts” over privacy shield

What has happened?

Yesterday, the Advocate General (“AG”) concluded that, in his opinion, the EU Standard Contractual Clauses (“SCCs”) are a valid mechanism to transfer personal data outside of the European Economic Area (“EEA”). However, the AG suggested new obligations for those using SCCs: they need to examine the national security laws of the country of the data importer to determine whether the importer can in fact comply with the terms of the SCCs.

Russian Data Localization law: now with monetary penalties

On 2 December, a new law was introduced in Russia to enable substantial administrative fines to be imposed on organisations and individuals that fail to comply with data localisation requirements. Both legal entities and responsible managers (e.g. the Data Protection Officer or the CEO) can be fined under the new regime.

Here We Go Again: Another Ballot Initiative for CCPA in 2020

As companies get ready for the California Consumer Privacy Act’s (CCPA) effective date of January 1, 2020, compliance is complicated because there are still several moving variables:

  • Draft regulations have been proposed but may not be final until after January 1, 2020.
  • The recent amendments to CCPA include two important exceptions (business-to-business (B2B) and the “employee” exceptions) that sunset on December 31, 2020. It is anticipated that amendments to CCPA will be introduced in the California legislature during the 2020 session on these topics and others.
  • A ballot initiative to amend CCPA may be presented directly to California voters. The proposed initiative had originally been filed with the California Attorney General on September 25, 2019, but an amended ballot initiative was received by the Attorney General on November 13, 2019. This version has some potential surprises for companies subject to CCPA.
