The discussion paper on the proposed changes to Hong Kong’s Personal Data (Privacy) Ordinance (Cap.486) (the PDPO) was debated by the Legislative Council’s Panel on Constitutional Affairs (the Panel) on 20 January. The proposals set out in LC Paper No. CB(2) 512/19-20(03) (the Paper) are summarised in our earlier post.
2019 saw continued growth and change in data protection and cyber-security across the Asia-Pacific. Following the implementation of the GDPR in May 2018, many jurisdictions moved to review and strengthen existing data privacy and cyber-security laws. In addition, 2019 saw regulators publishing findings in respect of some of the largest data incidents of 2018. We have set out below the key highlights of the year and what to look out for in 2020.
Written by Partner Anna Gamvros and Associate Libby Ryan, both based in the Hong Kong office.
Earlier this week, the Constitutional and Mainland Affairs Bureau (the CMAB) released its discussion paper (LC Paper No. CB(2) 512/19-20(03)) (the Paper) seeking the views of the Legislative Council’s Panel on Constitutional Affairs (the Panel) on proposed changes to the Personal Data (Privacy) Ordinance (Cap.486) (the PDPO). The Paper was released on Monday 13 January, as part of the agenda for the Panel meeting held on Monday 20 January, and follows proposals by the Privacy Commissioner for Personal Data (the Commissioner) to the government to amend the PDPO. The Paper sets out six proposed amendments to the PDPO:
- Introduction of a mandatory breach notification mechanism. It is proposed that the mechanism should include:
  - a definition of “personal data breach” along the lines of the GDPR definition, being “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”;
  - a notification threshold so that the mechanism applies only to data breaches that carry a “real risk of significant harm”, taking into account factors such as the type and amount of data leaked and the security level of the data (encrypted or not);
  - a time frame for notifying the breach to the Commissioner and to affected individuals. The Paper gives as an example “as soon as practicable and, under all circumstances, in not more than five business days”; and
  - details on the method and content of the notification.
- Certainty around data retention periods. It is proposed that data users will be required to have clear retention policies. The Paper recognises that it is not practicable to set a uniform retention period applicable to all types of personal data held by various organisations for different purposes. As such, the Paper proposes requiring data users to have in place a clear retention policy that specifies:
  - a maximum retention period for each category of personal data collected;
  - legal requirements that may affect the retention periods (for example, tax, employment and medical regulations); and
  - how the retention period will be counted, for example from the date of collection of the personal data, or from expiry of a data subject’s membership with the organisation.
- Changes to the Commissioner’s sanctioning powers. In order to enhance the deterrent effect of the PDPO and strengthen the Commissioner’s powers, the following changes are proposed:
  - increasing the relevant criminal fines, and potentially linking fines to a percentage of annual turnover on a scale with different levels of fines depending on the turnover of the data user;
  - conferring powers on the Commissioner allowing him to directly impose administrative fines for breaches of the PDPO. Such fines should take into consideration a number of factors, including the types of data compromised, the severity of the data breach, whether the data user intended the breach to happen and its attitude towards handling the breach, remedial actions taken, track record, etc. Data users should have the right to appeal the fines and be given appropriate time to do so; and
  - a mechanism for the imposition of the administrative fine.
- Regulation of data processors. The purpose of this amendment is to share responsibility for data protection between data users and data processors, and to prevent data processors from neglecting the importance of preventing personal data leakage. Data processors would be held directly accountable for data retention and security, equal obligations would be imposed on data processors, and they would be required to notify the Commissioner and the data user upon becoming aware of a data breach.
- Amendment to the definition of personal data. Changes to the definition would expand the current definition to include information that relates to an “identifiable natural person”, rather than an “identified person”. This change reflects the wide use of tracking and data analytics technology today and is in line with definitions adopted in other jurisdictions.
- Regulation of disclosure of personal data of other data subjects. This change is proposed primarily to curb doxxing, which has increased recently in Hong Kong. Since 14 June 2019, the Commissioner has received over 4700 doxxing-related complaints and enquiry cases. Proposed measures include conferring statutory powers on the Commissioner to request the removal of doxxing content from social media platforms or websites, as well as criminal investigation and prosecution powers.
These changes are the first changes to the PDPO to be proposed in over 10 years. They are in response to recent data protection related events in Hong Kong and reflective of changes and new laws we have seen in other jurisdictions.
We will closely monitor the discussions around these proposals and will provide an update following the Panel meeting on 20 January, 2020.
On New Year’s Day, you may have received emails from numerous companies saying their privacy policies have changed, or noticed a link at the bottom of many companies’ homepages stating “Do Not Sell My Info.” These are two of the more visible requirements of the California Consumer Privacy Act (CCPA), and companies are still in the process of rolling out other requirements. For those of you who are in the EU, or doing business with companies that offer products or services to EU residents, this might have felt like the movie “Groundhog Day.”
To understand the various approaches to CCPA compliance, we reviewed the websites of 50 companies in the Fortune 500® and noticed a few trends:
1. Brace yourself (for export turbulence)
2020 could well be a year of data export turmoil – so brace yourself.
The Court of Justice of the European Union (CJEU) will determine the validity of the EU Standard Contractual Clauses (SCCs) (Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems), whilst the General Court of the EU will consider the future of Privacy Shield (La Quadrature du Net v Commission).
The Advocate General (AG) delivered his non-binding opinion on the SCCs just before Christmas (see our blog post). Although the AG’s view was that the SCCs are valid, he suggested that those using them would need to examine the national security laws of the data importer’s jurisdiction to determine whether they can in fact comply with the terms of the SCCs. He also raised serious doubts over the validity of the Privacy Shield. If the CJEU shares these doubts, it could influence the outcome of La Quadrature du Net.
Data localisation issues are also set to resurface during 2020. China’s requirements are tricky, the Russian Data Localisation law now has monetary penalties and the draft Indian data protection bill also imposes localisation requirements in certain circumstances.
The Turkish Data Protection Board (“Board”) announced the extension of the VERBİS registration deadline until June 30, 2020 for:
- Turkish data controllers with more than 50 employees annually or whose annual total financial statement exceeds TL 25,000,000 (approx. USD 4.2 million), and
- Data controllers located abroad.
This blog post summarises our recent webinar: “An urgent message from Berlin: The importance of record retention in privacy and cybersecurity”.
What has happened?
Yesterday, the Advocate General (“AG”) concluded that, in his opinion, the EU Standard Contractual Clauses (“SCCs”) are a valid mechanism to transfer personal data outside of the European Economic Area (“EEA”). However, the AG suggested new obligations for those using SCCs: they need to examine the national security laws of the country of the data importer to determine whether they can in fact comply with the terms of the SCCs.
On 2 December, a new law was introduced in Russia to enable substantial administrative fines to be imposed on organizations and individuals that fail to comply with data localization requirements. Both legal entities and responsible managers (e.g. the Data Protection Officer or the CEO) can be fined under the new regime.
As companies get ready for the California Consumer Privacy Act’s (CCPA) effective date of January 1, 2020, compliance is complicated because there are still several moving variables:
- Draft regulations have been proposed but may not be final until after January 1, 2020.
- The recent amendments to CCPA include two important exceptions (business-to-business (B2B) and the “employee” exceptions) that sunset on December 31, 2020. It is anticipated that amendments to CCPA will be introduced in the California legislature during the 2020 session on these topics and others.
- A ballot initiative to amend CCPA may be presented directly to California voters. The proposed initiative had originally been filed with the California Attorney General on September 25, 2019, but an amended ballot initiative was received by the Attorney General on November 13, 2019. This version has some potential surprises for companies subject to CCPA.