In the wake of a massive data security breach in 2018, Hong Kong is finally carrying out a much needed overview of it’s PDPO data protection regulation. Relentless Privacy & Compliance outline the upcoming changes and the impact on global businesses.
When the European Union first introduced the General Data Protection Regulation (GDPR) back in 2016, many countries, cities and regions around the world were quick to take notice. Seeing how successfully GDPR was implemented two years later, those same areas sprung into action, revising their own data privacy laws to better reflect and cope with the needs of today’s digital, data-driven economy.
Yet while all this was going on, one region once considered a pioneer in the world of data protection law found itself very much lagging behind. Back in 1996, Hong Kong became one of the first countries in Asia to come up with its own regulations around data privacy. Known as the Personal Data Privacy Ordinance (PDPO), the law was largely considered to be ahead of its time when it first came into force. Yet that was 23 years now. Now, almost a quarter of a century later, the world is a very different place and PDPO, according to many of its much staunch critics, simply fails to reflect that.
Revisions to PDPO
sure, the law has seen the occasional update.
Hong Kong has its own Privacy Commissioner for Personal Data (PCPD), a role currently held by Stephen Wong. The PCPD has a statutory obligation to review the Hong Kong data privacy law, having last done so in 2012.
The result of that review resulted in new restrictions being placed on direct marketers though many people at the time, and especially now years later, have argued that such changes simply weren’t enough to protect the personal data and privacy rights of individuals in modern society. Last year, Wong finally relented and agreed to carry out another review which many hope will result in the changes needed to bring PDPO in line with GDPR and other modern data privacy laws.in
Today, global data protection consultants Relentless Privacy Compliance take a break from helping organisations ensure frictionless compliance with global data privacy laws and take a look at what these changes are likely to be.
Why is the Hong Kong Data Privacy Law Being Reviewed Now?
2018 saw one of Hong Kong’s biggest ever data security breaches as the personal data of some 9.4 million individuals were stolen from airline Cathay Pacific. The privacy breach was the last straw for critics who argued that it served as proof that the current law was no longer fit for purpose. Responding to such criticism, and drawing inspiration from GDPR, Wong admitted that changes were needed and promised to carry out a review.
So far, industry insiders are expecting the review to result in changes to the four main areas in which PDPO fails to hold its own against other international data protection laws.
These four areas are:
1: Data breach notifications
Under GDPR, data processors and controllers are required to report data breaches within 72 hours.
Since updating their privacy laws, many other parts of the world also have similar requirements in place yet so far Hong Kong does not.
Going forward, we should expect to see the rules change so that data subjects affected by a breach will need to be notified within a reasonable timeframe from when the breach occurred.
If your business deals with Hong Kong data subjects then you may want to keep an eye on the Relentless Privacy & Compliance blog or follow us on social media, where we’ll be sure to report on the exact rules that Wong and his team come up with.
In the meantime, consider how your data breach strategies for GDPR can be adapted to PDPO.
2: Non-Compliance Penalties
Incidents such as the Cathay Pacific breach have raised concerns that penalties for non0-compliance are not sufficient enough to motivate organisations into fully protecting the personal data they hold.
At present, if a company fails to protect personal data or falls short of PDPO rules in some other way, then the worst thing that happens is that they receive an enforcement notice ordering them to fix and prevent the issue from happening again.
Only if they fail to act on this notice does the Office of the Privacy Commissioner for Personal Data really hit organisations where it hurts; maximum fines of up to 50,000 HKD (roughly £5,000 GBP) and two years in prison can be issued, though most critics argue that this isn’t enough.
They expect Wong’s team to bring penalties more in line with GDPR, which currently imposes fines of up to 20 million euros or 4% of global turnover depending on which one is higher.
3: Data Processors
Under GDPR, both data processors and controllers have an obligation to comply with the regulations whereas PDPO only currently applies to controllers. Since a large majority of data breaches occur at the processor level many insiders say that this is neither sufficient nor fair.
The upcoming changes are likely to address this by making processors equally accountable.
4: International Data Transfers
Section 33 of PDPO actually prohibits international data transfers except under certain circumstances, which are:
- The recipient country is included in a “white list” issued by the PCPD
- The data user reasonably believes that the recipient country has laws substantially similar to, or which serve the same purpose as, the PDPO
- The data subject has consented to the transfer
- The data controller has reasonable grounds for believing that the transfer is necessary to avoid or mitigate any adverse action against the data subject, and it is not practicable to obtain the data subject’s consent; but if it were practicable, the data subject would provide their consent
- The data user has taken all reasonable precautions and exercised due diligence to ensure that the personal data will not be used in a manner inconsistent with the provisions of the PDPO
Yet despite being enacted in 1995, Section 33 has never yet come into operation.
The upcoming review by Stephen Wong is likely to address this by first bringing Section 33 in line with GDPR Articles 44 through 49 which deal with data transfers, and then finally putting it into operation for the first time in the long and troubled history of the Personal Data Protection Ordinance.
Need expert advice preparing for changes to Hong Kong’s data privacy law? Looking for a simpler solution to map all of your current international data protection methods?
Talk to Relentless today about how our global privacy service can help your organisation enjoy frictionless compliance in a way that provides long-term added value. Contact us online to arrange your initial consultation or call now on +44 (0) 121 582 0192