Hong Kong data protection paper offers roadmap to reform

The PDPO was a state of the art piece of legislation when drafted in 1996. Despite some narrow reforms of the PDPO in areas such as direct marketing and unauthorised disclosure of personal data in 2012, broader modernisation of the framework is now required to ensure the law better reflects the age of the smartphone, the use of new technologies like big data analytics and systems that automate decision making, and addresses the risk of data breaches and misuse of personal data in the digital world.

With policymakers moving to update data protection laws in other jurisdictions in recent times – perhaps most notably in the EU with the General Data Protection Regulation (GDPR) – it is encouraging that the Constitutional and Mainland Affairs Bureau of the Hong Kong government issued a discussion paper on a review of the PDPO on 20 January, seeking feedback from Hong Kong's Legislative Council on new amendments to the PDPO.

What the new amendments involve

The discussion paper acknowledges recent data breaches in Hong Kong, and notes the rapid development of new technologies which have driven the increased collection and processing of personal data. A number of amendments to the PDPO are proposed in response. These include:

• Mandatory data breach notification: at present, the PDPO does not require a data user – which is the PDPO's equivalent term for a 'data controller' in Hong Kong – to notify the Office of Privacy Commissioner for Personal Data (PCPD) or the data subject in the event of a data breach. This is a stark contrast to other data protection regimes where mandatory breach notification is quickly becoming the norm. The discussion paper proposes that a mandatory notification mechanism should be introduced in Hong Kong.
• Data retention period: at present, the PDPO simply states that data users should not retain personal data longer than is necessary. The discussion paper proposes to add details to this, by requiring data users to formulate a clear retention policy, which in turn must specify a retention period for personal data collected. The retention policy must then be clearly communicated to the data subjects in organisations' privacy policies.
• Tougher sanctions: the level of fines that can be imposed under the PDPO are relatively low and are generally capped at HK$100,000 (US$12,800) save in certain cases such as where there has been an abuse of direct marketing rules or where there has been disclosure of personal data obtained without consent. In addition, fines are rarely imposed in practice. If a data protection principle is breached, for example, by the data user not providing a privacy policy, the first step towards enforcement is for the PCPD to issue an enforcement notice. Only when that notice is not complied with do fines and potential imprisonment follow. The discussion paper proposes increasing the fines under the PDPO by pegging them to a data user's global annual turnover in a manner not dissimilar to the GDPR, dispensing with the need to first issue an enforcement notice and empowering the PCPD to directly issue administrative fines. It also suggested a broader range of factors that the PCPD should consider when imposing fines.
• Increased regulation of data processors: the PDPO at present only requires data users to adopt contractual means to ensure that data processors adopt measures to ensure the safety of personal data. Beyond that, the PDPO does not directly regulate the activities of data processors. The discussion paper proposes to increase direct regulation of data processors, by making them directly accountable for breaches and subjecting them to the same breach notification requirements as data users.
• Expanding the definition of 'personal data': the PDPO currently defines 'personal data' as being in relation to an "identified" person; the discussion paper proposes to expand this to refer instead to an "identifiable" person. This may seem like a small change, but the effect actually is to broaden the definition of 'personal data' to catch a broader number of uses – for example, in big data analytics, where the identity of data subjects can be pieced together from the use of data which in isolation and absent powerful algorithm-driven processing can appear innocuous.
• Anti ‘doxxing’ measures: recent events in Hong Kong have seen a number of widely-reported ‘doxxing’ incidents. ‘Doxxing’ refers to the malicious practice of making someone’s personal information available so that the person can be more easily targeted by others. Whilst prohibitions on doxxing already exist in section 64 of the PDPO, which prohibits the disclosure of personal data without the data user's consent, the discussion paper notes that studies are ongoing as to how to more effectively curb doxxing. This is an exceptionally hot topic in Hong Kong, and details of changes to the law are still forthcoming. However we can expect significant fines and criminal liability in doxxing cases.

If these amendments seem familiar, they are – many of these proposals reflect GDPR provisions that have come into effect, and, indeed, the discussion paper itself acknowledges that it has referred to the GDPR and other comparable jurisdictions in formulating its proposals. The reference to GDPR is to be welcomed. We see no reason why data subjects in Hong Kong would have a lower expectation for the protection of their personal data when compared with data subjects in the EU. Furthermore, Hong Kong's largely globalised economy could benefit from having less divergence between the PDPO and comparable legislation overseas – such as the GDPR.

The discussion around anti-doxxing measures is perhaps more topical to Hong Kong than in other jurisdictions. The discussion paper indicates that the Constitutional and Mainland Affairs Bureau is "deeply concerned" about the significant volume of doxxing cases recently reported in Hong Kong. There have been more than 4,700 doxxing-related cases identified by the privacy commissioner since 14 June last year. More than 1,400 of those cases were referred to the police for further investigation, and there have so far been eight arrests. Actions taken to address the problem thus far include the privacy commissioner requesting the removal of more than 2,500 links from online platforms and that the platforms publish warnings that doxxing might constitute a breach of the PDPO, while  the Hong Kong government has also gone to court in a bid to stop doxxing targeted at police officers.

Anti-doxxing measures in any jurisdiction and at any time are to be welcomed. Given the rise in doxxing cases over the past few months in Hong Kong, the current round of proposed amendments for the PDPO seems the appropriate time to deal with the problem.

What else might we expect to see?

As comprehensive as the discussion paper is, it is only the first step in a long journey to updating the PDPO. We do not yet know how the Legislative Council Panel on Constitution Affairs will respond to the discussion paper, nor how the broader community and the relevant stakeholders will receive it. Nevertheless, we can expect three issues to surface as the discussion paper gains traction:

• Regulations on cross-border transfers of personal data: under section 33 of the PDPO, a data user is prohibited from transferring personal data outside of Hong Kong unless a series of conditions or exemptions are met – for example, by securing the data subject's informed consent or by demonstrating that the destination jurisdiction for the personal data contains adequate data protection laws of its own. However, section 33 is not currently in force in Hong Kong, and there is no timetable for it to come into force. While the discussion paper does not refer to section 33, we think it is only a matter of time before the issue is raised. Regulations on cross-border transfers are important for protecting data subjects and by now a widely acknowledged norm in a variety of data protection legislation across the world. Hong Kong remains an outlier for not enforcing similar restrictions.
• Measures that target the use of automated decision-making and profiling: the use of artificial intelligence for data processing has become increasingly common - and while convenient, such automated processing of data can give rise to ethical concerns such as whether decisions generated by automated processing are procedurally sound, sufficiently transparent or explainable, particularly when such decisions affect the rights, freedoms and interests of data subjects. Article 22 of the GDPR takes the first steps in addressing this issue by providing data subjects with a right not to be subject to a decision based solely on automated processing, including profiling. Given the strength of data-hungry innovations such as fintech, infratech and smart cities in Hong Kong, we can expect measures dealing with automated decision-making would be relevant in the city too. Addressing these issues in amendments to the PDPO would reassure data subjects and provide regulatory certainty to data users.
• A greater focus on 'consent': an important issue dealt with by the GDPR is ‘consent fatigue’ - to put simply, the tendency of data subjects to simply click ‘accept’ and consent to use of their personal data without carefully scrutinising the relevant terms or policies. The legal standard for 'consent' under the GDPR is high. It, for example, places restrictions on consent bundling and an emphasis on the need for consent to be granular. The GDPR also provides alternative legal bases for the collection and processing of personal data, such as by reference to contractual obligations between the parties and by reference to the legitimate interests of the data controller. Since ‘consent fatigue’ is not an issue exclusive to the EU and can be every bit as applicable in Hong Kong, we would likewise welcome discussions as to how the PDPO should provide greater detail on the use of consent going forward.

Engagement is important

It will take time for the discussion paper to be developed into a set of concrete amendments for the PDPO. The proposed amendments provide a valuable opportunity to update Hong Kong's data protection laws both to reflect international standards, and to apply the lessons learnt in the implementation of other data protection laws elsewhere in the world. For data users, there is much to be gained in being well informed on the changes to the PDPO – both by contributing to the consultation process and in being well-prepared to respond operationally to such changes.

Paul Haswell, Jennifer Wu and Thomas Ho are Hong Kong-based experts in data protection law at Pinsent Masons, the law firm behind Out-Law.