Hong Kong's privacy commissioner eyes EU data-protection regulation amid extensive review
By Phoebe Seers. 29 August 2017.
Hong Kong Privacy Commissioner Stephen Wong has kept his eye firmly on the EU's General Data Protection Regulation, or GDPR, amid an extensive review of the data-protection regime in Hong Kong. His observations, expected to point to considerable shortfalls between Hong Kong and EU law, are set to be announced next month, with recommendations on changes to the city's law to follow shortly after.
Issues around meaningful consent, sanctions and mandatory accountability and governance provisions have risen to the top of the reform agenda, and the infamous Section 33 of Hong Kong's privacy law continues to fall under scrutiny.
"Our law, when it was enacted in '95, was based on the EU directive of '95 among others…So it is appropriate for us when the EU is changing its regulations that we should also have a review of our law," Wong told MLex in a telephone interview.
Europe is Hong Kong's second-largest trading partner, and because a non-EU organization can fall within the scope of the GDPR when it offers goods or services to individuals in the EU, the impact of the GDPR, which applies from May 2018, on Hong Kong businesses is expected to be significant. The commissioner's office will shortly issue guidelines for businesses with an EU nexus.
A website available in French or German, or goods priced in euros, are the kind of indicators that bring a business within scope, as is monitoring the behavior of individuals residing in the EU. It makes no difference whether the goods or services are paid for.
While many businesses across Asia appear to be laboring under the illusion that the GDPR doesn't apply to them, or won't be enforced against them, businesses in Hong Kong might get a shock next month when Wong announces the findings of his agency's review comparing Hong Kong's current Personal Data (Privacy) Ordinance with the GDPR.
Consent is a topical issue. In Hong Kong, except for marketing purposes, businesses don't need consent when collecting data — they merely need to provide notice of what they're collecting data for, although if the company later decides to use the data for a purpose that was not notified, it needs to obtain consent.
Under the new EU law, not only is consent usually required, it must also be freely given, specific, informed and unambiguous, and given by a clear affirmative action. Silence cannot be consent, "bundled" consents are not valid, and consent is not treated as freely given where access to a service is made conditional on agreeing to processing that the service does not actually require. Sensitive data requires "explicit" consent.
"It seems to me the current law on consent needs to be reconsidered," Wong said. He noted complaints his agency had received that when consent had been sought, individuals were told they would not have access to the services without providing it, or they said they had not meant to provide the consent.
"That is not meaningful. Data subjects should have a realistic choice," he said.
A key concern with the GDPR is liability and the scale of the potential fines, Paolo Sbuttoni, a partner in Baker McKenzie's IT and communications practice in Hong Kong, told MLex. Except for direct marketing offences, the fines Hong Kong authorities can impose are low, at most HK$100,000 (US$12,780), compared with 20 million euros (US$24 million) under the GDPR.
Hong Kong's law is principle-based: it sets out the outcomes to be achieved but is not prescriptive about how to meet them. There are six data-protection principles that "data users", the local equivalent of the EU "data controller", must abide by. Where a data user is accused of breaching one of the principles, the Privacy Commissioner investigates and can issue an enforcement notice requiring the practice to be rectified. Only a failure to comply with the enforcement notice, which is a criminal offence, attracts a penalty: a maximum fine of HK$100,000 and two years' imprisonment.
Penalties for direct marketing offences are higher, up to HK$1 million and five years' imprisonment, but in practice the fines imposed so far have all been low, between HK$5,000 and HK$30,000, for breaches involving limited amounts of personal data, Sbuttoni said. Higher fines are likely in a case involving a large volume of data, he said, but no such case has yet arisen.
The maximum fines available under the GDPR, the higher of 20 million euros or 4 percent of annual global turnover, could be fatal to a company. Moreover, the EU system allows supervisory authorities to impose those fines directly as administrative sanctions, rather than only through a criminal prosecution.
"In Hong Kong, we have no power to impose administrative sanctions and our statutory fines are too low. There's no deterrent effect in certain circumstances," Wong complained.
The GDPR's mandatory accountability and governance provisions are also being considered as a model for a reformed Hong Kong regime.
In the EU, the law will require data controllers to implement technical and organizational measures that build in privacy by design and by default, and to conduct data-protection impact assessments where processing is likely to be high risk, among a basket of other new obligations. Hong Kong has no equivalent mandatory provisions. The privacy commissioner can only strongly recommend that businesses adopt a top-down approach to implementing privacy and accountability.
"We are considering if it would be appropriate to have a policy change in this area," Wong said.
Wong is expected to share the observations of his review at the International Conference of Data Protection and Privacy Commissioners hosted by Hong Kong next month. If he has recommendations to make to the government, they will follow shortly, he said.
"I'm trying to persuade organizations and enterprises that giving control of personal data back to individuals is good, not only to increase their trust, but also for business. They're starting to understand," he said.
As for Section 33 of Hong Kong's law, the provision regulating cross-border data transfers, which has been on the statute book since 1996 but has never been brought into operation and is now under review, the government has been wary of adopting measures that it says would stifle legitimate business operations or unfairly burden small and medium-sized enterprises. Implementation of Section 33 therefore continues to be deferred.
At this stage, it is unclear how businesses and the government would react to the raft of reform measures that might be recommended.
However, data-protection regimes are being tightened across the world. In future, the lack of an adequate data-protection regime could impede cross-border data flows and trade, placing Hong Kong businesses at a disadvantage compared with their global competitors.