The European Union adopted the General Data Protection Regulation (GDPR) with much fanfare on 25 May 2018. The GDPR applies, not just in the 28 (until Brexit) E.U. member states, but also to Hong Kong-based companies that: 

• have an “establishment” (e.g. an office) in the E.U.; or 
• process the personal data of individuals within the E.U. for the purpose of offering goods or services to them (whether or not for payment) or monitoring their behaviour, e.g. via targeted advertising, credit card transaction processing or location tracking via mobile applications or devices.

Many Hong Kong-based companies and other organizations such as universities may therefore be caught by the GDPR rules without being aware of it. The mere fact that such businesses are not physically located in the E.U. would not prevent E.U. regulators from imposing penalties on them if they should infringe those rules.

In fact, Article 27 of the GDPR requires organizations located outside the E.U. that nevertheless fall within its rules in one of the two ways set out above to have a representative (which can be an external advisor such as a lawyer) inside the E.U. to act as the contact point with local enforcement agencies and customers.

The GDPR is therefore highly relevant for Hong Kong businesses. In the lead-up to the new regulation, many had noted its provisions for eye-watering fines of up to  20 million euro (HK$175 million) or 4% of global group turnover, whichever is higher.

Data protection, it was said, would progress from being the preserve of geeks in the IT department to a major board issue.

This conviction was strengthened by fears on the part of many commentators about the rise of “big data” and its scope both for intrusion into the personal lives of individuals and manipulation of the political process. This fear was seemingly confirmed by various scandals involving the use of data analytics by the “Leave” campaign during the Brexit referendum in the United Kingdom.

Since then, in the U.K. at least, the reality initially failed to live up to the hype. The Office of the Information Commissioner (ICO) did not impose a major fine on any organization for a breach of the GDPR in the year following its entry into force.

There may have been several reasons for this – including the somewhat embarrassing one that many of the worst offenders are public sector bodies, such as local authorities, hospitals and the police. Nevertheless, in these days of austerity in the U.K., it would not be surprising if the ICO were reluctant to increase the financial strain on public bodies by imposing significant fines on them.

Another reason for the apparent lack of activity may be a more admirable one of ensuring that the legal rights of organizations to put forward a defence are respected. Investigations under data protection law take time to complete, so the cases being reported in the year following the introduction of the GDPR actually related to breaches committed under the previous data protection regime, where the maximum fine was only GBP 500,000 (less than HK$5 million).

However, any feeling of anti-climax must surely have been banished with the announcement by the ICO on 8 July that it intends to fine British Airways (BA) a massive GBP 183.38 million (HK$1.788 billion) for an alleged breach of the GDPR. A day later, the ICO followed up by announcing that it intends to fine the hotels group Marriott International GBP 99 million (HK$965 million).

The proposed fine on BA relates to a breach of security that came to light in September 2018 and which appears to have involved the diversion of user traffic from the BA website to a site run by fraudsters.

The hackers are said to have “harvested” the personal details of approximately 500,000 customers, including their name and address, travel plans and, most worryingly, credit card details. The security breach is believed to have begun in June 2018.

Although the ICO’s statement does not specifically identify the breach of the GDPR allegedly committed by BA, it seems likely to have involved a breach of the requirement set out in Article 5(1)(f) of the GDPR to process personal data “in a manner that ensures appropriate security of the personal data, including protection against unauthorised processing and accidental loss, destruction or damage, using appropriate technical and organisational measures”. 

Commenting on the case, U.K. Information Commissioner Elizabeth Denham said:

“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

The proposed fine on Marriott is also for an alleged cyber attack, which is said to have resulted in the credit card details of 500 million customers worldwide being compromised. In this case, the fault seems not even to have been Marriott’s but that of a company, Starwood Hotels, that it acquired after the attack had occurred. This underlines the need for companies considering an acquisition to carry out thorough due diligence on the intended target.

According to the GDPR provision for penalties, the maximum fine on BA could potentially have been well over GBP 450 million (HK$4.38 billion). The proposed fine amounts to “only” 1.7% of BA’s global revenues in the relevant year, so arguably, it is being treated leniently. Marriott may similarly also consider itself “fortunate.”

This may be because both companies: (i) cooperated with the ICO investigation; (ii) have subsequently made improvements to their cyber security arrangements; and (iii) self-reported the breach to the ICO, as required by Article 32 of the GDPR. Had these three factors not applied, the proposed fines could well have been even larger.

It should be borne in mind that the ICO has not yet reached its final decision in either of these cases and both BA and Marriott will have the opportunity to make representations to the ICO as to the proposed findings and sanctions. The data protection authorities of other countries will also have the opportunity to make their views known.

Hong Kong residents may note that these cases bear similarities to the data leak reported by Cathay Pacific in October 2018, which is said to have involved the loss of personal data relating to over 9.4 million passengers.

Public statements relating to the Cathay case suggest that it has been in dialogue with data protection regulators within the E.U. as to whether that leak is caught by the GDPR. It may be that, because it apparently first occurred in March 2018 (i.e. before the entry into force of the GDPR), Cathay has avoided BA’s fate. If so, it may consider itself very fortunate indeed.

Nevertheless, according to the ICO’s Annual Report for 2018-2019, published on 8 July, this case remains under investigation – so Cathay may not be out of the woods just yet.

Not surprisingly, media reports suggest that Cathay is now investing heavily in improved cyber security and has appointed a Data Protection Officer to oversee compliance with the GDPR and other data protection rules, including the Hong Kong Personal Data (Privacy) Ordinance.

However, regulatory fines are not the only consequence of data protection breaches.

Customers that have suffered loss, for example through fraudulent use of leaked credit card details, have a right to sue the company responsible for damages. The combined cost of class litigation actions on behalf of such customers can equal, or even exceed, the value of regulatory fines.

And of course, the reputational loss – as customers consider whether to entrust their precious personal details to organizations found to have fallen short in the past – can be even greater.

All in all then, compliance with data protection laws must take centre stage for businesses in Hong Kong as elsewhere, and organizations need to actively manage their relationships with all key stakeholder groups, including regulators, staff and customers.

For non-E.U. based organizations, including those in Hong Kong, awareness-raising among management and staff should be the starting point. Those organisations operating within the E.U. or engaging with E.U.-based customers should bear in mind the requirement to appoint a local representative in particular.