
Policy Statement & Submission

2009/11/27

Consultation on Review of the Personal Data (Privacy) Ordinance

Comments by the Hong Kong General Chamber of Commerce


1. Guiding Principles

It is important that the Review of the Personal Data (Privacy) Ordinance (PDPO) be guided by the principles listed in the Consultation Document (para 1.06), especially with respect to adequately protecting personal data privacy, and at the same time protecting other interests. Hong Kong's competitiveness, the development of information and communications technologies, and business operations will be adversely affected if an onerous burden and excessive restrictions are imposed on businesses that collect and use customer data.

As a matter of principle, the Government should refrain from adding extra compliance costs on businesses, unless the benefits clearly outweigh the burden. This is particularly important at this time as many companies are still struggling to cope with a difficult economic environment. On the whole, the PDPO has served Hong Kong well. As such, any amendment should only be introduced if there is strong justification for doing so.

A substantial section of the review is dedicated to examining whether the Privacy Commissioner for Personal Data (PCPD) should be given new powers to prosecute and impose penalties, in addition to making certain actions offences. We advise extreme caution on both matters. Expansion of government powers, in addition to the creation of new offences often results in imposing new limits on civil liberties. Consequently, these should only be considered if their need is widely agreed and deemed necessary. Any new offence created under the PDPO will invariably impact the free flow of information. We present our detailed comments addressing this proposal below, but emphasize that the Government should always adopt a prudent approach in contemplating new offences and new powers that may restrict the flow of information. Upholding civil liberties should be a guiding principle in the review.

As noted in the Information Paper on Review of the PDPO, it is recognized internationally that ensuring proper conduct and attitude in the use and protection of personal data privacy is best achieved through regulation and education rather than criminal sanctions. The preference for education over criminal sanctions should therefore be another guiding principle in the review.

We also do not believe that entrusting prosecution and penalizing powers to the Office of the PCPD is warranted. Nor will increasing the powers of the Office of the PCPD solve all the major problems relating to personal data protection in Hong Kong. The present division of labour between the PCPD and the Police has proven to work well. We cannot see any compelling reason for transferring prosecution powers from the Police to the PCPD. It is also doubtful whether the public would have greater trust in the PCPD than in the Police when it comes to criminal investigation and prosecution. Moreover, recent judicial precedents in Hong Kong have reaffirmed the constitutional principle that the power to determine criminal liability rests with the courts. We therefore cannot see any justification or possibility for transferring to the PCPD the power to penalize data users who violate the PDPO.

2. Specific Comments on “Key Proposals”

Proposal No. 1: Sensitive Personal Data
In seeking to afford more protection to data subjects, we should tread carefully in attempting to define what constitutes sensitive personal data. As mentioned in the consultation document, the perception of sensitive personal data is culture-bound and there is no universal agreement on what constitutes sensitive personal data.

The option of classifying biometric data as sensitive personal data may not be the best first step to take towards enhancing protection for data subjects. Technologies are evolving very quickly and it is not easy to define the boundaries of biometric data. An over-generalized definition of biometric data will frustrate or even inhibit innovative applications of biometric technologies in business operations. There have been instances in which technology firms disagreed with the view of the PCPD on whether the use of certain finger feature recognition systems amounted to collecting fingerprints, hence constituting excessive collection of personal data. As a first step, the Government should seek to gain a clearer understanding about the technological and business landscape to avoid making hasty decisions on bringing in additional regulations.

The collection of biometric data, such as fingerprints, iris characteristics and hand contours is not widespread in Hong Kong. By and large, the proposed additional requirements for the handling of sensitive personal data have already been embedded in the PDPO. There is no urgency to introduce new regulations on biometric data and any proposed changes should be the subject of a separate consultation, with full technological and legal analysis to assist stakeholders' discussions.

Although health-related information is not a subject of this consultation, there are concerns in the business community that more regulations may be imposed in the future on collecting information on employees' health. It is necessary for some businesses to ensure that their employees are in good health in order to protect their customers and the wider public. The processing of health information in the recruitment and ongoing staff management process is therefore a necessary procedure. A High Court decision in 2008 also upheld that a company did not breach the PDPO when it required employees to submit medical records for managing attendance and sick leave. The PDPO has prescribed clear principles on the collection and processing of personal data, and we do not see a strong case for adding extra requirements by classifying health information as sensitive personal data, even if the latter is to become a new category under the PDPO.

Proposal No. 2: Regulation of Data Processors and Sub-contracting Activities
If greater regulation on data processors as subcontractors is needed, we are of the view that the Government should consider imposing specific duties and obligations directly on data processors.

Data subjects expect the same protection of their personal data irrespective of whether their data is held and handled by the primary data user or its processing agent. The law, therefore, should not distinguish between data users and outsourced data processors, and all should be required to comply with the same privacy principles. Imposing direct legal obligations on data processors will be far more effective than relying on data users to impose obligations on their subcontractors through contractual measures. It would be an onerous requirement for primary data users to proactively and continuously monitor the operations of their subcontractors in order to ensure compliance, as it is not uncommon that there are further subcontracting activities along the supply chain.

We appreciate that the Government recognises the potential impact of direct regulation on the fast-evolving Internet-related businesses and the need to avoid inhibiting new services and frustrating the free flow of information on the Internet. In view of the need to maintain flexibility for Internet-related businesses, para 4.19 of the Consultation Document has suggested that as long as Internet-related businesses have adopted a privacy policy, the obligations under a direct regulation regime should be construed as a requirement to honour the relevant policy terms. While the Chamber supports the broad direction of allowing sufficient flexibility under a direct regulation regime, doubts remain as to which businesses would be classified as “Internet-related.” Further clarification is needed.

Proposal No. 3: Personal Data Security Breach Notification
Introducing a security breach notification system would impose considerable compliance burdens on businesses. As mentioned in the Consultation Document, the impact of a mandatory privacy breach notification on businesses should not be underestimated. Voluntary guidelines, on the other hand, would also in effect become mandatory, because businesses would be obliged to join the system to avoid the adverse reputational effects of not signing up. In practice, many companies would promptly take pre-emptive action in the case of a major security breach by notifying data subjects in order to protect their reputation. Reputational pressure has already achieved the effect of driving corporations to behave responsibly. Therefore, we believe there is no urgent need for further guidelines or mandatory requirements.

Prescribing in detail the timing, form, means and contents of breach notifications would be unnecessarily restrictive. It would also be costly for the authorities to monitor and enforce the compliance of the detailed notification requirements.

Proposal No. 4: Granting Criminal Investigation Power to the PCPD
Under the present system, the Police conduct criminal investigations into breaches of the PDPO. As mentioned in the Consultation Document, the present system has been working smoothly and there is no strong case for change.

The PCPD performs two main functions: enforcing the PDPO and helping data users to comply with the PDPO. Giving the PCPD the power to prosecute will confuse the PCPD's important role as an enabler of data protection. If the PCPD has the power to prosecute, it will also have the adverse effect of making data users wary of seeking assistance from the PCPD.

It has been suggested that the powers of prosecution should be transferred to the PCPD in order to avoid conflicts of interests in case the Police or a Government department is the data user involved in an alleged infringement of the PDPO. We do not agree with this line of argument. The Police Force is organized in such a way that investigation can be conducted properly and impartially, even when a case involves its own officers or other government employees, and that any complaints on alleged partiality will be dealt with according to set procedures.

Proposal No. 5: Legal Assistance to Data Subjects
The PDPO does not empower the PCPD to provide assistance to aggrieved data subjects in respect of civil claims proceedings. Comparison has been made with the Equal Opportunities Commission (EOC) which is empowered by the relevant legislation to assist individuals who want to pursue compensation through legal proceedings. But we do not agree that it is appropriate to compare the PDPO regime with that of the EOC's as they address issues of a very different nature. The use of public funds to assist individuals in pursuing civil claims could only be justified with a strong case, and there has been no strong call in the community for public assistance to aggrieved data subjects, probably because in most cases of security breaches, the damages were not substantial.

Proposal No. 6: Awarding Compensation to Aggrieved Data Subjects, and
Proposal No. 10: Imposing Monetary Penalty on Serious Contravention of Data Protection Principle

The two proposals touch on the PCPD's powers in respect of determining civil and criminal liability, and awarding compensation to aggrieved data subjects or imposing monetary penalty on serious contravention of DPPs. They also engage the fundamental principle of separation of powers enshrined in the Basic Law.

We are of the view that, as first recommended in the Law Reform Commission Report in 1994, it is more appropriate for the courts, not the PCPD, to determine compensation. Combining the enforcement and punitive functions of the PCPD is not desirable.

On the other hand, it has been settled in the Court of Final Appeal judgment in Koon Wing Yee that under the doctrine of separation of powers in the Basic Law, only the courts can determine criminal liability. Empowering the PCPD to impose a monetary penalty on serious contravention of DPPs would amount to determining criminal liability by a non-judicial body. And as noted in the Consultation Document, the generic nature of the DPPs also gives rise to questions on whether it is appropriate to empower the PCPD to apply fixed penalties on the contravention of DPPs (also see comments on Proposal No. 7 below).

Proposal No. 7: Making Contravention of a Data Protection Principle an Offence
We do not support Proposal No. 7. The Consultation Document has clearly, and rightly, pointed out that the Data Protection Principles (DPP) are couched in generic terms which can be subject to a wide range of interpretations. To make contravention of a DPP an offence would have a significant impact on civil liberties if an inadvertent act or omission could attract criminal liability.

The Consultation Document goes on to suggest a “selective approach” by singling out particular acts or practices as offences, having regard to the severity of such contravening acts or practices. We do not object to this approach as certain activities have already been singled out as offences under current legislation. But we would caution that because every new offence represents a restriction of civil liberties and expansion of government power, criminalization should only be considered when the contravening acts are indisputably serious, and that criminalization is the only and most effective means of tackling the problem.

We do not support the suggestion of introducing a monetary penalty for “failure to comply with the DPPs but limited to breaches that are avoidable and that give rise to a serious data protection risk” (Para 7.4, PCPD's Information Paper on Review of the PDPO), for the same reasons as those stated in our objection to Proposals No. 6 and 10. The courts, not the PCPD, should impose fines according to the established constitutional principles in the Basic Law.

Proposal No.8: Unauthorized Obtaining, Disclosure and Sale of Personal Data
While we have no objection to this proposal in principle, the Government should look into two issues.

First, it should examine other existing legislation that tackles this issue. One such example is the offences under the Crimes Ordinance related to gaining access to a computer with criminal or dishonest intent. Amendments to the PDPO should only be made for closing loopholes under existing legislation. Amending the PDPO to tackle a problem that is adequately covered by other legislation is a waste of public resources and will create confusion.

Secondly, it is important to ensure that criminal liability will not be imposed on employers or organizations for unauthorized handling of personal data by their employees. A defence should be provided for employers where they have taken reasonable steps to prevent contravention by their staff.

Proposal No. 12: Raising Penalty for Misuse of Personal Data in Direct Marketing
In determining the appropriate penalty for misuse of personal data, the Government should carefully consider how much higher a penalty would need to be set in order to serve as a sufficient deterrent. While a maximum penalty of $10,000 may not be an effective deterrent for large companies, a heavier penalty might disadvantage SMEs while still being insufficient to deter larger enterprises.

Another crucial question, as noted in the Consultation Document, is whether such calls bring serious and material damages to data subjects. Unsolicited marketing calls can be a nuisance, but the material damage may not be substantial. Imposing a heavy fine would therefore be disproportionate.

Last, but not least, if a draconian regime is imposed on direct marketing calls, this could lead to companies scaling down related business activities, which would result in some people losing their jobs.

Unless the Government can effectively address the above issues, the Chamber does not support raising the penalty.

Direct marketing calls are also regulated by the Office of the Telecommunications Authority (OFTA). We notice that a recent OFTA survey has found that although many people found such calls a nuisance, 13% of respondents said they had benefitted from the calls, and 21% said they had made a transaction as a result of the call. The Government has suggested that nuisance calls should be reduced by voluntary measures, such as a code of practice for major sectors that make frequent use of direct marketing calls. We agree that a voluntary code of conduct is an appropriate measure for the next step.

3. Specific Comments on “Other Proposals” in Annex 1

We wish to comment on a few “other proposals” discussed in Annex 1 of the Consultation Document.

Proposal 13: Third Party to Give Prescribed Consent to Change of Use of Personal Data
While we support the proposal to permit a person to give consent on behalf of a data subject to the change of use of the latter's personal data, we are of the view that “third party” should be strictly defined according to the definition of “relevant persons” in Section 2(1) of the PDPO, as follows:

- Where the individual is a minor, a person who has parental responsibility for the minor;
- Where the individual is incapable of managing his own affairs, a person who has been appointed by a court or otherwise has the legal authority to manage his affairs.

We do not consider it appropriate to expand the definition of “relevant person” as it would be difficult for businesses as data users to verify the identities of a wide variety of third parties.

Proposal 18: Fee Charging for Handling Data Access Requests
We do not consider it appropriate that a maximum fee to access data be set. Presently, data users charge a fee based on their own operating costs, which vary from one data user to another. This also provides a deterrent against frivolous, excessive and irresponsible requests. Setting an across-the-board maximum fee will remove this flexibility of the PDPO and impose additional burdens on businesses. There is already a safeguard in the PDPO against excessive fees for accessing data: the PCPD may take action should the fee be deemed to infringe upon DPP 6.


- End -
