The Government is planning to put forward to LegCo major changes to strengthen the Personal Data (Privacy) Ordinance (PDPO). This article examines the implications of the Government’s main proposals – which were presented to the LegCo Panel on Constitutional Affairs in January – for Hong Kong businesses.
Significant increase in the Commissioner’s enforcement powers
Currently, the Commissioner, Ada Chung, who took up the post last month, cannot herself impose penalties for a contravention of the PDPO; only the Hong Kong courts can do so.
Moreover, for most contraventions the Commissioner cannot take a case directly to court and ask the court to impose a penalty. The Commissioner must first issue an “enforcement notice” directing the business concerned to alter its conduct. Only where an enforcement notice is breached can the Commissioner go to court seeking a penalty. The main exception is the PDPO’s restrictions on direct marketing, where the Commissioner can go to court directly if there is a contravention.
The Government is proposing amendments that would change both of these things:
- The Commissioner would be able to impose penalties herself, and would no longer need to ask the court to do so; and
- The Commissioner would no longer need to go through the intermediate step of issuing an enforcement notice, but could determine directly that there has been a contravention, which would in itself justify a penalty. Effectively, the business would not need to be given a chance to remedy the breach before a penalty was imposed.
Significant increase in penalties
Currently, the maximum penalties that can be imposed for a contravention of the PDPO rules are relatively modest by international standards. For most contraventions, the maximum penalty is HK$100,000, or imprisonment for up to two years (the penalties are higher for breach of the direct marketing rules).
The Government proposes to increase the maximum financial penalty. The amount of the increase has not yet been specified, but the Government has referred to the E.U.’s General Data Protection Regulation, where the maximum financial penalty is the equivalent of HK$178 million or 4% of global turnover, whichever is higher. That is vastly more than the current maximum, so it seems clear that a substantial increase in the maximum financial penalty is being considered.
Whether the Government will also propose an increase in the maximum term of imprisonment remains to be seen.
Mandatory notification of data security breaches
Currently, if there is a data security breach (essentially, a leak of personal data) the business has no obligation to notify either the individual or individuals concerned, or the Commissioner. Under the Government’s proposals, notification to both would be required, if there is a “real risk of significant harm” to the individuals concerned.
Mandatory data retention policy
One of the data protection principles in the PDPO is that personal data, whether it concerns customers or employees, should be retained no longer than is necessary for the purpose for which it was acquired. Although it is good compliance practice for businesses to have in place a policy for the retention of personal data, including maximum periods for retention, this is not currently a legal requirement. The Government proposes to change this position and make it mandatory for businesses to have in place, and make available to the public, a data retention policy, including maximum periods for retention.
Direct Liability of Third Party Data Processors
Businesses that acquire personal data (data users) may often wish to share that data with, or transfer it to, third parties. For example, this may be for the purpose of conducting a joint marketing programme with the third party, or entrusting the third party with storage of its customers’ personal data. In the language of the PDPO, these third parties are called “data processors.”
Currently, if there is a breach of the PDPO, responsibility for the breach falls exclusively on the data user, even if the fault lies with the data processor. Under the Government’s proposal, the data processor could be held directly liable for a breach which it caused, instead of (or in addition to) the data user. Data processors will therefore have a greater incentive than at present to ensure the protection of personal data.
If the Government’s proposals are endorsed by LegCo, this will mean a significant strengthening of the PDPO, and will greatly increase the risks of non-compliance. It will be even more important than previously for businesses to have in place a proper data privacy compliance programme. The full details of the Government’s proposed legislation have not yet been finalised or published, but businesses would be well advised to monitor the development of the legislation, and take any appropriate compliance steps.