Baker & McKenzie
Major Consultation Exercise for Hong Kong's Data Privacy Law

 
Introduction

The Personal Data (Privacy) Ordinance ("PDPO") has been in effect since the end of 1996. Since that time, it has not been amended and there have been no significant studies or consultation exercises concerning its use and impact in Hong Kong.

On 28 August 2009, the Hong Kong Government announced a major consultation exercise during which a wide range of issues will be considered and a number of proposals to amend the PDPO vetted. To this end, the Government has published the Consultation Document on Review of the Personal Data (Privacy) Ordinance (the "Consultation") to invite public views on the proposals. The Consultation is being conducted by the Constitutional and Mainland Affairs Bureau ("Bureau"), with the support of the Privacy Commissioner for Personal Data ("PCPD").

To help clients digest the proposals, we summarize the main points below.

Proposals

●    Sensitive personal data.  Unlike a number of other jurisdictions, Hong Kong does not require data users to treat "sensitive" personal data any differently than ordinary personal data. In other jurisdictions, "sensitive" data may include biometric data, health information and information pertaining to an individual's personal, philosophical or religious beliefs. The Consultation notes that there is not a consistent definition of "sensitive" across jurisdictions, and Hong Kong will need to consider this carefully in light of cultural issues.

The Consultation considers whether to subject sensitive personal data to more stringent protection and, if yes, how to do so. A new regulatory model is proposed which prohibits handling of sensitive data except in limited circumstances (e.g. where there is consent, in legal proceedings, for medical purposes, etc). The proposed regulatory model also considers whether criminal sanctions are appropriate for improper handling of sensitive data or whether the existing regulatory regime should simply be extended. The Consultation recognises that transitional provisions will be necessary if this proposal is taken forward.

●    Data security.  The PDPO does not presently regulate acts of an agent processing personal data ("data processor") for a data user nor does it contain any requirements for a data user to notify the PCPD following a data leakage incident. This chapter of the Consultation proposes ways to improve data security with respect to these issues.

Data Processors.  The Consultation considers whether additional obligations should be imposed on data users and/or whether obligations should be imposed directly on data processors.  Obligations on data users would include ensuring that a data processor keeps data secure, does not misuse data and deletes data when it is no longer required by it.  This would be indirect regulation of data processors.  In addition, a direct regulatory model is being considered where data processors themselves would be responsible for ensuring data is:

(a) only used for the purpose for which it was provided to them;
(b) secure and safeguarded; and
(c) erased once no longer required.

Data leakage notification.  The Consultation proposes a voluntary regime for notification of loss or leakage of personal data.  The voluntary notification mechanism would require a data user to notify the PCPD within five days of a breach and to consider whether individuals should be notified, taking into account the potential harm caused by the breach.

●    Enforcement powers of the PCPD.  The PCPD presently has powers to investigate suspected contraventions of the PDPO, issue enforcement notices and inspect personal data systems.  This chapter of the Consultation considers additional enforcement powers for the PCPD.

Criminal Investigation and Prosecution Power.  The PCPD's existing powers permit it to enter premises and summon witnesses for the purpose of gathering evidence.  However, the PCPD does not have the power to search for or seize evidence.  Further, while the PCPD has the power to issue enforcement notices, it does not have the power to conduct criminal investigations or to initiate criminal prosecutions.  Upon being provided with evidence by the PCPD, the Police conduct criminal investigations under the PDPO and prosecutions are initiated by the Department of Justice. The Consultation proposes that the PCPD be conferred with the power to investigate and prosecute offences, and to search for and seize evidence, to save time in referring matters to the Police.

Legal assistance to data subjects.  Data subjects who suffer damage by reason of a contravention of the PDPO are entitled to make a civil claim for compensation.  This right has seldom been invoked, possibly due to the costs of legal proceedings.  The Consultation proposes to amend the PDPO to grant the PCPD the discretion to provide legal assistance to aggrieved data subjects who intend to seek compensation in legal proceedings.

Power to award compensation to aggrieved data subject.  In light of the fact that individuals rarely make claims for civil compensation under the PDPO, the Consultation seeks views on an alternative proposal to empower the PCPD to determine the amount of compensation payable to an aggrieved data subject in order to avoid lengthy and costly legal proceedings.

●    Offences and sanctions.  Given recent highly publicised personal data leakage incidents, questions have been raised as to whether the existing sanctions provided for under the PDPO are adequate to achieve a deterrent effect. This chapter of the Consultation proposes amendments to the offences and increases to the sanctions. These include:

1. making it an offence to:

    (a) contravene a Data Protection Principle ("DPP");

    (b) repeatedly contravene a DPP by engaging in the same practice for which an enforcement notice has previously been issued; or

    (c) disclose, for profit or for malicious purposes, personal data obtained from a data user without consent;

2. imposing heavier penalties for continuing to use personal data for direct marketing activities where the data subject has previously "opted out" of such use of their personal data;

3. empowering the PCPD to impose monetary penalties for serious contraventions of the DPPs; and

4. imposing heavier penalties for second or subsequent convictions for contravening an enforcement notice.

Proposals for comments.  This section of the Consultation sets out a summary of the key proposals for comments. It also sets out a summary of the proposals which the Bureau does not plan to pursue, as well as minor technical and operational amendments.

Annex 1 – Other proposals

Annex 1 contains other proposals which will have a considerable impact on the community.  These include:

1. protecting disputed data from discovery in legal proceedings against the PCPD (i.e. against a decision of the PCPD that the data subject is not entitled to the data) where the data has come into the possession of the PCPD during an investigation;

2. permitting data users to refuse to comply with data access requests on the ground that disclosure would contravene other legislation;

3. prescribing maximum fees when complying with data access requests;

4. permitting the PCPD to issue an enforcement notice even where the unlawful activity has ceased and the data subject has suffered no damage or distress; and

5. exempting personal data from the provisions of DPP 3 (to enable the data to be used for a purpose other than the purpose for which it was collected) where disclosure of the data is necessary for effecting a merger, acquisition or transfer of business.

Annex 2 – Proposals not to be pursued

Annex 2 contains a number of proposals put forward in response to various incidents or complaints but which, following consideration, the Bureau is not inclined to pursue.  These include:

1. revising the direct marketing regime to make it an "opt in" regime and/or establishing do-not-call registers for person-to-person calls;

2. including IP addresses explicitly within the definition of "personal data";

3. amending the scope of the PDPO so that a data user may be exempt from the PDPO where the data user controls the processing of data in or from Hong Kong but all of the acts of the data processing cycle take place outside of Hong Kong;

4. creating a general exemption on the basis of public interest from the obligations in DPP 3 (restriction on use of personal data) and the obligations relating to data access (DPP 6 and section 18(1)(b)); and

5. creating a new exemption for data available in the public domain from the scope of DPP 3, which would allow data in the public domain to be used for any purpose.

There are also a number of proposals relating to the scope and content of the PCPD's power in investigations which will not be pursued by the Bureau.  The Bureau provides specific reasons for not pursuing each proposal, but as a general comment, it considers that there is not sufficient justification to extend the scope of the PDPO in the ways put forward by the rejected proposals.

Annex 3 – Miscellaneous proposed amendments

Annex 3 sets out a number of miscellaneous proposals which include operational and procedural amendments intended to benefit the operation and implementation of the PDPO. These include:

1. Amending statutory powers and functions of the PCPD, including relieving its duty to notify a complainant of the outcome of an investigation if the complainant withdraws his/her complaint, allowing the disclosure of certain information by the PCPD in the performance of its functions, immunity for the PCPD from personal liability, power to impose fees for educational and promotional services and the power to require information to verify a data user return.

2. Introducing new exemptions, such as for the use of personal data when required by law, by court order or for legal proceedings, for transferring of records containing personal data for government archival purposes, and for data users to refuse to comply with a data access request on the ground of self-incrimination.

3. Clarifying the application of the PDPO in certain circumstances, such as clarifying that the exemption for disclosure to avoid "crimes" applies to crimes both in and outside Hong Kong, expanding the definition of "relevant persons" (persons who can make data access requests on behalf of another) to include guardians of the mentally incapacitated, excluding social services and facilities offered by social workers from the requirements for direct marketing, exempting personal data held by a court or judicial officer from the application of the PDPO, extending the time to lay information for prosecution and extending DPP 4 regarding security to prevent loss of data.

4. Clarifying other operational matters, such as allowing the PCPD to serve an enforcement notice together with investigation results and permitting data users to list the job title of an individual who will receive data access requests, rather than the name of such person.

 