In January 2020, the Hong Kong Constitutional and Mainland Affairs Bureau had published a discussion paper concerning the review of the Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”) (“Review Paper”). However, after a little over one year since the publication of the Review Paper, the proposed amendments have yet to be implemented as law. In this article, we will take a look at the current status of the proposed amendments and what businesses should expect.
According to the latest documents published by the Legislative Council Panel on Constitutional Affairs on 18 January 2021, there remains no official timeline or news on the implementation of the proposed amendments discussed in the Review Paper. However, the Privacy Commissioner has indicated that she is working closely with the Hong Kong Government in proposing legislative amendments to the PDPO. (See below for a summary of the proposed amendments.)
While the proposed amendments are being mulled over, there has been a specific trend towards criminalising doxxing behaviours in Hong Kong. Doxxing is where a person specifically targets another person or group by finding personal data of that person or group and publishing it. For instance, there have been at least four (4) reported cases where individuals were handed imprisonment sentences for violating the injunction order granted by the High Court in 2019 which restrains, among others, persons from disclosing, without the consent from the relevant data subjects, personal data of police officers and/or their family members, intended or which is likely to intimidate or harass, police officers and/or their family members.
Pending the implementation of the proposed amendments, there is also a growing reliance by the authorities on the existing section 64(2) of the PDPO as a measure for prohibiting doxxing behaviours. Section 64(2) of the PDPO makes it an offence for any person to disclose any personal data of a data subject obtained without consent which causes psychological harm to the data subject. There have been recent cases where section 64(2) had been invoked by the prosecution against individuals who obtained personal data of family members of police officers for doxxing purposes.
6 PROPOSED AMENDMENTS TO THE PDPO
(1) Mandatory data breach notification
Mandatory data breach notification will be introduced: the proposed threshold is if the breaches may have “a real risk of significant harm” and notification must be completed within a specified timeframe (e.g. as soon as practicable but not more than 5 business days).
(2) Data retention period
Express requirement on data users to specifically set out the retention periods for separate categories of personal data so that data subjects are clearly informed of the details of the retention policy.
(3) Sanctioning powers
To broaden the Privacy Commissioner’s power by enabling administrative fines (linked to the annual turnover of the data user concerned) to be directly imposed based on breaches of the requirements under the PDPO.
(4) Regulation of data processors
To directly regulate data processors under the PDPO e.g. in relation to data retention and security requirements, or notification requirements to the Privacy Commissioner.
(5) Definition of personal data
To widen the definition to include “identifiable” person instead, given the current wide use of tracking and data analytics technology.
(6) Doxxing regulations
To introduce, among others, doxxing specific provisions and to empower the Privacy Commissioner to request the removal of doxxing contents from social media platforms or websites and to carry out investigations and prosecutions.
Given the number of jurisdictions being referenced in the process, it is likely that we may not see the proposed amendments being implemented before the end of the current legislative council term (i.e. July 2021). This also means that if the proposed amendments are to be implemented in the next legislative council term, this will likely happen next year at the earliest.
Section 33 of the PDPO specifically regulates the cross-border transfer of personal data from within Hong Kong to outside of Hong Kong. However, section 33 have not been in force since the introduction of the PDPO in 1996. While there have been recent discussions on this and the Privacy Commissioner has in the past commissioned consultancy studies on bringing section 33 into force, it remains unclear when the particular statutory provision will be brought into force.
Recent global developments would likely have an impact on how section 33 (which was drafted a quarter of a century ago!) would be implemented. For instance, development pursuant to Schrems II such as the draft standard contractual clauses from the European Commission (which seeks to introduce processor-processor and processor-controller clauses) and the European Data Protection Board’s recommended supplemental measures for international transfers may be relevant, particularly where the PDPO proposed amendments also contemplate direct regulation of data processors. In light of Brexit, the recent draft EU UK adequacy decision may also be relevant when considering the countries to be whitelisted if and when section 33 is implemented.