IT Voice Response to PDPO Review (I): Taking Personal Data Breach Seriously

The Octopus Card System personal data privacy incident in July 2010 aroused public concern over the fallacy of personal data privacy protection under the current legislation. The recent public consultation on the legislative proposal of the Personal Data (Privacy) Ordinance review was expected to receive more feedback than the previous consultation in 2009.

IT Voice has been following this issue and submitted a response paper during the 2009 review.

In 2010, the Government published a legislative proposal to follow up the review in 2009. IT Voice again submitted our opinions from the perspective of the public interest and of IT professionals. The opinion paper has two parts. In part I we restate the foundation of our opinion.


1. Data breach has become a “norm” in Hong Kong. Not only are corporations leaking personal data of their staff or customers, the case of the Octopus leakage showcased an organized trade of personal data among service providers.

2. These breaches have aroused extreme concern among citizens about the privacy of their personal data, and about the damage or risk of damage caused by the leakages. Citizens have also lost confidence in public institutions and enterprises to protect their personal data.

3. The reputation of Hong Kong as a safe and friendly trading hub and financial centre is largely damaged by these incidents.

4. The Octopus leakage case has exposed the insufficiency of current legislation in requiring service providers to inform affected victims, and in empowering the Privacy Commission to prosecute abusing parties.

5. With the rise of mobile computing, social network services and cloud computing paradigms, more and more data are put on publicly accessible infrastructure scattered globally and managed by third-party service providers. The threat of data breach is increasing and the sufficiency of the privacy law is subject to more vigorous challenge.

6. Developed economies are developing more advanced privacy laws to protect personal privacy and extending the coverage to the transfer of data across borders. These reforms are for the protection of privacy as a human right as well as for securing the economies’ status as privacy-safe places for cross-border businesses.

7. IT Voice recognizes the importance of balancing business interests and individuals’ rights. When dealing with the context of personal data privacy in Hong Kong, we also take into account the weaker consumer community as compared to the businesses and the lack of class action in litigation. When we make our comments on the review, we keep in mind the proper balance of power and we take the common good of the citizens as the highest priority.

8. The enactment of the PDPO 15 years ago was a monument to Hong Kong's standing as a world leader in the protection of personal data privacy. It has contributed to making Hong Kong a free and safe confluence of information and business. We need not only continuous improvement and a response to recent data breach incidents, but also a future vision that allows Hong Kong to withstand technological changes and global competition in the coming decade.
