IT voice Response to PDPO Review (II) – On the Consultation

We had set the stage in the previous article, explaining the the foundation of our opinion.
Now we go to the subject matter of our response in more detail. If you have any comment we welcome that very much.


1. Give the Privacy Commission material power to enforce

* The PCPD presently has powers to investigate suspected contraventions of the PDPO, issue enforcement notices and inspect personal data systems.  However, the current PCPO has very a limited power. Non-compliance with the six data protection principles is not a criminal offence.
* The Privacy Commissioner (PC) can only server an enforcement notice to the party concerned. Furthermore, the serve further requires the PC believing that the concerned party will repeatedly abuse. The Octopus leakage case has exposed the weakness of the current legislation. Serious breach did occur but PCO could not serve an enforcement notice because it was not established that Octopus would repeat the abuse.
* We propose the ordinance be amended to waive the requirement of belief of a repeated abuse for issue of enforcement notice.
* We support a heavier sanction for data users who repeatedly contravene an enforcement notice.

2. Regulation of Data Users and Data Processors

* The government proposal proposed to strengthen the contractual terms between data users and data processors. We consider this approach is insufficient and cannot respond to the abundant breach incidents, many of which were proved to be related to outsourcing or sub-contracting.
* Taking information security and privacy management as a holistic approach, we agree that data processors and sub-contractors of data processing should be accountable as data users when they are processing personal data.
* We agree that specific obligations should be imposed on the data users by requiring them to take specific security measures when contracting out the processing of personal data to third parties.
* At the same time, the scope of inclusion should be clearly defined and restricted to penalize only negligent parties but not ignorant parties. There are cases where service providers have no knowledge of whether they are holding personal data. Just take some examples,
a. data processors of test data who are not informed that test data given by careless data users are real personal data
b. Internet service providers and online service provides who are only providing conduits or platforms for data communication and storage do not know the nature of data passing through the conduits or stored in the platform
c. Web hosting service providers who are only providing storage and application for clients to host data do not have knowledge of the type of data stored on the servers
* Some overseas legislation put data processors under same responsibility as data users in regulation. If Hong Kong possesses a legislative regime including data processors, we are in a more competitive position in acting as a global service hub. However, before we can take on this advantage, we should have a good way to differentiate the “should be regulated” population” from the “innocent population”. We are disappointed that the Government proposal had not made a good discussion on this area and would alert that it may not be a mature occasion to put forth a widespread direct regulation. Furthermore it will impact the fundamental principle “free flow of information”.
* We propose the government considering indirect regulation as an intermediate measure. Data users must establish with data processor the responsibility to ensure data is:
(a) only used for the purpose for which it was provided to them;
(b) secure and safeguarded; and
(c) erased once no longer required.
* We, of course, would be very open to direct regulation if a clear and granular definition can be made.

3. Data Breach Notification should be Mandatory

* We maintain that the right to be informed of personal data breach is a human right. The notification is essential to the victim to take proper mitigation measures.
* The current government proposal suggests a Voluntary Notification Scheme. Such scheme only puts those corporations who practice disclosure in disadvantageous position in the market. With such negative incentive, the scheme is destined to failure.
* The ultimate solution should be mandatory data breach notification.
* The Government should set up a time table to implement mandatory data breach notification by phases. The implementation should start with Government regulated sectors (e.g. financial institutions, hospitals, telecommunication) while general business start with voluntary regime. In say, 3 to 5 year time, the law should cover all businesses. This approach is a balance between the need to protect individuals’ privacy right and to calm down the worries of the business on the uncertainties of the disclosure
* The Government proposal lacks the detail of reporting requirement, for example, how to prevent unreasonable delay of notification, format and manner of notification to make it user friendly.

4. Regulation of personal data cross the border

* Currently PDPO has not enacted Section 33 to order data user to take all reasonable precautions and to exercise all due diligence to ensure that the personal data will not be collected, held, processed or used in a place outside Hong Kong in any manner which, if that place were Hong Kong, would be a contravention of a requirement under the Ordinance.
* The Council of Europe’s 1981 Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data[1] and the Organization for Economic Cooperation and Development (OECD) Guidelines Governing the Protection of Privacy and Trans-border Data Flows of Personal Data[2] set out specific rules covering the handling of electronic data across the border.
* The PDPC had informal discussions with the EU over the question of the adequacy of data protection under the EU Data Protection Directive, but has not received a formal reply. Hong Kong will likely not be deemed adequate before the enactment of Section 33 of the Ordinance.[3]
* Many countries, especially in Asia, have developed or are currently developing laws in an effort to promote electronic commerce. These countries recognize that consumers are uneasy with the increased availability of their personal data, particularly with new means of identification and forms of transactions. These countries recognize consumers are uneasy with their personal information being sent worldwide. Privacy laws are being introduced as part of a package of laws intended to facilitate electronic commerce by setting up uniform rules. Rise of off-shore data repository, e.g. cloud computing, software-as-a-service makes regulation of trans-border data flow of personal data more essential than before.
* Many countries are adopting new laws or updating older laws based on the Council of Europe Convention No. 108 and the EU Data Protection Directive in order to ensure that trade will not be affected by the requirements of the European Union Directive.
* The Madrid Privacy Declaration[4] urges countries that have not ratified Council of Europe Convention 108 together with the Protocol of 2001 to do so as expeditiously as possible;
* We are of the view that our PDPO should be compared against international standard. PDPO should enact Section 33, to comply with the EU requirement and OECD guideline. The compliance is vital for Hong Kong to stay competitive and allow outsourcing business to capture the international market.

5. Unauthorized Obtaining, Disclosure and Sale of Personal Data

* We support to make it an offence if a person obtains personal data without the consent of the data user and discloses the personal data so obtained for profits or malicious purposes.
* We remind that there are precedence of personal data transfer to third party via data users’ manipulated minor text of terms and conditions. The law must make it clear that transfer of personal data to third party must inform data subject in clear text and the scope of use of personal data must not exceed the scope of use by data user, or else explicit agreement must be made.

6. Regulation of Direct Marketing

* The legislation should mandate that data users or their representative have legal obligation to disclose the source of personal data as requested by data subjects. The PDPO should provide more user education to inform the public they have such right.
* We support raising the penalty level for misuse of personal data in direct marketing.

7. Set up Personal Data Breaches Database

* The PDPC should implement the privacy data breach database immediately. It was a plan never realized since year 2000. The PDPC and the Government should be blamed for their failure. The database provides useful information for general public on the profile of privacy protection profile of organizations, statistics and trend analysis and eventually for data privacy awareness education. PDPC should set herself as a model to encourage individual organizations to maintain their own corporate privacy data breach database.

8. Training and Awareness Education is most effective preventive measures

* We regarded preventive measures like training and awareness education a critical success factor for PDPO. Taking good experience of EOC and ICAC, Government should provide sufficient funding to PDPO to expand their reach the corporations, schools and the community.


[1] ETS No. 108, Strasbourg, 1981
[2] OECD, Guidelines Governing the Protection of Privacy and Trans-border Data Flows of Personal
Data" (1981)
[4] Article 2,[347]=x-347-565563

Comments are closed.