6 June, 2018
Hong Kong’s Privacy Commissioner for Personal Data (PCPD) recently issued a booklet addressing the potential impact of the European Union’s (EU) General Data Protection Regulation 2016 (GDPR) on Hong Kong (HK) businesses. Coming into force on 25 May 2018, the GDPR replaces the 1995 EU Data Protection Directive and introduces a single set of data protection rules applicable to all EU member states, as well as any businesses that collect or process the personal data of any EU resident. HK businesses will need to comply with the GDPR if they:
- Have an establishment in the EU where personal data are processed; or
- Offer goods or services to, or monitor the behaviour of, any individuals who reside in the EU
Since HK’s Personal Data Privacy Ordinance (Cap. 486) (PDPO) is largely influenced by the now superseded 1995 EU Data Protection Directive, it is useful to note the differences between the PDPO and the GDPR. We highlight the more significant differences as follows:
1 – Right to object: the GDPR gives all persons the right to object, at any time, to the processing of their personal data (including profiling[1]) unless the ‘data controller’ (a term defined under article 4 of the GDPR to mean the individual, agency, authority, or other body that “determines the purposes and means” of data processing) can demonstrate compelling, legitimate grounds[2] to do so.
Under the PDPO, a data controller has to take all practicable steps to inform an individual, on or before collecting his/her personal data, of the purposes for which such data will be used. Once an individual provides his/her personal data, such individual may request that their data be deleted but cannot object to the way their data are processed unless the data will be used in relation to direct marketing (whereby data controllers must provide notification to, and obtain consent from, an individual before using his/her data for direct marketing purposes)[3].
2 – Stricter accountability: in contrast to its predecessor legislation, the GDPR explicitly incorporates the principle of accountability (various obligations organisations must follow in order to demonstrate data protection compliance) under article 5(2). Organisations are obliged to: (i) maintain certain documentation in relation to data processing activities; (ii) conduct a data protection impact assessment prior to engaging in higher risk data processing; and (iii) implement data protection by design and by default (e.g. data collected and processed should not be held or further used unless essential for reasons clearly stated in advance).
The PDPO does not explicitly proffer any accountability principle nor related privacy management tools. Rather, the PCPD encourages the adoption of a Privacy Management Programme (PMP)[4] that embraces the notion of accountability as a foundation for promoting data privacy compliance. The PMP lists out a series of best practices for organisations to follow to build their privacy infrastructure.
3 – Data protection officer: the GDPR mandates the appointment of a data protection officer under certain situations, namely[5]:
- Where an organisation is a public authority or body;
- Where an organisation’s core activities involve regular and systematic monitoring of data subjects on a large scale[6]; or
- Where an organisation’s core activities involve large scale processing of special data categories (e.g. sensitive personal data such as health records, or data relating to criminal convictions or offenses).
Data protection officers must have sufficient expert knowledge (commensurate with the processing activities for which he/she is responsible), oversee compliance with data protection laws and regulations, and face Data Protection Authorities in the event of a dispute.
In contrast, the PDPO does not require the appointment of any data protection officer. Rather, the appointment of a data protection officer is recommended as a best practice (in order to preserve reputational value) under the PMP. Such appointment may entail reviewing an organisation’s current operating structure and designating the data protection officer as an executive-level staff member.
4 – Increased obligations in the event of data breach: according to the GDPR, any organisation suffering a personal data breach[7] event leading to the destruction, loss/alteration, unauthorised disclosure of, or access to, personal data must notify the supervisory authority in the EU member states ASAP, or within 72 hours of such organisation becoming aware of it (when feasible)[8]. Notification does not need to be made if the breach is unlikely to result in risk to the rights and freedoms of individual persons; there must be a “high risk”[9].
The provision of such notifications is voluntary in HK; there is no binding obligation or stipulated timeframe for doing so[10].
5 – Customer consent: the GDPR lists specific requirements for organisations seeking to obtain an individual’s valid consent prior to using their personal data[11]. In short, an individual’s consent must be freely given, specific, informed and unambiguous[12] (either by giving a statement or an affirmative action), and may be withdrawn by such individual at any time. Any requests for consent should be separate from other terms, and be in clear and plain language.
On the other hand, the PDPO does not require procuring an individual’s consent as a pre-requisite for collecting personal data unless at the time of collection, the data user notifies the data subject that provision of his or her data is only voluntary as opposed to obligatory (the data user must say whether provision of the data is voluntary or obligatory at the time of collection[13]), or such data are used for a new purpose (i.e. a purpose not directly related to the original collection purpose), or used or transferred for direct marketing purposes. In such cases, consent must be informed, voluntary, and express – it cannot be inferred from inaction or silence. Nor does the PDPO promulgate any parental consent requirement; instead, the PDPO allows parents or legal guardians of minors to give prescribed consent on their behalf if the parent or legal guardian has reasonable grounds to believe that the new purpose for using data may be in such minor’s interest.
6 – Impact assessments: pursuant to the GDPR, organisations are required to conduct an impact assessment prior to engaging in any type of data processing that is likely to result in a “high risk to the rights and freedoms of natural persons”[14]. Such impact assessments should describe the data processing, assess its necessity and proportionality, and mitigate the attendant risks to individuals’ rights and freedoms[15]. Impact assessments are particularly required when data processing involves:
- Systematic and extensive evaluation of personal data via automated processing (including profiling), and on which decisions are made producing legal effects on, or significantly affecting, individuals;
- Large-scale processing of sensitive personal data (biometric data, data relating to criminal offences, etc.); or
- Systematic monitoring of public areas on a large scale[16].
According to guidance issued by the PCPD[17], privacy impact assessments are encouraged under certain circumstances (e.g. prior to installing security cameras in public places) but HK law does not impose any obligation to conduct them.
7 – Heavy fines: the GDPR introduces a tiered approach to penalties whereby some infringements attract fines of up to the higher of 4% of annual worldwide turnover or EUR20 million (e.g. for breach of requirements relating to international transfers or the basic principles for processing, such as conditions for consent). Other infringements would attract a fine of up to the higher of 2% of annual worldwide turnover or EUR10 million.
By comparison, failure to comply with the PDPO (including any of the Data Protection Principles listed in Schedule 1 thereto) does not automatically trigger any sanctions. In cases of non-compliance, the PCPD can issue an enforcement notice[18] directing the data user to remedy or fix the contravention. Statutory fines for failing to comply with an enforcement notice range from HK$50,000 to HK$100,000[19], though for direct marketing offences[20] the relevant penalties are much higher (ranging from HK$500K to HK$1M, plus up to five years imprisonment[21]) as they are criminal offences. The PCPD has no power to directly levy administrative fines or penalties.
In light of the breadth and extent of the GDPR, businesses facing the GDPR’s compliance requirements should develop an overall privacy framework, document policies and procedures, and assign accountability for privacy policies and procedures.
As a law firm committed to Hong Kong, we are dedicated to assisting businesses in Hong Kong to comply not only with Hong Kong law but also other applicable laws.
[1] Per article 4 GDPR, “profiling” means “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person…”
[2] Article 21 GDPR
[3] Part 6A of the PDPO also gives individuals the right to opt out of the use of their personal data in direct marketing
[4] See “Privacy Management Programme—A Best Practice Guide” issued by the Personal Data Privacy Department
[5] Article 37(1) GDPR
[6] “Large scale” is not defined under the GDPR, but according to the EU Guidelines on Data Protection Officers certain factors should be evaluated in determining scale:
- Number of data subjects;
- Volume of data and/or range of data items to be processed;
- Duration, or permanence of the data processing activity; and
- Geographical extent of the data processing activity
[7] Per article 4 GDPR, “personal data breach” means “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”
[8] Article 33 GDPR
[9] Article 34(3) GDPR
[10] The PCPD published Guidance on Data Breach Handling and the Giving of Breach Notifications, which explains steps for giving notification (which is recommended to be given to affected individuals or organisations “as soon as possible”)
[11] See articles 6(1)(a) to (f) of the GDPR
[12] Article 7(4) GDPR states that in assessing whether consent was freely given, account shall be taken of… whether “…performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract”.
[13] Pursuant to Data Protection Principle 1, Schedule 1 PDPO
[14] Article 35 GDPR
[15] Refer to “Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is ‘likely to result in a high risk’ for the purposes of Regulation 2016/679” (http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=611236)
[16] Article 35(3) GDPR
[17] See “Information Leaflet on Privacy Impact Assessments” (https://www.pcpd.org.hk/english/resources_centre/publications/files/InfoLeaflet_PIA_ENG_web.pdf)
[18] Pursuant to section 50 PDPO
[19] Section 50A PDPO
[20] Direct marketing offences are dealt with under Part 6A of the PDPO
[21] See sections 35J(5), 35K(4), and 35L(6) PDPO