A stricter regime for profiling07 June 2016
Hong Kong Set to Implement Data User Return Scheme by 2013
This post was contributed by Gabriela Kennedy, a Partner, and Zuzana Hecko, a Summer Intern, both of the Intellectual Property, Media and Technology Group of Hogan Lovells Hong Kong
On July 7, the Hong Kong Privacy Commissioner for Personal Data (“the Commissioner”) issued a consultation document setting out the mechanism for a Data User Return Scheme (“the Scheme”). Provisions allowing the Commissioner to request returns from specific data users are already present in Part IV of the Personal Data (Privacy) Ordinance ("the Ordinance"). So far, the Commissioner has not exercised this right, but following a survey of practices in other jurisdictions and taking into account the heightened awareness of privacy rights and corporate sensitivity about personal data, the Commissioner is now of the view that it is time to introduce the Scheme in Hong Kong.
The consultation document (PDF) seeks views on the implementation and operational framework for the Scheme in Hong Kong.
Benefits of the Scheme
The Scheme aims to provide better protection of personal data among corporate data users. Once the Scheme is implemented data users will be required to submit an annual return detailing the personal data they control and the purposes of collection or processing of such data. Data users may provide more information than prescribed by the Commissioner if they so wish in order to show their commitment to the protection of personal data of their customers. It is hoped that the Scheme will lead to greater accountability and transparency of data protection practices of corporations as well as an enhancement of their data privacy protection standards. Companies required to submit Data User Returns will need to take care when filling them in and provide correct information as the intentional provision of false or misleading information constitutes an offense under the Ordinance (attracting a fine of HK$10,000 and imprisonment for up to 6 months). It is also an offense not to submit a return or to submit it late (although a penalty will be applied for the late submission of a return this will not rule out a prosecution for late submission).
The Commissioner will keep a Register of Data Users, in effect a database of data users, which would contain all the information submitted annually by data users. The register will be available to the public for inspection, thus giving data subjects an opportunity to understand data users' privacy practices and compare them with the practices of other data users. Data subjects will have a single point of access to information about how Data Users handle their personal data.
Who will be covered by the new Scheme?
It is proposed that the Scheme will be rolled out in several consecutive phases, covering: a) first, the public sector; b) second, three large regulated industries (banking, telecommunications and insurance) and c) third, organizations with a large database of members (such as customer loyalty schemes). These initial sectors have been selected by the Commissioner because of the large amount of personal data under their control, the sensitivity of the personal data they control, the frequent and diverse use of the personal data they hold, the relative high number of complaints in these sectors and because it is the common practice in these sectors to transfer personal data to third parties for marketing or other purposes.
When will the new Scheme come into operation?
The Commissioner expects to finalize the implementation framework for the Scheme by the end of 2011 and publish a Notice in the Government Gazette regarding the introduction of the Scheme by mid-2012 in the hope that it will come into force by the end of 2012. This means that by the second half of 2013 the first phase of the Scheme may be rolled out and the first data user returns are expected. More information can be found on the website of the Commissioner (PDF).
The Regulation aims to strengthen the rights of individuals. It does so by retaining rights that already exist under the Data Protection Directive and introducing the new rights of data...06 June 2016
Grounds for processing03 June 2016