Privacy Complaints Up 48% in Hong Kong in 2013: Are You Prepared? Read Hogan Lovells Easy Reference Guide.
19 March 2014
Hong Kong's Privacy Commissioner for Personal Data received 1,792 complaints in 2013, a record high. The figures show a 48% increase in complaints filed and more than a doubling of the number of enforcement notices issued by the Commissioner, with 25 enforcement notices issued in 2013 against 11 in 2012. 78% of all complaints were made against the private sector, in particular the financial, telecommunications and property sectors. The Commissioner has confirmed that a key focus for 2014 will be to increase its enforcement efforts.
The step change in enforcement activity should most obviously be a cause for concern for businesses that rely on personal data for marketing their products and services. Thirty percent of last year's complaints related to direct marketing (a significant increase). But a close examination of the figures shows that business concerns should be much broader than this. For example, there was a substantial increase in the number of data security breaches reported to the Commissioner (61 in 2013 against 50 in 2012), showing that the growth in investigations and enforcement activity doesn't just relate to electronic marketing. As businesses become more and more dependent on their data holdings as a means of finding competitive advantage, and "Big Data" becomes an increasingly valuable business asset, data privacy compliance becomes a business-wide issue that requires board level attention.
The Commissioner's latest policy initiative underscores this point. Last month, the Commissioner published guidance calling for businesses to adopt comprehensive Privacy Management Programmes directed at achieving compliance in all aspects of their business. This "best practice" standard of compliance needs careful review, as it will likely be considered in adjudicating future rounds of enforcement action. Every organisation that handles personal data needs to ensure compliance with the Ordinance. If the Commissioner's office receives a complaint, the Commissioner has the power to order an investigation and, where there has been a breach, issue an enforcement notice. There are now substantial penalties under the Personal Data (Privacy) Ordinance ("PDPO") for the most serious breaches, with fines up to HK$1,000,000 and 5 years' imprisonment. Quite apart from the criminal sanctions, there are reputational risks for an organisation that is subject to an investigation, with the Commissioner increasingly prepared to "name and shame" organisations and publicise the results of his investigations.
Comprehensive regulation requires a well-considered, comprehensive response.
At Hogan Lovells, we regularly advise clients on all aspects of data privacy compliance, including:
- Conducting data privacy compliance audits and developing data privacy policies and procedures;
- Helping clients structure cross-border data transfers, including as part of outsourcing, shared services and cloud arrangements;
- Advising on the acquisition of personal data as an increasingly important part of merger and acquisition and joint venture activity;
- Advising on commercial arrangements, such as marketing, distribution and sponsorship agreements, where securing rights to personal data is a key objective;
- Advising on data breach notification requirements when data is hacked or lost;
- Advising on data subject access requests; and
- Defending companies against enforcement action.
Our wide network of offices in the Asia Pacific region and elsewhere means that we can provide joined-up thinking on all aspects of privacy and data protection compliance. Our practitioners in the region have years of experience with European data privacy regulation, the inspiration for many of the regulatory developments in Hong Kong and across the wider region. As part of an international team that shares know-how and insights across the globe, we can work with clients wherever their data may be.
We attach an overview of the PDPO and regulatory regime in Hong Kong and would be delighted to assist you with your data privacy needs. Please do not hesitate to contact us if you would like to discuss.