Reform of Hong Kong’s Personal Data Privacy Legislation: Public Consultation Period Ends

Prior to the Consultation Document being released, the Privacy Commissioner for Personal Data presented to CMAB and the Government the results of his own review of the Personal Data (Privacy) Ordinance (the "Ordinance"). The Consultation Document included some but by no means all of the issues captured in the Commissioner’s review.

In November 2009, the Commissioner released his submissions on the Consultation Paper, responding to the proposals CMAB had formulated. The Commissioner states in his submissions that they were intended to "let the public know more about the issues before making their submissions", and noted that the Government’s proposals were "more moderate and conservative than those made by the Commissioner".  

"Sensitive Personal Data"

The Commissioner’s Review had suggested that the definition of "sensitive personal data" under the Ordinance should include data regarding an individual’s race or ethnicity, political and religious beliefs and affiliations, physical and mental health, and sexual preferences ("the extended definition"). However, the Consultation Paper instead proposed that only biometric data be considered sensitive personal data at this stage.

In his Submissions in response, the Commissioner noted that the extended definition accords with Article 8 of the EU Directive 95/46/EC, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. In order to be designated as "adequate" under the Directive and allow for uninterrupted data flows with EU member states, the Ordinance must provide a similar level of protection as provided for under the Directive. The Submissions suggest that designation as an “adequate” jurisdiction under the Directive would assist Hong Kong’s growth as a trade and business centre. 

The Commissioner also submitted that given the extent of harm that may arise as a consequence of data in the extended definition being mishandled, it would be appropriate to adopt this wider definition and he urged the CMAB to reconsider the scope of sensitive data.

Regulation of Data Processors

Unlike equivalent legislation in other jurisdictions, such as Australia and Canada, the current provisions of the Ordinance regulate the handling of personal data by data users only and not also by data processors. While the Consultation Paper included the Commissioner’s earlier proposal that data users should be obliged to use contractual and other means to ensure data processors comply with the Ordinance, the Submissions suggested that this control mechanism would not go far enough. Rather than ensuring compliance by self-regulation and internal policy alone, the Commissioner proposed that data processors should be subject to direct regulation under the Ordinance. This would reduce the increasing number of data leakage incidents, many of which have been shown to have resulted from insufficient security safeguards on the part of data processors.

In defence of the decision to exclude data processors from direct regulation, CMAB has raised concerns about the application of the Data Protection Principles (“DPP”) to data processors, particularly DPP3, which provides that personal data should only be used for the purposes (or a directly related purpose) for which they were to be used at the time of collection. As data processors are often unaware of the nature of or purpose of collection of the personal data they are processing, this principle would be difficult to enforce. The Commissioner responded to this by proposing that the wording of DPP 3 be amended to provide, in relation to data processors, that personal data should only be used for the purpose for which the data was entrusted to the data processor.

The Commissioner’s Enforcement Powers

Although many of the Commissioner’s suggestions to increase his own powers of enforcement have been included in the Consultation Document (such as the power to carry out criminal investigations and prosecutions, the power to search premises and seize evidence, and the power to call upon public officers for assistance), CMAB expressed the view that there could be public concerns about giving such wide powers to the Commissioner.

This view was of course not accepted by the Commissioner who disagreed on a number of grounds. There are many examples of statutory bodies that have been given the power to investigate and institute criminal proceedings at their own behest. Further, the Commissioner pointed out that the power to prosecute entails bringing an action and presenting the case before the Court. It does not give the prosecutor the power to determine the culpability of the data user and impose sanctions; that power is reserved for the judiciary. A member of the public has the common law right to bring a criminal prosecution. The power of the Secretary of Justice to intervene and assume control of criminal proceedings is an effective safeguard against any prejudice of the Secretary’s power in the case of an individual, just as in the case of a statutory body. The Commissioner proposed the inclusion of a provision that the Commissioner’s power to prosecute be subject to the consent of the Secretary for Justice.

Outstanding Issues: s. 33 and Cross Jurisdictional Data Transfers

One point of discussion throughout the review and consultation process was the fact that s. 33 of the Ordinance was excluded from consideration. S. 33 restricts, subject to certain exceptions, the transfer of personal data from Hong Kong to any jurisdiction that lacks an adequate data protection scheme. It is the only section of the Ordinance that has not yet been brought into force, despite being on the statute books for the last 14 years. However, with the increasing internationalisation of business, and the ability to disseminate information across the world instantaneously through the Internet, the protection and regulation of cross jurisdictional personal data transfers has come under scrutiny.

Although the government had earlier indicated that s. 33 would be part of the Commissioner’s review, it has not been included in the Consultation Document and comments from both the Government and the Commissioner before and during the consultation period suggest that both are of the view that Hong Kong is not ready for such legislation, and further assessment is needed.

Not bringing section 33 into force means that there is effectively no restriction on the transfer of personal data to jurisdictions that do not have a data protection regime (most significantly, mainland China). This in turn means that parties wishing to protect personal data transfers to such jurisdictions must rely on (and, in cases of breach, take steps to enforce) contractual terms restricting the use of the transferred data. Unauthorised use of personal data in this way is a matter of contract, rather than statutory law.

The Government has yet to make an announcement or release any documentation in relation to the submissions made during the consultation period and the Commissioner’s responses to the Consultation Document. Further updates will be forthcoming when the form the legislative amendments take is made public.

Authored by Gabriela Kennedy, and Olivia Lennox-King Stewart.