The recent leak of a massive amount of customers’ personal data by international airlines, along with other alarming leaks on social media platforms, has once again put the issue of data protection into the spotlight.
Data protection is the management and safeguarding of personal data from unauthorized access or use. Nowadays, organizations handle a huge volume of personal and confidential client and customer information in the course of their business operations. The rapid development and application of smart technologies in social computing, big data processing, artificial intelligence and machine learning have made everything faster and smarter. However, changes to business, communities and society arising from the use of technologies such as blockchain, fintech and behavioral tracking also raise the risk to people’s privacy to an unprecedentedly high level. For instance, according to Hong Kong’s Office of the Privacy Commissioner for Personal Data, Annual Report 2016-17 (Annual Report), the number of cyber crimes has risen from a few hundred per year in the 1990s, to about 6,000 in 2016!
Data protection regime in Hong Kong
The legal regime that applies to data protection plays a significant role and governs the way in which data can be used to market, provide services or run businesses, and also specifies how they should be stored. However, in reality, whether personal data and information are sufficiently protected will invariably depend on whether the applicable laws are robust enough to ensure adequate compliance.
In Hong Kong, the main legislation on data protection is the Personal Data (Privacy) Ordinance (Cap. 486 of the Laws of Hong Kong) (Ordinance or PDPO). The Ordinance regulates the collection, use and handling of personal data and is based around a set of data protection principles. The Ordinance was enacted in 1996 in response to Directive 95/46/EC (Data Protection Directive), covering much the same ground as the Data Protection Directive, although with some significant limitations. The Ordinance underwent major reform in 2012, primarily to add specific provisions and restrictions against the use and provision of personal data in direct marketing.
Further, there are obligations imposed by the PDPO on data users in the form of six Data Protection Principles (DPP) to ensure data is processed properly:
- DPP 1 (collection): Personal data should be collected by fair means and for a lawful purpose. Such collection should be necessary but not excessive, and the data subjects must be informed of the purpose of the collection.
- DPP 2 (accuracy and retention): All personal data should be accurate and not kept any longer than is necessary.
- DPP 3 (use and disclosure): Personal data should not be used for a different purpose except with the consent of the data subject.
- DPP 4 (security): All practicable steps should be taken to protect personal data collected against unauthorized or accidental access, processing, erasure, loss or use.
- DPP 5 (openness): All practicable steps should be taken to ensure the public knows what personal data are held and how they are used.
- DPP 6 (access and correction): A data subject should be able to have access to his or her personal data and correct them if considered inaccurate.
Privacy Management Program – A Global Trend for Organizations
As a result of the significant increase in new privacy risks, data and privacy protection is currently undergoing significant change. There is a growing trend among privacy regulators around the world to advocate and promote a more proactive, accountability-based privacy management program (PMP) as a tool for increasing accountability, as opposed to mere compliance with existing data protection laws, which may no longer be sufficient.
The accountability principle was first introduced by the Organization for Economic Co-operation and Development (OECD) in its 1980 Privacy Guidelines and subsequently updated in 2013 with the introduction of a number of new concepts such as PMP and security breach notification. The OECD Guidelines have shaped many regulatory frameworks around the world, including the data protection regime in Hong Kong.
The term “accountability” in relation to privacy is succinctly defined in the “Getting Accountability Right with a Privacy Management Program” Guide jointly issued by the Privacy Commissioners of Canada, as well as Alberta and British Columbia, as “the acceptance of responsibility for personal information protection. An accountable organization must have in place appropriate policies and procedures that promote good practices which, taken as a whole, constitute a privacy management program. The outcome is a demonstrable capacity to comply, at a minimum, with applicable privacy laws. Done properly, it should promote trust and confidence on the part of consumers, and thereby enhance competitive and reputational advantages for organizations.”
What does all of this mean?
The increase in privacy breaches has raised the privacy and security expectations of business clients and customers over the collection, holding, processing and use of their personal data. Organizations must therefore implement adequate security measures to protect the personal data of their clients and customers. An accountability-based model for handling personal data is the more proactive and preferred approach and has now become the global trend. In line with this trend, the European Union’s (EU) General Data Protection Regulation (GDPR), which came into force on 25 May 2018, introduced a number of new features into the data protection regime, including accountability. This means organizations must meet various obligations in order to demonstrate data protection compliance, such as the appointment of data protection officers, mandatory personal data breach notification, data portability and new obligations on processors. Hong Kong businesses will be bound by the GDPR if they have an establishment in the EU or, where they are outside the EU, if they offer goods or services to, or monitor, EU citizens.
In view of the public concerns about the recent airline data leaks and the public’s call for stricter regulation on data protection for organizations, the Privacy Commissioner stated on 3 November that a review of the PDPO is underway and recommendations will be submitted to the government within months.