Vivien Chan & Co - China
In 2018 there have been a number of high-profile personal data security breach incidents, globally and in Hong Kong. In March private data from 50 million Facebook profiles around the world was harvested by data analytics firm Cambridge Analytica. In April the personal data of around 380,000 customers of the Hong Kong Broadband Network (HKBN) were compromised in a cyberattack. In October Hong Kong flag carrier Cathay Pacific announced that the personal information of up to 9.4 million passengers had been leaked, including passport numbers, credit card numbers, nationalities and phone numbers. In late November the credit reports for a number of high-profile public figures, including Chief Executive Carrie Lam Cheng Yuet-ngor and Financial Secretary Paul Chan Mo-po, were found to be easily obtainable from consumer credit reporting agency TransUnion, due to the company’s simple online authentication procedures. As a result, TransUnion was ordered to immediately suspend its online credit reporting services. What is more, in early December the personal data of up to 500 million guests of Marriott International – one of the largest hotel groups in the world, with over 6,000 hotels in 127 countries – was reportedly exposed in one of the most serious data breaches in recent years.
The recent proliferation of data breach incidents is a wake-up call for data users (ie, any legal entity or person that controls the collection, holding, processing or use of data). As such, data users should have a basic understanding of the statutory requirements for the protection of personal data and should take the necessary actions to comply with such requirements.
This update sets out the basic legal principles regarding the data protection regime in Hong Kong and provides key tips on how to prevent data breaches and how to respond in a data breach crisis.
Personal Data (Privacy) Ordinance
In Hong Kong, data protection laws are generally governed by the Personal Data (Privacy) Ordinance (PDPO) (Cap 486 of the Laws of Hong Kong), which regulates the collection, use and handling of personal data and is based on the following data protection principles, which are widely adopted across many jurisdictions:
- Data collection principle – data should be collected for a lawful purpose and should not exceed the necessary amount. Data subjects must be notified about the purpose for collecting the data and the classes of parties to which it may be transferred.
- Accuracy and retention principle – data should be accurate and should not be retained longer than necessary.
- Data use principle – data should be used only for the purpose for which it was collected or for a purpose to which the data subject has consented.
- Data security principle – data users should take practicable steps to safeguard personal data.
- Openness principle – data users’ personal data policies and practices should be made known to the public.
- Data access and correction principle – the data subject is entitled to access and correct their data.
In the context of a breach, the security of personal data is of the utmost importance. According to the data security principle, a data user must take “all practicable steps” to ensure that personal data is protected from unauthorised or accidental access, processing, erasure, loss or use. The factors generally taken into account when determining what constitutes practicable steps include measures concerning:
- the physical location in which the data is stored and the equipment used to store it;
- the people who have access to the data; and
- the secure transmission of the data.
These are important measures that a data user must carefully consider, as they are common sources of data breaches.
Under the PDPO, the privacy commissioner for personal data (PCPD) has substantial investigative powers, such as entering premises and requiring the production of documents, if they have reasonable grounds to believe that an act has been committed in breach of the ordinance. If a data user is found to be in breach of the ordinance, the PCPD will generally issue an enforcement notice. Non-compliance with the notice is a criminal offence and is punishable by a maximum fine of HK$50,000 and a maximum of two years’ imprisonment.
Is data breach notification mandatory?
The EU General Data Protection Regulation (GDPR) was adopted in the European Union in 2016 and came into force in May 2018. The GDPR contains provisions and rights that are not found under the PDPO. For example, under the GDPR, data users generally must report breaches of personal data within 72 hours of notice of the breach – failing which the data users can be fined up to 2% of their annual global turnover.
Indeed, many jurisdictions outside the European Union, such as Canada, Australia and many US states, have similar rules making the disclosure and notification of data breaches mandatory, with serious penalties for non-compliance. However, the notification of personal data breaches to either data subjects or the PCPD is not a mandatory requirement under the PDPO, despite being proposed as part of the amendments in 2012. As such, there is generally no legal consequence for failing to notify parties of a data breach in Hong Kong.
While not a legal requirement, the PCPD encourages the notification of breaches. Data users should also consider the potential backlash, such as public relations issues, as well as other sectoral laws and regulations (eg, the Securities and Futures Ordinance (Cap 571 of the Laws of Hong Kong) and the Listing Rules), which may be binding on data users and require them to notify such breaches to the relevant authorities.
Tips to prevent data breaches
An up-to-date data security system is useful to prevent data breaches as a result of hacking or computer intrusion. There are other simple measures that can also significantly reduce the risk of a data breach.
One common pitfall is that data users fail to keep track of the duration of their possession of personal data. Although the PDPO does not stipulate a specific timeframe for erasing personal data, it provides that “all practicable steps must be taken to ensure that personal data is not kept longer than is necessary for the fulfillment of the purpose”. Data users often overlook the importance of clearing the personal data collected. Indeed, the less data held by a data user, the smaller the impact of a data breach. Following the HKBN data breach, the network has pledged to keep information for no more than six months. This remedial move has received positive responses.
According to recent research, over 40% of data breach incidents are attributable to the negligence or mistake of employees. Therefore, data users should carefully control and audit their internal policies and strictly adhere to these in order to minimise the possibility of a data breach caused inadvertently by employees. The UK courts recently found an employer to be vicariously liable for the criminal actions of an employee who maliciously copied and made public the personal data of other employees, despite the fact that the employer was found not to be in breach of any data protection laws. As such, while regulatory compliance may serve to protect a data user from primary liability, employers can still be vicariously liable for the actions of their employees. Therefore, data users should be wary of the conduct of their employees and provide sufficient training, implement access control measures and conduct regular internal audits.
How to respond to a data breach crisis
To minimise damage and liability, data users should react promptly and appropriately if a data breach is discovered. In particular, the following immediate courses of action should be taken:
- identify the cause and source of the breach;
- adopt containment measures in order to halt a further breach; and
- assess the damage and loss.
Each of these steps is important to minimise the impact of the breach and prevent further breaches. Obtaining such information will also be crucial in proving that all practicable steps have been taken to guard against potential data breaches, should any legal actions arise. As such, it is strongly recommended to document the findings of an investigation.
Even the biggest multinational corporations may not be equipped to handle a significant data breach incident. Therefore, companies should have a crisis management plan in place or should at least know who to contact and bring in (eg, legal advisers, investigators, cybersecurity experts and public relations advisers) when such a situation occurs. In the event of a data breach, companies should first contact legal advisers in order to establish legal professional privilege, which prevents any information disclosed to the legal advisers from being used against the breaching party in future. More importantly, legal advisers can help to:
- analyse and assess the legal consequences and potential liability;
- coordinate the post-breach actions; and
- advise on:
  - what information to share with external investigators and experts;
  - whether there is a need to give notification of the data breach;
  - to whom such notification should be given; and
  - the content of the notification.
Following a series of data breach incidents, the public are calling for the implementation of the mandatory notification of a data breach under the PDPO. It is likely that the PDPO and the data protection regime in Hong Kong will soon be reformed. In the meantime, data users should regularly review their data protection policies to ensure that there are no loopholes which could lead to inadvertent data breaches. Further, they should seek early legal advice to ensure that these data protection policies comply with the current statutory requirements. During a data breach, it is also advisable to act promptly and contact legal advisers to coordinate post-breach actions.