Out-Law Analysis 7 min. read
07 Feb 2020, 9:30 am
The PDPO was a state of the art piece of legislation when drafted in 1996. Despite some narrow reforms of the PDPO in areas such as direct marketing and unauthorised disclosure of personal data in 2012, broader modernisation of the framework is now required to ensure the law better reflects the age of the smartphone, the use of new technologies like big data analytics and systems that automate decision making, and addresses the risk of data breaches and misuse of personal data in the digital world.
We see no reason why data subjects in Hong Kong would have a lower expectation for the protection of their personal data when compared with data subjects in the EU
With policymakers moving to update data protection laws in other jurisdictions in recent times – perhaps most notably in the EU with the General Data Protection Regulation (GDPR) – it is encouraging that the Constitutional and Mainland Affairs Bureau of the Hong Kong government issued a discussion paper on a review of the PDPO on 20 January, seeking feedback from Hong Kong's Legislative Council on new amendments to the PDPO.
The discussion paper acknowledges recent data breaches in Hong Kong, and notes the rapid development of new technologies which have driven the increased collection and processing of personal data. A number of amendments to the PDPO are proposed in response. These include:
Jennifer Wu
Partner
Hong Kong's largely globalised economy could benefit from having less divergence between the PDPO and comparable legislation overseas – such as the GDPR
If these amendments seem familiar, they are – many of these proposals reflect GDPR provisions that have come into effect, and, indeed, the discussion paper itself acknowledges that it has referred to the GDPR and other comparable jurisdictions in formulating its proposals. The reference to GDPR is to be welcomed. We see no reason why data subjects in Hong Kong would have a lower expectation for the protection of their personal data when compared with data subjects in the EU. Furthermore, Hong Kong's largely globalised economy could benefit from having less divergence between the PDPO and comparable legislation overseas – such as the GDPR.
The discussion around anti-doxxing measures is perhaps more topical to Hong Kong than in other jurisdictions. The discussion paper indicates that the Constitutional and Mainland Affairs Bureau is "deeply concerned" about the significant volume of doxxing cases recently reported in Hong Kong. There have been more than 4,700 doxxing-related cases identified by the privacy commissioner since 14 June last year. More than 1,400 of those cases were referred to the police for further investigation, and there have so far been eight arrests. Actions taken to address the problem thus far include the privacy commissioner requesting the removal of more than 2,500 links from online platforms and that the platforms publish warnings that doxxing might constitute a breach of the PDPO, while the Hong Kong government has also gone to court in a bid to stop doxxing targeted at police officers.
Anti-doxxing measures in any jurisdiction and at any time are to be welcomed. Given the rise in doxxing cases over the past few months in Hong Kong, the current round of proposed amendments for the PDPO seems the appropriate time to deal with the problem.
As comprehensive as the discussion paper is, it is only the first step in a long journey to updating the PDPO. We do not yet know how the Legislative Council Panel on Constitution Affairs will respond to the discussion paper, nor how the broader community and the relevant stakeholders will receive it. Nevertheless, we can expect three issues to surface as the discussion paper gains traction:
It will take time for the discussion paper to be developed into a set of concrete amendments for the PDPO. The proposed amendments provide a valuable opportunity to update Hong Kong's data protection laws both to reflect international standards, and to apply the lessons learnt in the implementation of other data protection laws elsewhere in the world. For data users, there is much to be gained in being well informed on the changes to the PDPO – both by contributing to the consultation process and in being well-prepared to respond operationally to such changes.
Paul Haswell, Jennifer Wu and Thomas Ho are Hong Kong-based experts in data protection law at Pinsent Masons, the law firm behind Out-Law.
Out-Law Analysis
10 Jun 2016