Privacy Commissione
The Commissioner's Blog
The Fast Evolving Privacy Landscape (22.01.14)
As the New Year begins, it is interesting to look back and review the significant changes that have taken place in the privacy arena.
'Privacy' was named by Dictionary.com as the word of the year 2013, due in large part to the debate over government surveillance programmes in connection with the Snowden affairs. To a certain extent, it also underlines the growing concern about personal data privacy on the part of both organisations and the general public. This is corroborated by the fact that the number of complaints lodged with my Office in 2013 represents a 48% increase over 2012.
Pervasive Use of New ICTs
The pervasive use of new information and communications technologies ("ICT"s) in today's digital society has also serious implications for personal data privacy. Our investigation into the smartphone app "Do No Evil" last year, the subject of my previous blog, highlighted some of these risks.
Whilst the intelligent use of ICTs holds great promise for enriching the quality of life and enhances productivity, consumer privacy and data security must remain a priority. In this connection, I have made a submission to the government in response to their public consultation on 2014 Digital 21 Strategy1. I commented that from a privacy perspective, ICTs are essentially neutral. What matters are the choices we make when designing and using them. They can be privacy-intrusive or privacy-enhancing. Privacy-enhancing technologies should be adopted as they respect privacy, give effect to the privacy laws and empower individuals.
Embrace Privacy and Data Protection as part of Corporate Governance
Indeed, to assure that privacy and data protection are managed responsibly by an organisation, it is imperative that relevant policies and procedures are well in place in the organisation and they are treated by top management of the organisation as part of its corporate governance responsibilities, rather than leaving the subject to chance. For the past year, I have been pushing the adoption of this concept of accountability in the Government and some other sectors representing the major data users in Hong Kong, namely, banking, insurance and telecommunications.
I am happy to record that slowly but steadily, I have been able to secure a place for privacy in their Boardroom agenda. For example, I organised a CEO breakfast meeting on 17 December 2013 on privacy and data protection and was able to attract the attendance of some 70 CEOs and senior executives from these sectors. Just last week on 17 January 2014 I was invited to speak on personal data privacy at the Government's Heads of Departments meeting chaired by the Chief Secretary, attended by some 90 Bureaux and Department Heads.
For the 17 December CEO breakfast meeting, I invited Mr Richard Thomas, the former UK Information Commissioner to share his views on the importance of data protection from a corporate governance perspective. It was well attended by some 70 CEOs and senior executives.
More Jurisdictions have Data Privacy Laws
Hong Kong is not alone in keeping up with rising expectations of privacy and data protection. For example, while Hong Kong was the first jurisdiction in Asia to have a dedicated piece of legislation on personal data privacy in 1996 when it came into force, the number of other Asian jurisdictions that have similar legislations in force or about to be in force has grown to 10 today. These include South Korea, Macao, Vietnam, Malaysia, Japan, Taiwan, Thailand, Philippines, India and finally, Singapore, our usual benchmarking partner.
Singapore's Personal Data Protection Act 2012 has commenced operation in phases since 2013. It is interesting to note that it provides better personal data privacy than the Hong Kong in two areas.
Sharing experiences and views with other privacy commissioners and privacy enforcement agencies on the privacy concerns arising from the pervasive use of new ICTs.
Do Not Call Registry
Firstly, the Personal Data Protection Commission of Singapore maintains a 'Do Not Call Registry' for consumers to register their telephone numbers for opting out from fax and text messages as well as voice calls. Within a month of operation since 2 December 2013, close to 400,000 numbers have been registered and 75% of the registrants did so for the purpose of blocking marketing messages. By contrast, while the Office of the Communications Authority is maintaining a similar 'Do-not-call' register of telephone or fax numbers, the scope of opting out is restricted to sending of commercial electronic messages.
Person-to-person telemarketing calls are excluded, despite our repeated requests to the Government to incorporate them in the functions of the registry to afford better consumer protection and to bring them in line with the operations of such facility in many countries including the United Kingdom, Australia, Canada, New Zealand, France and the United States.
Regulating Cross-border Flows of Personal Data
The second area concerns the protection of personal data transferred out of a country. Such protection is provided under section 26(1) of Singapore's Act which will come into force in July this year. The relevant provisions provide that an organisation shall not transfer any personal data to a country or territory outside Singapore except in accordance with requirements prescribed under the Act to ensure that organisations provide a standard of protection to personal data so transferred that is comparable to the protection under the Act.
In a similar vein, section 33 of the Personal Data (Privacy) Ordinance ("PDPO") provides a very stringent and comprehensive regulation of transfer of data outside Hong Kong. It expressly prohibits all transfers of personal data 'to a place outside Hong Kong' except in specified circumstances such as:-
(i) the place is specified by me as one which has in force a data protection law which is substantially similar to, or serves the same purpose as the PDPO [section 33(2)(a)]; and
(ii) the data user has taken all reasonable precautions and exercised all due diligence to ensure that the data will not, in that place, be handled in a manner tantamount to a contravention of a requirement under the PDPO [section 33(2)(f)].
The only problem is that section 33 has not been brought into force since its enactment in 1995 and the Administration has no timetable for its implementation in future. As a result, the current protection for personal data transferred overseas is weak and far from comprehensive. The only legislative provisions in the PDPO are found in the Data Protection Principles ("DPP"s) in Schedule 1 of the PDPO, the contravention of which per se is not an offense:-
(i) Under DPP2(3), if a data user engages a data processor, whether within or outside Hong Kong, to process personal data on its behalf, it must adopt contractual or other means to prevent any personal data transferred to the data processor from being kept longer than is necessary for processing of the data.
(ii) Under DPP4(2), it must also adopt contractual or other means to prevent unauthorized or accidental access, processing, erasure, loss or use of the data transferred to the data processor.
(iii) In addition, DPP3 requires that a transfer of personal data to another jurisdiction be for the purpose for which the data was originally collected.
The situation of global data flows is markedly different today than in the 1990s when the PDPO was enacted. Advances in technology, along with changes in organisation's business models and practices have turned personal data transfers into personal data flows. Data is moving across borders, continuously and in greater scales. Organisations, including small and medium enterprises, are enhancing their efficiency, improving user convenience and introducing new products by practices which have implications for global data flows. They vary from storing data in different jurisdictions via the 'cloud' to outsourcing activities to contractors around the world. Electronic international data transfers in areas such as human resources, financial services, education, e-commerce, public safety, and health research are now an integral part of the global economy.
Against this background, it is high time for the Government to have a renewed focus on section 33 of the PDPO to ensure that the international status of Hong Kong as a financial centre and a data hub will be preserved.
1 For the full submission, please visit :
www.pcpd.org.hk/english/files/infocentre/2014_digital_21.pdf