Response to Media Enquiry or Report

Date: 20 September 2017

Privacy Commissioner Responses to Media Enquiry on The Position of the Privacy Commissioner for Personal Data, Hong Kong (“Privacy Commissioner”) on the European Union (“EU”)’s General Data Protection Regulation (“GDPR”) and Its Impact on Hong Kong

Thank you very much for your enquiry regarding the position of the Privacy Commissioner for Personal Data, Hong Kong (“Privacy Commissioner”) on the European Union (“EU”)’s General Data Protection Regulation (“GDPR”) and its impact on Hong Kong. Our consolidated responses are as follows:

- As the EU is Hong Kong's second largest trade partner, the GDPR's extra-territorial effect means that Hong Kong businesses (including banking and financial institutions) which offer goods or services to data subjects in the EU or monitor their behaviour (regardless of whether the personal data is processed outside the EU) should be obliged to comply with the GDPR's requirements. Some preliminary observations on the key impact of the EU GDPR are as follows:

  - Accountability: the GDPR will require data controllers to implement appropriate technical and organisational measures (e.g. privacy by design for data protection, compulsory data protection impact assessments, designation of a data protection officer) to ensure compliance.
  - Consent: consent from data subjects must be freely given, specific and informed, and provided by an unambiguous, clear affirmative action.
  - Mandatory data breach notification: data controllers must notify the supervisory authority of data breach incidents without undue delay, and must also notify the affected individuals if the data breach is likely to result in a "high risk to the rights and freedoms" of the individuals.
  - Sanctions: the maximum administrative fines available under the GDPR can reach €20 million or 4% of annual global turnover.

- In light of the implementation of the EU's GDPR in May 2018, organisations in Hong Kong are encouraged to adopt the Privacy Management Programme ("PMP") which the Privacy Commissioner has been advocating for the past few years. The Programme encourages organisations to embrace personal data privacy protection as part of their corporate governance responsibilities and to implement it through a top-down approach, marking a shift from compliance to accountability. They may also adopt a privacy-by-design approach to address privacy risks and incorporate personal data privacy protection from the outset. A best practice guide issued in 2014 outlines the baseline fundamentals and components of a PMP, and discusses how to maintain and improve a PMP on an ongoing basis.

- In the meantime, the Office of the Privacy Commissioner for Personal Data, Hong Kong ("PCPD") is conducting a comparative study of the changes to be implemented under the EU's new regime and the Personal Data (Privacy) Ordinance, with a view to reviewing the need to recommend changes to enhance personal data privacy protection in Hong Kong. The observations of the study will be shared when available.

- The Personal Data (Privacy) Ordinance is technology-neutral and principle-based, allowing the Privacy Commissioner to strike a balance between embracing technological development and innovation and protecting and respecting the personal data of individuals. The PCPD will continue its efforts to protect the personal data privacy rights of individuals through education and promotion, as well as monitoring and supervision of compliance with the Personal Data (Privacy) Ordinance, while keeping abreast of global developments in personal data privacy.
(The information can be attributed to the Privacy Commissioner for Personal Data, Mr Stephen Kai-yi Wong)