Date: 15 November 2017
Responses to Media Enquiry on General Data Protection Regulation
Thank you very much for your enquiry and our office’s responses are as follows:
-
In light of the implementation of EU General Data Protection Regulation (GDPR) in May 2018 and the effect of the GDPR to Hong Kong businesses, the office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD) has conducted a comparative study between the GDPR and the Personal Data Privacy Ordinance (the Ordinance) with the aim of assisting Hong Kong businesses to get a better understanding of the GDPR and assessing whether the Ordinance should be reviewed to catch up with international data protection standards.
-
As the EU is Hong Kong’s second largest trade partner, the new GDPR’s extra-territorial effect suggests that Hong Kong businesses which offer goods or services to data subjects in the EU, or monitor their behaviour (regardless of whether the personal data is processed outside the EU), should be obliged to comply with the GDPR’s requirements.
-
The comparative study is still on-going and we shall release the outcome of our study soon, probably early next year in tandem with the publication of our Guidance to businesses. We are planning to conduct related seminars and/or workshops starting from this December.
-
While Artificial Intelligence (“AI”) is bringing revolutionary changes and enormous benefits to the community, we must be mindful of the privacy and ethical implications that it may bring, in particular:
-
Covert data collection – AI relies on massive data input for processing to generate predictions. The data is collected on a massive scale from a wide variety of sources, and sometimes covertly, without notice to the individuals concerned.
-
Unexpected data use – AI combines datasets from different sources in unexpected ways to generate new data and new insights. Through data mining and analytics, companies may draw insights from seemingly innocuous data to infer intimate personal information which a user may not want to disclose; the user may also be surprised by predictions made and applied in ways beyond his imagination. Decisions based on such analytics and profiling may also be unfair or discriminatory.
-
Data retention and security – The use of AI inevitably leads to the accumulation of enormous volumes of personal data, much of which may be stored in the cloud and transferred across regions. This raises compliance issues concerning data retention and data security.
-
The aforesaid privacy and ethical implications are also relevant to Insurtech, in which Big Data analytics and AI are applied in designing better and more efficient work processes and new business models for the insurance industry. For example, some insurers have introduced wearable devices and mobile apps to track the fitness activities of policyholders of life and health insurance products. Insurers are recommended to conduct a privacy impact assessment to identify and address the privacy risks before rolling out the relevant projects or services.
-
As regards the setting up of a centralised insurance claims database, strong justifications are required for the data sharing. Also, the relevant issues and views must be thoroughly considered. Ultimately, it would be a balancing exercise as to whether the public interests involved outweigh the personal data privacy protection of individuals, and whether the sharing is necessary and proportionate for attaining the purposes. Generally speaking, if a data user controls the collection, holding, processing or use of personal data in Hong Kong, he must comply with the requirements under the Ordinance, including the six Data Protection Principles (DPPs). With respect to the collection and use of personal data:
-
the personal data, being necessary and not excessive (DPP1(1)), must be collected in a lawful and fair way (DPP1(2)) for a purpose directly related to a function or activity of the data user (e.g. the insurance company); and the data subject (e.g. an applicant for an insurance product or a policyholder) must be duly notified of the purposes of collecting his data (e.g. for sharing in the insurance claims database for fraud detection and prevention) and the classes of transferee (DPP1(3)); and
-
personal data shall only be used for the purpose for which the data is collected or for a directly related purpose, unless voluntary and explicit consent is obtained from the data subject (DPP3) or an exemption provision of the Ordinance applies.
-
The six DPPs under the Ordinance cover the entire data lifecycle – from collection, retention, data use and security to destruction. The principles complement each other in ensuring that the personal data privacy of individuals is duly protected at all stages of data processing. Emphasis on one principle under particular circumstances would not in principle diminish the importance of the others. The PCPD recommends that organisations conduct privacy impact assessments on new proposals or infrastructures that may have an impact upon personal data privacy. The Privacy Commissioner has issued the Information Leaflet on “Privacy Impact Assessments”, which offers advice to organisations on how to conduct privacy impact assessments in a pragmatic manner.
-
As the regulator, the PCPD will continue its efforts to protect the personal data privacy rights of individuals through education and promotion, as well as monitoring and supervision of compliance with the Ordinance, while keeping abreast of global personal data privacy developments so as to respond promptly to the challenges ahead.