Date: 3 May 2018
Response to Media Enquiry on the Review of Personal Data (Privacy) Ordinance
Thank you for your enquiry. Our consolidated response follows:
- The Personal Data (Privacy) Ordinance (PDPO) is a comprehensive data protection law. When the PDPO was enacted, reference was made to the OECD Privacy Guidelines 1980 and the European Union (“EU”) Directive 1995 on protection of personal data. The Data Protection Principles (DPPs) and the other provisions under the PDPO share common features and principles with the data protection laws in many overseas jurisdictions.
- The PDPO is also technology-neutral and principle-based, allowing the Privacy Commissioner to strike a balance to handle occasions that embrace technology development and innovation while protecting and respecting personal data of individuals.
- In light of the upcoming implementation of the EU General Data Protection Regulation (GDPR) in May 2018 and the effect of the GDPR on Hong Kong businesses, the office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD) has conducted a comparative study between the EU GDPR and the Hong Kong PDPO with the aim of assessing whether the PDPO should be reviewed to catch up with international data protection standards and assisting Hong Kong businesses to get a better understanding of the GDPR. A booklet, European Union General Data Protection Regulation, has been issued, comparing areas of the major requirements of the GDPR with those set out in the PDPO.
- The PCPD has a statutory obligation to review the PDPO from time to time and to provide recommendations in a timely manner. The PCPD constantly keeps abreast of global personal data privacy developments, and assesses whether there is a pressing need for any reform in personal data law with a view to striking the proper balance between data privacy protection and other rights and interests, including the free flow of information, freedom of expression and of the press. The PCPD will also continue its efforts in promoting the “Protect, Respect Personal Data” culture through education and promotion, as well as monitoring and supervision of compliance with the PDPO.
- In the face of rapid technological developments threatening to annihilate robust law amendment efforts, the PCPD is of the view that regulators should explore the possibility of accountability as the solution. Comprehensive, flexible and responsibility-based, accountability is the crucial framework to strike a balance between data protection and facilitation of businesses and innovation. An increase in sanctioning power is also a means to facilitate effective enforcement.
- Regulatory framework aside, regulators should consider engaging and incentivising organisations/businesses in cultivating/strengthening the privacy culture, particularly in Asia, by facilitating them in building trust and reputation, observing ethical standards and respecting data of their customers and consumers.
(The information can be attributed to the Privacy Commissioner for Personal Data, Mr Stephen Kai-yi Wong)