Feature Interview with Privacy Commissioner by Hong Kong Student Law Gazette
ICT Revolution: Hong Kong’s Shield of Personal Data Privacy in the Era of Big Data
Feature interview with the Privacy Commissioner - Ms. Ada Chung Lai-Ling
I. ROLE AND RESPONSIBILITIES:
1. WHAT IS YOUR TYPICAL DAY LIKE? WHAT ARE THE MAIN RESPONSIBILITIES YOU CARRY SINCE ASSUMING THE POSITION AS THE PRIVACY COMMISSIONER FOR PERSONAL DATA (“PRIVACY COMMISSIONER”)?
I have a very tight schedule almost every day rushing in and out of meetings.
To start my morning, I would read the news highlights prepared by my media team because very often there are issues related to privacy with which we have to keep track and deal. We receive and handle quite a lot of enquiries relating to various aspects of life, such as the LeaveHomeSafe App (“安心出行”) and the use of social media and instant messaging apps. We also hold media briefings on our work, and recently we have hosted one on the topic of Artificial Intelligence (“AI”) in August. [1]
In terms of daily routines, I supervise in person the handling of more complicated complaints and compliance work. With the basic groundwork done and prepared by my colleagues, I would look at the complicated or more sensitive cases before a final decision is made.
Another important part of our work is advising other government departments, private and public entities on their services or new initiatives. A case in point is the Government’s Cash Payout Scheme where privacy issues were raised as to whether the data collected from the last exercise should be used to effect payment this time.
Other than that, more recently, I have been very engaged in a legislative amendment exercise. The 2021 Personal Data (Privacy) (Amendment) Bill (the Amendment Bill) was introduced on 21st July by the Government into the Legislative Council of Hong Kong (“LegCo”). Therefore, I am required to attend the bill’s committee meetings at LegCo from time to time.
On top of these, I also oversee the office management, the handling of personnel matters and promotion projects of my office. Indeed, I have a lot on my plate.
2. HOW AND WHY DID YOU DECIDE TO TAKE UP THE APPOINTMENT AS THE PRIVACY COMMISSIONER?
It is primarily because of a firm conviction that the work of the Privacy Commissioner is interesting and challenging.
Owing to the rapid technological development and the rising expectations of privacy from the public, I do believe that privacy issues and related laws and regulations will be in the spotlight for the next decade.
In the Mainland, the Personal Information Protection Law, the first piece of legislation dedicated to the protection of personal information, was passed by the Standing Committee of the National People’s Congress on 20 August 2021 and will be effective from 1 November 2021. Globally, you have to handle and consider privacy issues in the light of AI development. We have just issued the “Guidance on Ethical Development and Use of AI”. In terms of legislative development, various countries are also tightening up the regulations - that’s why Hong Kong should also review and amend our privacy law - the Personal Data (Privacy) Ordinance (“PDPO”), for one thing, to combat doxxing. After the current amendment exercise, we would proceed to carry out an overall review of the PDPO.
3. WHAT ARE SOME ELEMENTS YOU HAVE BROUGHT FROM THE COMPANIES REGISTRY TO THE OFFICE OF THE PRIVACY COMMISSIONER FOR PERSONAL DATA (PCPD)? IF ANY, WHAT PART(S), IN YOUR OPINION, HAD TRANSPLANTED WELL?
The most related aspect would be my experience in legislative amendment as head of the Companies Registry (“CR”). While serving as the Registrar of Companies, I engaged heavily in the rewriting of the Companies Ordinance. For law students, you might be very familiar with Cap. 622 (Replacing Cap. 32), which now includes over 900 sections. It took me and my fellow members in the whole team over 6 years to rewrite the entire Companies Ordinance. Furthermore, we worked on 12 pieces of new subsidiary legislation all together on top of the primary legislation. From the very beginning till the end, I participated in all the consultations and the drafting work and oversaw a team of lawyers to work on the project. We managed to complete the whole project on time and implemented it smoothly in 2014 (7 years ago), without major complaints. With this background, I am confident to say that I have abundant experience and expertise in handling a mammoth legislative exercise, and I do believe that this expertise would be of help if I were required to carry out any reviews or amendment of the privacy law.
Another angle would be my familiarity with complex IT systems in the CR that catered for the needs of electronic incorporation of companies, electronic search of company information, and electronic filing. CR was one of the first departments that introduced mobile filing, meaning that company filing can be done on your mobile phone nowadays.
It might come as a surprise to many that technological advancement always poses risks to privacy. That’s because the collection, processing, storing, and erasure of data by electronic means often involve personal data, and therefore the provisions of the PDPO have to be complied with.
4. WHAT ARE THE MOST ENRICHING AND DISTINCTLY THE MOST CHALLENGING ASPECTS OF YOUR CURRENT ROLE?
The PCPD’s work in combating doxxing is a very challenging aspect of my work. The Amendment Bill would confer criminal investigation and prosecution power on the Privacy Commissioner. Therefore, it is an entirely new area of work for most of our colleagues. We must do quite a lot of preparation and internal training and enhance our collaboration with the police for the enforcement of the new law. Admittedly, it is a daunting task. Yet I firmly believe that we can rise to the challenge.
Another piece of challenging work is to amend the privacy law in a very short period – to enhance protection against doxxing. You may recall that the Chief Executive announced in February this year that the privacy law should be amended. We provided support to the Government and burned the midnight oil over the past few months to produce the Amendment Bill in July - in the hope of having the Amendment Bill enacted within this legislative session.
II. SPECIFICS ABOUT DATA & PRIVACY ISSUES AND DEVELOPMENT:
5. THE INTERNET IS A PERMANENT PLACE IN THE SENSE THAT IT IS HARD TO TOTALLY ERASE ONE’S HISTORICAL INFORMATION ONCE IT GETS POSTED. WHAT’S YOUR VIEW ON THE “RIGHT TO BE FORGOTTEN”? MAY THE DATA SUBJECT REQUEST TO HAVE HIS/ HER “BAD HISTORY” REMOVED?
I entirely agree that once a piece of data is posted on the internet, it actually becomes a permanent footprint. Therefore, I always advise netizens to think twice before they disclose or post any information on the Internet.
On the “Right to be Forgotten”, it was formulated by the Court of Justice of the EU in the Google Spain case. In 2014, the court affirmed an individual’s right to compel a search engine to de-list certain search results related to that individual in question as the search links would compromise his position. After the ruling, there were subsequent questions and issues as to whether the “Right to be Forgotten” is an absolute right and whether it should be balanced against some other rights. In 2018, it was enshrined in Article 17 of the General Data Protection Regulation 2016/679 (“GDPR”) as the “Right to Erasure”.
There are several points to note regarding the “Right to be Forgotten”:
· It is not simply de-listing or deleting certain search results but the removal of a data subject’s information. Given that the right is not absolute, it is subject to such conditions as “the data is no longer required for processing” and “the relevant data subject has already withdrawn his or her consent so as to evoke the “Right to be Forgotten”. That said, there are many other exemptions based on “public interest” as provided for in the GDPR.
· The “Right to be Forgotten” per se is quite controversial, and should be exercised carefully on a case-by-case basis.
· Although we do not have such express right in Hong Kong, personal data should not be kept longer than is necessary under the PDPO, as provided in section 26 and Data Protection Principle 2(2) of the PDPO.
6. WHEN WRITING THE NEW COMPANIES ORDINANCE, WHAT WERE THE MAIN FACTORS YOU TOOK INTO CONSIDERATION? IN PARTICULAR, WHICH ISSUES DOES THE NEWLY DRAFTED VERSION ADDRESS REGARDING THE DATA AND PRIVACY ASPECT?
In re-writing the Companies Ordinance, we had four main objectives in mind:
1. Ensure better regulation
For instance, one of the proposals then was to modify the inspection regime of the Companies Register, so that sensitive personal data of a company’s officer would not be subject to unrestrained access by the general public.
2. Facilitate business
Various administrative procedures of companies were streamlined.
3. Enhance corporate governance
New provisions on director’s duties to clarify the law were introduced.
4. Modernise the law
The new law has been re-written in plain and simple language.
The provisions which introduced a modified inspection regime were not brought into operation in 2014 owing to controversy at the time. However, given the heightened concerns about personal data privacy, the Government revived the proposal earlier this year, and the modified inspection regime has been brought into effect in phases starting from 23 August 2021.
7. EACH COMPANY HAS ITS OWN PROTOCOL FOR STORING AND CONSERVING CUSTOMER OR CLIENT INFORMATION. IN YOUR OPINION, WHEN HANDLING SUCH DATA, WHAT ARE THE KEY CHARACTERISTICS THAT MAKE A STRONG AND SECURED “DATA AND PRIVACY POLICY” THAT MIGHT BE IMPLEMENTED BY A PRIVATE FIRM?
The way I see it, there is not a single solution that fits all. We have to look at the type of business in question and consider what type of personal data privacy policy they should adopt. But I would say that there are some overarching principles which companies should take into account, and which I strongly encourage them to implement.
First, I strongly appeal to companies to adopt a Personal Data Privacy Management Programme (PMP) which includes appointing a Data Protection Officer (“DPO”) and establishing and maintaining a personal data inventory. Companies should also cultivate a corporate culture that respects and protects personal data right from the board room, and incorporate, for example, privacy-by-design and privacy-by-default in developing any new products or services.
Companies should also formulate data retention and data erasure policies. From our experience, some organisations do not have any data retention policy at all. Once they receive personal data, it ends up being stored in the organisation forever – a practice clearly in breach of the Data Protection Principles under the PDPO. Recently, we have released an inspection report on two major public utility companies, namely The Hongkong Electric Company, Limited and CLP Power Hong Kong Limited. After examining their personal data systems, we were glad to find that both companies had implemented a PMP and adopted good practices in safeguarding data. To further enhance the protection of personal data privacy, we advised those two companies to enhance the control on the access to their database system.
Last but not least, we strongly encourage companies to appoint a DPO, as the DPO will act as the central coordinator and responsible officer in implementing the PMP.
8. RECENTLY, WHEN USERS DOWNLOAD NEW APPS, THEY RECEIVE A MESSAGE IF THEY WOULD LIKE TO HAVE THEIR ACTIVITIES TRACKED OR NOT. NOW, IN RELATION TO YOUR ARTICLE TITLED “USE OF SOCIAL MEDIA AND INSTANT MESSAGING APPS – A PERSONAL DATA PRIVACY PERSPECTIVE”, YOU STATE: “ALTHOUGH MOST OF THE SOCIAL MEDIA PLATFORMS AND INSTANT MESSAGING APPS PROVIDE THEIR SERVICES FOR FREE, IT IS IMPORTANT FOR THE USERS TO KNOW, AND RECOGNISE, THAT ALMOST INVARIABLY THEY ARE GIVING UP OR SHARING THEIR PERSONAL DATA, INCLUDING INFORMATION ON THEIR ONLINE BEHAVIOUR AND BROWSING HABITS, ETC., TO THE RELEVANT PLATFORMS OR APPS IN RETURN FOR THE USE OF THE SERVICES.” AS A FOLLOW-UP, WHAT TYPE OF “PERSONAL DATA” ARE WE GIVING UP WHENEVER WE DO USE THESE APPS SUCH AS SNAPCHAT, FACEBOOK, OR INSTAGRAM ETC., THAT WE OURSELVES MIGHT NOT BE AWARE OF?
I wrote that article as I am deeply convinced that it is important to raise public awareness of the fact that the use of social media carries inherent privacy risks, especially when even young children are using social media today. The situation is not healthy because people are using social media without an awareness of how much personal data they are giving up.
On an occasion, Mr. Jack Ma claimed that the most valuable asset of Alibaba is the data. Little do users of social media realise that they are giving up all types of data in return for the use of social media. While users might know that they are providing data for the relevant platform in the registration process, they might not be aware of the fact that they are giving up some other data, such as their browsing habits or locations when they surf the Internet. This is particularly true for youngsters, as most of them are more than happy to share their posts or photos online.
In the past two years, there has been a significant increase in telephone scams and online scams. Over the past year, there has also been a surge in online scams targeting children. One of my main focuses this year is children’s privacy. Understandably, children are not always vigilant about the protection of their personal data and sometimes might even share their parents’ personal data without their consent. They can become easy targets for fraudsters or other people with malicious intentions.
If you look at our publicity materials, we always advise the general public to think twice before they post any materials online, as it would leave a permanent digital footprint.
9. WHAT FACTORS DETERMINE WHEN THE PCPD TAKES ACTION IN RESPONSE TO ACTIVITIES OF A PRIVATE FIRM? SPECIFICALLY, WHENEVER PRIVATE FIRMS OR SOCIAL MEDIA COMPANIES DO INTRODUCE INITIATIVES IN HONG KONG, SUCH INITIATIVES LIKE THE COLLECTION OF PEOPLE’S DATA OR A CHANGE ON THE TYPE OF DATA COLLECTED, WHAT DETERMINES WHETHER THE COMMISSIONER SHOULD ACT OR NOT?
In the past year, we intervened on one or two notable occasions that served to shed light on the criteria we adopted when deciding to act. One was whether the incident affected a huge number of Hong Kong citizens and involved a huge amount of personal data. In those cases, I would need to look further into the matter. If there is prima facie evidence of some irregularity and great public concern, we have to initiate investigations and make enquiries on those alleged irregularities.
10. MANY SOCIAL MEDIA FIRMS DRAFT USER-FRIENDLY PRIVACY POLICIES TO ENCOURAGE YOUNGSTERS TO READ THEM. IN REALITY, THESE PRIVACY POLICIES ARE NOT ALWAYS READ IN THEIR ENTIRETY. WHAT DO YOU THINK ARE OTHER POSSIBLE ALTERNATIVES TO HELP USERS BECOME AWARE OF THEIR PRIVACY RIGHTS AND HOW THEIR DATA WILL BE USED?
I believe that there are many possible approaches today. If you take a look at the data privacy policy of some commonly used apps, you will notice that it is divided into different sections and sometimes presented with infographics or diagrams. Some tech giants are also adopting similar approaches. The privacy policies might be broken down into different sections with different headings, easy-to-read bullet points, supplemented by graphics and tables, or even videos.
These approaches make it much easier for people to understand the privacy policies of these organisations and I always encourage people to read them. I also believe that my office can do more in promotion so as to encourage companies to introduce a variety of means and make their privacy policies easily comprehensible to all users.
11. IN RECENT YEARS THERE HAS BEEN A TREND OF ‘DOXXING’ ESPECIALLY SINCE MID-2019. DO YOU CONSIDER CURRENT PRIVACY LAWS CAPABLE OF ADEQUATELY ADDRESSING THE THREATS THAT ARISE FROM SUCH A TREND, ESPECIALLY ONLINE? AS WE SURELY NOTICED IN YOUR ARTICLE PUBLISHED IN THE HONG KONG LAWYER’S JULY ISSUE, WHEREIN YOU PROVIDED A NICE DIRECTION OF LIMITING THE SCOPE OF UNRESTRICTED PUBLIC ACCESS, WHAT WOULD BE THE NEXT STEP IN PRACTICE?
The existing privacy law is not adequate in combating unlawful doxxing behaviour. Take, for example, section 64 of the current PDPO, which mainly deals with the disclosure of personal data without a data user’s consent. The section covers scenarios where, for instance, personal data was obtained from a hospital without the consent from the hospital (data user). However, when it comes to doxxing in the cyber world, who is the data user as distinguished from the data subject?
In the Amendment Bill, the proposed new Section 64(3A) would make it a criminal offence for a person to disclose the personal data of another without the data subject’s consent, instead of the data user’s consent, and when the disclosure was made with the requisite intent or recklessness to cause specified harm to the data subject or his/her family members. Apart from these elements for the offence, if any specified harm is actually caused to the data subject or his/her family members, a more serious offence under section 64(3C) might have been committed.
The new foundation would facilitate more effective enforcement. Once we prove that the personal data was disclosed without the consent of the data subject, we can take further enforcement actions. Otherwise, we would have to identify who the data user is in the first place, which is often a very difficult job in the cyber world.
On the question of access to public registers, the Government has a plan to review all the public registers. In 2015, the PCPD published a survey result of ten public registers, and we recommended that access to public registers should not be unrestrained. I welcome the recent move of the Government to tighten up the access to sensitive personal information on public registers, as this move will enhance the protection of personal data privacy. I believe that the Government will strike a reasonable balance between protection of personal data privacy and access to public information.
12. CERTAINLY, THERE IS NO ABSOLUTELY MATURE JURISDICTION TO FOLLOW WHEN IT COMES TO FINDING A PRECEDENT FOR A DATA AND PRIVACY ISSUE AT HAND IN THE CONTEXT OF HONG KONG. YOU MENTIONED THE APPROACHES OF THE UNITED KINGDOM (“U.K.”), SINGAPORE, AND AUSTRALIA TOWARDS OFFICER’S PRIVATE INFORMATION CAN BE OF REFERENTIAL VALUE. ARE THERE ANY OTHER JURISDICTIONS THAT ARE ADVANCED AT A CERTAIN ASPECT OF DATA AND PRIVACY LAW WHICH CAN BE OF REFERENTIAL VALUE TO HONG KONG?
In terms of reviewing the current privacy law, we have been looking at the laws of other jurisdictions, including Australia, Singapore and the U.K. On top of that, we also make reference to the GDPR of the European Union from time to time. The GDPR is now widely recognised as the golden standard of personal data protection. Under the GDPR, the data protection authority has the power to impose hefty administrative fines, up to 4% of a company’s annual global turnover or 20 million euros, whichever is higher. At the moment, my office does not have such power. If the PCPD had power to impose fines, it would make our enforcement efforts much more effective.
Second, under the GDPR, there is a mandatory notification regime for data breach, which again is absent in Hong Kong. This is really important, because unlike what happened in the past, data breaches today may affect hundreds and thousands of people. We do have a strong case to make notifications mandatory so that my office can be notified in the first place and take remedial and rectification actions. Other than that, under the GDPR, it recognises and gives very specific rights to data subjects, such as the right to erasure and the right to withdraw consent or opt out from being subject to automated decisions. They are very detailed rights given to data subjects, which we can consider and take into account in our legislative review exercise.
13. PERHAPS YOU COULD ALSO TALK US THROUGH THE PUBLICATION PCPD RELEASED RECENTLY ON THE DEVELOPMENT OF AI?
While AI is becoming more and more important in Hong Kong, not too many people are aware that the use of AI carries privacy and ethical risks. We see the need to issue the “Guidance on the Ethical Development and Use of Artificial Intelligence” (“Guidance”) to provide some guidelines for organisations when they develop or use AI because at present Hong Kong has no specific legislation governing or regulating the development and use of AI.
In the international arena, the Global Privacy Assembly has already promulgated some ethical principles on the development and use of AI. Back in 2019, Singapore and Japan issued their ethical frameworks in the area. I believe that the Guidance will facilitate the healthy development and use of AI in Hong Kong and empower Hong Kong to become an innovation and technology hub as well as a world-class smart city.
We are set to go further if we can leverage our capability or position as a data hub to develop AI. As to other parts of the world like Singapore and Japan, they have already put this ethical framework in place. There is a need for Hong Kong to do likewise.
Let me give you an example of bias or prejudice. There was a survey in the US concerning the efficacy of facial recognition technique. It was found that the error rate of facial recognition was higher in the proof of dark-skinned population. It was reported that in one incident, a dark-skinned man was mistaken for the defendant of a criminal case and was wrongly arrested and imprisoned. The reason behind was that the system used limited data from dark-skinned people, thereby leading to higher error rates for them.
The Guidance recommends that organisations embrace three fundamental Data Stewardship Values and seven ethical principles when they develop and use AI. We also provide a set of practice guide, structured in accordance with general business processes, and a self-assessment checklist, to assist organisations in managing their AI systems.
III. VISIONS:
14. WHAT DO YOU THINK OF THE PUBLIC’S AWARENESS OF DATA PRIVACY IN HONG KONG TODAY? IF NOT AT AN OPTIMAL STAGE, HOW SHOULD SUCH PUBLIC AWARENESS BE IMPROVED?
In general, the level of awareness is high.
Last year, we commissioned the Social Sciences Research Centre of The University of Hong Kong to conduct a survey on people’s attitude towards the protection of personal data privacy. The survey results revealed that around 80% of the respondents were aware of the privacy settings on their social media accounts. Out of this pool, 80% of them had checked the privacy setting. From our survey report, over 50% of them with social media accounts stated that they would share personal photos or personal opinions with “friends” only. You can see that people are very careful and smart with what they share nowadays.
From our survey results, 98% of the respondents, being the vast majority, had instant messaging apps installed in their phones. Out of this pool, an overwhelming majority of 70% considered the access function to their contact lists to be privacy intrusive. 34% even called it a serious intrusion of privacy.
As one of the focuses of our publicity campaigns over the past year, we have been promoting the message of respecting other people’s privacy, which I believe will help to build a more harmonious society.
15. BEING A LAWYER YOURSELF, ARE THERE ANY STRONG BENEFITS THAT COME WITH THE LEGAL BACKGROUND YOU FOUND AT WORK?
My legal knowledge and experience in implementing the law are of crucial importance to my present role where I have to monitor, supervise and enforce the provisions of the PDPO. As I have abundant experience in legislative amendments, I am able to provide the necessary support and expert input to the Government in the current amendment exercise to the PDPO. My legal background also helps me to discharge the duties of my new role in respect of criminal investigation and prosecution.
16. ANY WORDS TO OUR STUDENTS WHO HAVE PASSION FOR THE DATA AND PRIVACY PRACTICE? HOW SHOULD THEY BE PREPARED FOR THIS SPECIFIC PATH? WHAT ARE THE REQUIRED SKILLS BASED ON YOUR EXPERIENCE?
Data is getting more and more important nowadays, and its importance is exacerbated by the rapid development of technology and electronic media.
Some people say that data is the oil of the 21st century. When it comes to personal data and its management, I would say this is an area which presents ample opportunities for students, whether they are from the Faculty of Law, Engineering or Computer Engineering. The global trend is to enhance the security measures of data, especially those regarding the processing, use and storage of online data.
We had the Industrial Revolution in the 18th century. For the past decade, I would call it an “Information and Communications Technology Revolution”. A decade ago, few of us had an iPhone, used instant messaging apps or social media. The advancement of technology and the use of online media have brought about fundamental changes in our lives, and this presents huge opportunities for students from all sorts of disciplines.
If you’re talking about skill sets, I think legal knowledge is definitely a fundamental and core element in need. With the rapid development of technology, many jurisdictions are beginning to consider how we should regulate the cyber world.
Meanwhile, I would also encourage students to open themselves up to the development in information technology. The developments in cloud computing, AI and use of facial or voice recognitions are all cases in point. These new developments present a whole range of opportunities in jobs and research capabilities. The 21st century will surely be an era of data and information technology.
[1] Media Statement on 18 August – ‘PCPD Publishes “Guidance on Ethical Development and Use of AI” and Inspection Report on Customers’ Personal Data Systems of Two Public Utility Companies’ - see https://www.pcpd.org.hk/english/news_events/media_statements/press_20210818.html.