Feature Interview with Privacy Commissioner by PaRR
Hong Kong PCPD places 'doxxing' high on 2022 enforcement agenda, says official
-
Reported incidents of online harassment up since PDPO amendment in Oct
-
PCPD to re-sign MoU with Singapore counterpart in second quarter
Hong Kong’s Privacy Commissioner for Personal Data (PCPD) Ada Chung said her office would continue prioritizing the enforcement of regulations against 'doxxing', which is the practice of exposing personal information online with malicious intent, and “proactively” monitoring online misconduct in 2022.
Following the implementation of doxxing regulation on 8 October last year, the regulator had launched 25 investigations related to the misconduct as of 31 December 2021, two of which were completed within the year, the official told PaRR.
As reported, the PCPD handled a total of 842 doxxing cases in 2021, representing a 19% drop from 2020. The practice became one of the uglier features of the popular unrest that rocked the city in 2019.
After the regulation came into force, the agency received an average of 60 doxxing cases per month, almost 7x that received prior to the law being amended, Chung said, attributing the upward trend to increased public awareness.
Since the latest Personal Data (Privacy) Ordinance (PDPO) amendment also empowers the PCPD to demand the removal of doxxing messages, the regulator has issued over 350 notices to 12 platforms calling for the deletion of messages as of 31 January 2022. The success rate was roughly 60%, the Commissioner highlighted, noting a compliance rate of 100% for local platforms but a less robust response among international platforms.
It comes as no surprise that, according to Chung, the PCPD is keen to liaise with counterparts overseas to take follow-on actions aimed at enhancing enforcement.
The regulator started co-chairing Global Privacy Assembly’s (GPA) International Enforcement Cooperation Working Group in 2021, through which it hopes to help data protection authorities set priorities and directions in terms of international enforcement, Chung noted.
The group is currently working on some projects that will be “meaningful” for international collaborations as the need for international efforts in enforcement has been proven with data becoming de facto borderless, she said, declining to disclose more information on the projects due to the sensitivity around enforcement issues.
Meanwhile, the PCPD is in talks with Singapore’s Personal Data Protection Commission (PDPC) to update the memorandum of understanding (MoU) the parties signed in 2019, Chung told this news service.
The new MoU will expand the scope of cooperation and collaborations between the two authorities in light of developments over the past two years, she added, saying the re- signing is likely to take place in the second quarter of 2022.
In the year to come, the PCPD also expects to continuously advise the government and public sectors on issues related to Covid-19, Chung said. Especially if the pandemic is over, the regulator anticipates playing an active role in advising border re-opening and economic recovery, Chung added.
As previously reported, the authority will also pursue further amendments to the PDPO as technology has rapidly evolved over the past two years and the agency itself has also matured with more enforcement experience.
Hong Kong privacy regulator to pursue more PDPO amendments, says Commissioner
-
Agency reviewing proposal made in early 2020; additional changes mulled
-
New cross-border data transfer guidance will be available in Q2 this year
Hong Kong’s data privacy regulator is expecting to make additional changes to the island city’s Personal Data (Privacy) Ordinance (PDPO), presenting a proposal to the Legislative Council on the matter in 2022, its top official told PaRR in an exclusive interview.
The agency is currently reviewing the proposal made in early2020, when five other amendments – apart from a regulation on doxxing, the practice of tracking down and maligning someone online, which was prioritized by the government and became effective on 8 October, 2021 – were pondered, said Ada Chung, the Privacy Commissioner for Personal Data (PCPD).
As previously reported, the proposed changes included expanding the definition of personal data; additional regulation on the retention of personal data; mandatory data breach notification; directly regulating data processors; and more enforcement and prosecution power granted to the PCPD.
Among others, the direct data processors regulation will require substantive changes to the law such as the inclusion of a definition of data processors, Chung noted.
The existing law is not capable of coping with incidents which involve third parties in terms of chain of evidence, proof of evidence and sequence of events, a former Privacy Commissioner previously flagged, saying that a direct regulation will help explain gaps in certain cases and reduce the burden placed on data controllers.
Moreover, the PCPD is considering additional updates including introducing administrative fines and rules for cross-border data transfer, the official said, stressing the review is ongoing and has not been finalized.
The regulator sees the necessity to explore further amendments to PDPO as technology has rapidly evolved over the past two years and the agency itself has also matured with more enforcement experience, she added.
Meanwhile, the data protection authority is endeavouring to introduce a new guidance on cross-border data transfer which will include some recommended model contractual clauses for businesses, particularly small and medium-sized enterprises(SMEs) in Hong Kong, following the standard contractual clauses(SCCs) updated by the European Commission last year, Chung told this news service.
The existing guidance on international transfer was published in around 2000 and designed to serve multinational companies, she said, expressing hope the upcoming guidance will fill the gap between international firms and SMEs.
The guidance note should be published in the second quarter of this year, she anticipated.
Despite being one of the earliest jurisdictions in Asia to introduce a data privacy protection legislation, Hong Kong has yet to enact PDPO’s Section 33 which restricts the transfer of personal data outside the city, due in large part to resistance from the business community.
When asked whether Hong Kong will participate in Asia-Pacific Economic Cooperation's (APEC) Cross Border Privacy Rules(CBPRs) framework -- under which organizations in recognized jurisdictions are free to transfer data to one another -- Chung said the agency will keep the option under review but that the matter requires discussion on a governmental level as the Hong Kong government is an APEC member state, not the regulator itself.
In addition, mainland China is not yet a signatory to the CBPRs, hence discussions with mainland authorities might also be needed should Hong Kong decide to pursue this opportunity, she added.