"Data Protection in Digital Revolution" -- Privacy Commissioner's column “Data and Technology” at Hong Kong Lawyer (February 2019)
Technological advancement and use of data
In recent years, we have witnessed parts of metamorphosis of the digital revolution and the evolution of data ecosystems, whereby data is captured and analysed through a collection of infrastructure, analytics and applications. Whilst useful insights are produced, data ecosystems do have a significant impact on our daily lives at a speed that we could not have dreamt of. The continuing innovations in information and communication technology (ICT) including big data, cloud computing, data analytics, robotics, machine learning and artificial intelligence have undoubtedly re-shaped the world we live in. Emerging ICT developments notably in areas such as cashless shopping and open banking invariably bring with them privacy considerations. While the new technology brings us convenience and business opportunities, it also presents unprecedented challenges to the existing regulatory framework in protecting our rights to privacy as well as dignity and autonomy, emerging from uninformed behavioural tracking or profiling, data breach, electronic surveillance and interception, etc.
As a principle-based and technology-neutral legislation, the Personal Data (Privacy) Ordinance (Cap 486) recognises the complex and nuanced nature of privacy, and allows a degree of flexibility in how privacy can be protected in varying contexts, alongside evolving ICT developments and social norms. Seemingly some of the emerging technologies are, however, stretching their limits and are posing challenges to these underlying principles upon which the legislation is based.
The evolving privacy laws
It is now time for us to take a serious look at how the advancement in technology has impacted on the global privacy legal frameworks and landscape, amid the increasing awareness and public interest in the collection, use, security and access to personal data.
For instance, the United Nations High Commissioner for Human Rights outlined the responsibilities of States and business to protect the right to privacy in the digital age in the report to the Human Rights Council in 2018.1 Overseas regulatory authorities, national and regional, have responded to these challenges by reforming or revising their regulation and regulatory frameworks. The newly enforced European Union (EU) General Data Protection Regulation (GDPR)2 introduced the principle of accountability, signifying a gear shift in the normativity and culture of data protection and putting emphasis on accountability. It stresses that personal data belongs to data subjects (individuals), who should have the control over their personal data, but not the data users (organisations). One of the key developments introduced under the GDPR to the data protection landscape outside the EU is the explicit requirement of compliance by organisations established in non-EU jurisdictions in specified circumstances. Given the diversified business or transaction models (e.g. online transactions), it is necessary for organisations/ businesses in Hong Kong to ascertain if the GDPR is applicable to them, and hence be complied with.
In Hong Kong, it has been more than 20 years since the enactment of the data privacy legislation based on the OECD Privacy Guidelines (1980) and the EU Data Protection Directive (1995). The GDPR and the development of global privacy landscape, together with the recent data breach incidents, present a timely opportunity to review the law and propose updates as appropriate, with due consideration to be taken of the local circumstances.
Data governance and ethics
In addition to compliance with laws, regulators should foster a culture of genuine respect for personal data to ensure that its protection is realistically effective and sustainable. It is precisely against this background that we place significant emphasis on the issue of data governance and ethics by advocating Data Stewardship Values, namely “Respectful, Beneficial and Fair”, for bridging the gap between legal requirements and stakeholders’ expectations. Data ethics involve genuine choices, meaningful consent, equality and non-discrimination and fair exchange between individuals and organisations. Most importantly, it addresses the question of who should have the control over personal data of consumers while businesses benefit from a level playing field. Organisations should therefore think and act out of the box of compliance simpliciter, and embrace data ethics as part of corporate governance for gaining stakeholders’ trust. Hong Kong is a pioneer advocating data ethics in Asia. We highly recommend interested readers peruse the Research Report on Ethical Accountability Framework for Hong Kong, China commissioned and published by us in October 2018.
1. See The United Nations High Commissioner for Human Rights, The right to privacy in the digital age - Report of the United Nations High Commissioner for Human Rights, 3 August 2018, A/HRC/39/29↩
2. See Information Booklet on European Union General Data Protection Regulation 2016 (Effective 25 May 2018)↩