DPOC

PCPD e-Newsletter

A conversation with the Privacy Commissioner on regulations and laws on personal information protection in the mainland of China

Personal information protection in the mainland of China is not a China-only issue. Enterprises, large and small, Chinese and multi-national, are impacted. With the promulgation and ongoing release of various laws, regulations and draft measures, the privacy and personal information of the general public are protected in a greater and more extensive extent. However, owing to the multiplicity of regulations on the protection of personal information in the mainland of China, enterprises looking for business ventures in this emerging market are encountering compliance challenges.

As a first instalment of a series of interviews on this subject, the editor of PCPD e-Newsletter has talked with the Privacy Commissioner Mr Stephen Kai-yi WONG, who will share with us his take on the latest development of personal information laws and measures in the mainland.

E: Editor of PCPD e-Newsletter
PC: The Privacy Commissioner Mr Stephen Kai-yi Wong

E: What are the differences between personal data privacy legislation in Hong Kong and the mainland?

PC: The legislative models for the protection of personal data privacy in various jurisdictions can be roughly divided into two categories, namely "decentralised legislative model" and "uniform legislative model". Mainland uses the "decentralised legislative model", which means personal data privacy regulatory safeguards are scattered in a number of laws and regulatory documents. Hong Kong, on the other hand, is a typical example of the "uniform legislative model". We have a piece of rather comprehensive personal data privacy protection legislation.

E: Can you name some examples of sanctions imposed by the mainland regulatory authority in relation to breach of personal data privacy?

PC: In August 2014, a company, run by two foreigners, illegally collected, purchased, and resold personal data related to Chinese citizens. They were eventually sentenced to imprisonment and fined heavily by the court. In early 2018, a leading internet platform in China was prosecuted for illegally collecting consumer personal data, and the case did not end until the platform completely removed all functional technology softwares that violated personal data privacy.

E: What is the latest development of personal data privacy legislation in the mainland?

PC: In March 2019, during the second session of the 13th National People's Congress, the Chairman of the Foreign Affairs Committee of the Congress stated that the “Personal Information Protection Law” had been included in the current legislative timetable. I believe the Law will act as a breakthrough in comprehensively laying down the principles and standards relating to personal information protection.

E: What changes would you expect in the personal data privacy landscapes in Hong Kong and in the mainland in the coming five years?

PC: Hong Kong and the mainland have been attaching greater importance to personal data privacy. In Hong Kong, social aspirations for wider and more effective legislative protection have arisen from weaponisation of personal data for doxxing purposes in recent social unrests and from a number of significant data breach incidents in the last year or so affecting millions of people. Just across our boundary, in the mainland where the collection of personal information is even more ubiquitous than in many parts of the world, I think we would see laws and regulations there evolving to be more stringent and ambitious in the letter and in the spirit.

That said, the two systems in this one country will never lose sight of the importance of the significance of the flow and protection of personal data at the age of the internet. I envisage an ever-increasing interest in mainland's personal data protection regulations, which will in turn contribute to enhancement of the interoperability of the global personal data protection regulatory framework, as well as to promote cross-boundry/border data flow and the development of the data economy in the future.

Interviews with other experts on the subject will follow in this new series. Please stay tuned.

Introduction to the Regulations in the Mainland of China Concerning Personal Information Involved in Civil and Commercial Affairs

A booklet entitled “Introduction to the Regulations in the Mainland of China Concerning Personal Information Involved in Civil and Commercial Affairs” (Chinese only) was published on 11 December 2019. To take full advantage of the vast online market in the mainland of China, one should not ignore its network supervision policies and related regulatory restrictions. PCPD hopes that organisations and enterprises having connections or business relationships with the mainland of China would benefit from the booklet, which helps them master relevant laws and regulations, thereby boost the development of the Greater Bay Area. Hopefully, the booklet can be a directional guide for innovative technology companies to understand the major updates when developing and applying big data, cloud computing, artificial intelligence and other technologies.

Introduction to the Personal Data (Privacy) Ordinance Seminar
Jan - Jun 2020 seminars are now open for enrolment!

To raise public's awareness and understanding of the Personal Data (Privacy) Ordinance, the PCPD organises introductory seminars on the Ordinance regularly. These seminars can familiarise you with the key elements of the Ordinance, in particular your obligations as data users and your rights as data subjects.

Outline:
- A general introduction to the Personal Data (Privacy) Ordinance
- The six data protection principles
- Direct marketing
- Offences & compensation

Conference on “China Cybersecurity Law” New Legal and Regulatory Updates; Practical Implications and Challenges

The PCPD held “China Cybersecurity Law Conference - New Legal and Regulatory Updates, Practical Implications and Challenges” on 11 December 2019. Adjunct Professor Jason Lau, Regional Lead and Co-Chair of the International Association of Privacy Professionals (IAPP) mcee-ed and moderated the conference.

In his keynote, the Privacy Commissioner Mr Stephen Kai-yi Wong outlined the development of the privacy landscape in the mainland of China, against the historical background spanning from 551BC when the five principles of inter-personal relationships were laid down in Confucianism; 1949 when the People’s Republic of China was born; 1979 when he set his first footprints in Shenzhen where the tallest building was only six-storeyed; to 2019 when the mainland’s mobile data traffic accounted for 31% of the total in the world.

Another keynote speaker, Attorney Barbara Li, Partner of Norton Rose Fulbright, Beijing, walked the audience through an overview of the latest development of the cybersecurity laws and regulations in the mainland, with illustration by real-life cases, notably addressing the far-reaching implications of the localisation requirement in respect of Critical Information Infrastructure. Among other things, she made the insightful remark that contrary to the general perception, most of the legal requirements are already in place and being enforced.

In the panel discussion, the two keynote speakers were joined by Mr Allen Ting, Senior Legal Counsel of Huawei, and Mr Bernard Tan, Chief Counsel, Cybersecurity of SAP. Sharing his experience in ensuring cybersecurity in the design of new products, Mr Ting explained the meticulous dual vetting process taking place in his company. Describing himself and other members of his team as “enablers”, Mr Tan emphasised the multi-disciplinary nature of cybersecurity projects, the success of which needs upwards and lateral buy-in’s within the enterprise.

The conference for the first time brought together members of DPOC and IAPP to have 1.5 hours of effective immersion in the subject and happy networking over refreshment. The over 100-stong audience comprised management executives of banking, insurance, legal and other sectors, and legal and compliance practitioners.

Privacy Commissioner Mr Stephen Wong was invited to officiate at the Hang Seng University of Hong Kong 2019 (9th) Junzi Corporation Award (6 December 2019)

Privacy Commissioner Publishes “Introduction to the Regulations in the Mainland of China Concerning Personal Information and Cybersecurity Involved in Civil and Commercial Affairs” to Promote Understanding of Personal Data Protection Regulations in the Mainland of China for Business Sector to Grab Business Opportunity in Greater Bay Area’s Massive Online Market (11 December 2019)

TransUnion Data Breach Incident Vulnerabilities in Its Online Authentication Procedures – Personal Data Security Principle Contravened (9 December 2019)

Privacy Commissioner Calls for Global Convergence and Interoperability on Data Protection at the 52nd Asia Pacific Privacy Authorities Forum and Outlines Recent Privacy Landscape Changes in China to International Data Protection Communities (5 December 2019)

Educational talks to senior citizens by Privacy Special Ambassador

To familiarise senior citizens with the potential data privacy risks, the PCPD collaborated with non-governmental organisations to organise elderly talks in elderly centres to share tips on personal data protection in daily life. A talk was held on 6 December and privacy tips for the elderly were shared by our Privacy Special Ambassador Ms Candy CHEA (車淑梅) in person, with over 100 senior citizens attending the talk.

EU to relaunch push to regulate WhatsApp and Skype on privacy

The EU will relaunch its deadlocked effort to more closely regulate internet phone and message services such as WhatsApp, Skype and Messenger.

China punishes 100 apps for breaches of personal information as consumer anxiety rises over privacy

The China Cybersecurity Center said 100 apps, across a range of industries including e-commerce and banking, have been penalised since November

A Deep Dive into Enterprise Blockchain and Our Privacy

What do you think when you hear ‘Blockchain technology’? Bitcoins. That isn’t the only function of Blockchain. Blockchain offers cryptography of data and is used to protect sensitive data. Check out this article by Sourodip Biswas to understand how blockchain helps with data security and factors to consider before development.

Q: What are the privacy risks of Fintech?

A: While Fintech may provide many benefits to both the operators and customers, there are privacy risks associated with the use of Fintech:

- Collection and use of personal data without notice or meaningful consent of the users
- Use of personal data in unfair or discriminatory ways
- Lack of effective means to erase or rectify obsolete or inaccurate personal data
- Data security risks
- Obscurity of the identities of data users and data processors

Q: What are the tips for users of Fintech?

A: A Fintech user is a consumer who uses Fintech for personal purposes. The tips below aim to assist a user in protecting his/her personal data privacy in the use of Fintech: - Carefully read the privacy policies - Critically assess requests for personal data and review privacy settings - Operate the application software of Fintech under a safe environment - Monitor account activities regularly

Extended Reading: Information Leaflets - Fintech

Data Protection Principle 3 – Use of personal data

A government department disclosed complaint details to the Police without the complainant’s consent

The Complaint

The complainant complained to a government department about an obstruction to an emergency vehicle access by a lion dance performance. After he made the complaint, he received a follow-up telephone call from the Police. As the matter he complained about was not under the Police’s purview, the complainant was dissatisfied that the government department had disclosed his complaint details to the Police. He hence made a complaint to the PCPD.

According to the government department, having considered that a permit from the Police was required for holding a lion dance performance, the handling officer decided to refer the case to the Police. The government department also revealed that its standing policy did not mandate officers to obtain consent from the complainant before making a referral. After this incident, the government department had revised its policy so that no referral would be made unless the complainant’s consent has been obtained.

Outcome

It was obvious that the complainant’s concern was about the obstruction caused by the lion dance performance, not about whether the performance organiser had obtained a permit from the Police. In such case, the PCPD considered that the government department had contravened DPP3 by disclosing the complainant’s personal data to the Police without his consent.

The PCPD served a written warning on the government department requesting it to closely monitor staff compliance with its policy in handling personal data, so as to protect the personal data privacy of citizens.

	Extended Reading: Enforcing Data Protection - PCPD 2018-2019 Annual Report (p.68)

Ask before Posting - Privacy Detective Series

One of the series of video teaching netizens to be aware of digital footprint .

For enquiry, please contact us.
Address: Room 1303, 13/F, Sunlight Tower, 248 Queen's Road East, Wan Chai, Hong Kong Tel: (852) 2877 7179

If you do not wish to receive the PCPD e-Newsletter, please click here to unsubscribe.

Disclaimer

The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.