PCPD e-NEWSLETTER ISSUE May 2022
Privacy Commissioner Attended Meeting of the Legislative Council Panel on Constitutional Affairs to Brief Members on the PCPD's Work in 2021
Privacy Commissioner Ms Ada CHUNG Lai-ling briefed Members of the Legislative Council at the meeting of the Legislative Council Panel on Constitutional Affairs on 16 May 2022 on the work of the Office of the Privacy Commissioner for Personal Data (PCPD) in 2021 and its strategic focus this year.
The Privacy Commissioner said that from the commencement of the Personal Data (Privacy) (Amendment) Ordinance 2021 (Amendment Ordinance) (i.e. 8 October 2021) to 30 April 2022, the PCPD received a total of 368 complaints relating to the new doxxing offences, representing a sixfold increase compared to the period before the commencement of the Amendment Ordinance. During the same period, the PCPD initiated 66 criminal investigations. Since the implementation of the Amendment Ordinance, the PCPD has made arrests in 2 cases and has conducted a joint operation with the Police in another case. Apart from that joint operation, the Police have made arrests in 4 cases. Overall, the PCPD and the Police have made arrests in 7 cases and 6 persons have been arrested. The PCPD has also issued 689 cessation notices to 13 online platforms, requesting them to remove more than 3,500 doxxing messages.
The Privacy Commissioner reiterated that the PCPD will further strengthen its capability in criminal investigation and prosecution, with a view to combatting doxxing acts more effectively. The PCPD will continue to proactively monitor doxxing activities online and take enforcement actions.
Please click here for the Privacy Commissioner’s opening remarks (Chinese only).
Please click here for the paper submitted by the PCPD to the Legislative Council Panel on Constitutional Affairs.
- PCPD Issued Guidance on Recommended Model Contractual Clauses for Cross-border Transfers of Personal Data
- PRIVACY COMMISSIONER'S FINDINGS: Unauthorised Access to an International Fashion Chain’s Customer Personal Data System
- World Password Day – Prevent Identity Thefts and other Cybercrimes
- PCPD Laid Charges in the First Arrest Case Relating to Doxxing
- RECOMMENDED ONLINE TRAININGS: Webinar on Recommended Model Contractual Clauses for Cross-border Transfers of Personal Data; Online Professional Workshops; Free Online Seminar: Introduction to the PDPO; Arrange an In-house Seminar for Your Organisation
- RENEWAL OF DPOC's MEMBERSHIP
- PCPD Conducted a Joint Operation with the Police in a Doxxing-Related Case
- PCPD Supports the Hong Kong ICT Awards 2022 - FinTech Award
- Highlights of the Draft Practical Guidance of Cybersecurity Standards – Technical Specifications for Certification of Cross-border Handling of Personal Information《網絡安全標準實踐指南 — 個人信息跨境處理活動認證技術規範》的重點
- EU: EDPS and EDPB Adopt Joint Opinion on Proposal of Data Act
- EU: European Parliament Publishes Fifth Briefing on Citizens' Expectations and Future of Data Protection
- UK: Data Reform Bill Announced in 2022 Queen's Speech
- Netherlands: Council of States Advises on Criminalising Use of Personal Data for Intimidating Purposes Bill
PCPD Issued Guidance on Recommended Model Contractual Clauses for Cross-border Transfers of Personal Data
Given the increasing digitalisation in the handling of personal data and globalisation of business operations in recent years, the challenges and complexities encountered by local enterprises, especially the small and medium-sized enterprises, in cross-border data transfers are set to mount. This is particularly so with the proliferation and advancement of information and communication technology, including big data, cloud computing and data analytics. Against this background, on 12 May 2022, the PCPD issued the “Guidance on Recommended Model Contractual Clauses for Cross-border Transfer of Personal Data” (Guidance) and provided two sets of Recommended Model Contractual Clauses (RMCs) to cater for two different scenarios in cross-border data transfers, namely (i) from one data user to another data user; and (ii) from one data user to a data processor.
The general terms and conditions in the RMCs are applicable to (i) cross-border transfers of personal data from a Hong Kong entity to another entity outside Hong Kong; or (ii) transfers between two entities both of which are outside Hong Kong when the transfer is controlled by a Hong Kong data user. For instance, the RMCs provide that:
- Use/processing: A transferee should only use or process the personal data for the purposes of transfer.
- Onward transfers: A transferee should not make any onward transfer of the personal data except as agreed by the parties; and should ensure that onward transfers of the personal data meet the requirements of the applicable RMCs.
- Security: A transferee should apply agreed security measures to the use or processing of the personal data.
- Retention and erasure: A transferee should retain the personal data only for a period which is necessary for the fulfillment of the purposes of transfer and take all practicable steps to erase the personal data once the purposes of transfer have been achieved.
It is of fundamental importance for stakeholders to shoulder their responsibilities in protecting the personal data privacy of data subjects, notwithstanding the transfer of data outside Hong Kong. The RMCs serve to provide a practical basis for facilitating transfers of personal data from Hong Kong, enabling organisations to come to a clear agreement for transferring personal data in line with the requirements of the Personal Data (Privacy) Ordinance (PDPO) and good data ethics.
Please click here to read the “Guidance on Recommended Model Contractual Clauses for Cross-border Transfer of Personal Data”.
To facilitate a better understanding of cross-border data transfers among relevant stakeholders, the PCPD is organising a webinar on "Recommended Model Contractual Clauses for Cross-border Transfers of Personal Data" on 27 June 2022. Please click here for registration and event details.
PRIVACY COMMISSIONER'S FINDINGS
Unauthorised Access to an International Fashion Chain’s Customer Personal Data System
An international fashion company reported to the PCPD that its customer personal data system for e-commerce customers and loyalty programme members suffered a ransomware attack. As a result, about 200,000 customer records containing names, telephone numbers, email addresses, genders and age ranges were compromised. The company engaged an independent consultant for investigation, which revealed that the company had failed to identify a known exploitable vulnerability. The attacker successfully logged into the customer personal data system with valid credentials and installed ransomware in the company’s network.
Remedial Measures
The company took the following remedial measures:
- Notified all affected customers;
- Scanned the system for all identified vulnerabilities and applied patches;
- Strengthened the detection and protection measures of its monitoring system;
- Enforced multi-factor authentication at login; and
- Defined retention periods and erased obsolete data on an annual basis.
Lesson Learnt
Data users should regularly review and monitor security of their networks and test and apply security patches in a timely manner. Data users should also limit the retention period of personal data, which should not be longer than necessary for the fulfilment of the collection purpose. The shorter the retention period, the lower the security risks.
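The last remedial measure and the retention point in the lesson above can be turned into a routine, mechanical review. The following is an added example written for this newsletter, not code from the PCPD or from the company concerned. It assumes a retention rule expressed as a number of days since the customer's last activity, a small constructed set of fictitious customer records held in memory, and a constructed review date; a real system would run the same pass against its database on its annual (or more frequent) review cycle.

```python
"""Retention-period review over a constructed customer dataset.

Added example for the PCPD newsletter finding; not PCPD's or the
company's code. Assumed policy: records are obsolete N days after the
customer's last activity.
"""
from __future__ import annotations

from datetime import date, timedelta

# Constructed sample records with fictitious personal data.
CUSTOMERS = [
    {"id": 1, "name": "Alice Chan", "email": "alice@example.com",
     "last_activity": date(2021, 1, 10)},
    {"id": 2, "name": "Bob Lee", "email": "bob@example.com",
     "last_activity": date(2021, 11, 20)},
    {"id": 3, "name": "Carol Wong", "email": "carol@example.com",
     "last_activity": date(2020, 6, 1)},
]

RETENTION_DAYS = 365            # assumed policy: one year after last activity
REVIEW_DATE = date(2022, 5, 5)  # constructed date of the annual review


def is_obsolete(record: dict, today: date,
                retention_days: int = RETENTION_DAYS) -> bool:
    """True when the record has outlived the retention period."""
    return today - record["last_activity"] > timedelta(days=retention_days)


def erase_obsolete(records: list[dict], today: date,
                   retention_days: int = RETENTION_DAYS) -> tuple[list[dict], list[dict]]:
    """Split records into those to keep and an audit trail of erasures.

    The audit trail records only the identifier and the erasure date,
    never the personal data itself, so the log does not become a second
    copy of what was just erased.
    """
    kept, audit = [], []
    for record in records:
        if is_obsolete(record, today, retention_days):
            audit.append({"id": record["id"], "erased_on": today.isoformat()})
        else:
            kept.append(record)
    return kept, audit


def exposure_by_retention(records: list[dict], today: date,
                          candidate_days: tuple[int, ...] = (90, 365, 730)) -> dict[int, int]:
    """Count the records still held under each candidate retention period.

    This is what an attacker who copied the whole system would obtain,
    which is why a shorter retention period lowers the breach impact.
    """
    return {days: sum(not is_obsolete(r, today, days) for r in records)
            for days in candidate_days}


if __name__ == "__main__":
    kept, audit = erase_obsolete(CUSTOMERS, REVIEW_DATE)
    print(f"kept {len(kept)} record(s), erased {len(audit)}: {audit}")
    print("records held per retention period:",
          exposure_by_retention(CUSTOMERS, REVIEW_DATE))
```

Running the review with the constructed data erases two of the three records under the one-year policy, and the comparison across 90, 365 and 730 days shows directly how the number of records a breach could expose shrinks as the retention period shortens.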
World Password Day – Prevent Identity Thefts and other Cybercrimes
5 May 2022 was World Password Day this year. Aiming to prevent identity theft and data breaches, Intel designated the first Thursday of May each year as World Password Day to highlight to internet users worldwide the critical need for strong passwords.
Indeed, it has been reported that stolen credentials are the major cause of all data breaches. If your password, which is considered the first line of defence, is not strong enough, you or your organisation will likely be involved in the next data breach incident.
What should we do when creating passwords? Here are some important points you should follow to secure your assets:
- Never use common passwords such as 123456 and abc123, which take hackers less than one second to crack
- Always use complex passwords and change them periodically
- Make sure that the passwords for different services are unique
- Adopt multi-factor authentication wherever possible to gain better protection against hacking attempts
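The first three points above can be checked automatically before a password is accepted. The following is an added example written for this newsletter, not code from the PCPD or from Intel. It assumes a small constructed excerpt of a common-password list (a deployment would load a full breached-password list), a minimum length and entropy threshold chosen for illustration, and a reuse check that runs over the passwords a user is about to set (for instance inside a password manager audit) without ever persisting them.

```python
"""Password hygiene checks following the World Password Day points.

Added example; not PCPD's or Intel's code. Thresholds and the
common-password excerpt are assumptions for illustration.
"""
from __future__ import annotations

import math
import string
from collections import defaultdict

# Constructed excerpt of a common-password list (lower-case entries).
COMMON_PASSWORDS = {
    "123456", "123456789", "abc123", "password", "qwerty",
    "111111", "letmein", "iloveyou", "admin", "welcome",
}

# Simple substitutions undone before the common-list lookup,
# so that "P@ssw0rd" is recognised as "password".
LEET_MAP = str.maketrans({"@": "a", "0": "o", "$": "s", "3": "e", "1": "i", "!": "i"})

MIN_LENGTH = 12        # assumed policy threshold
MIN_ENTROPY_BITS = 60  # assumed policy threshold


def normalise(password: str) -> str:
    """Lower-case the password and undo common letter substitutions."""
    return password.lower().translate(LEET_MAP)


def charset_size(password: str) -> int:
    """Size of the union of standard character classes the password draws from."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    if any(c not in string.printable for c in password):
        size += 100  # rough allowance for non-ASCII characters
    return size or 1


def entropy_bits(password: str) -> float:
    """Upper bound on guessing entropy, assuming uniformly random characters.

    Real passwords are far from uniform, so this is combined with the
    common-list and repetition checks rather than used alone.
    """
    return len(password) * math.log2(charset_size(password))


def check_password(password: str) -> list[str]:
    """Return the list of policy problems; an empty list means acceptable."""
    issues = []
    if password.lower() in COMMON_PASSWORDS or normalise(password) in COMMON_PASSWORDS:
        issues.append("common password")
    if len(password) < MIN_LENGTH:
        issues.append("too short")
    if len(set(password)) <= 3:
        issues.append("too repetitive")
    if entropy_bits(password) < MIN_ENTROPY_BITS:
        issues.append("low entropy")
    return issues


def find_reuse(credentials: dict[str, str]) -> list[list[str]]:
    """Group the service names that share one password (sorted for stable output)."""
    by_password: dict[str, list[str]] = defaultdict(list)
    for service, password in credentials.items():
        by_password[password].append(service)
    return sorted(sorted(group) for group in by_password.values() if len(group) > 1)


if __name__ == "__main__":
    for candidate in ("123456", "P@ssw0rd", "correct-horse-battery-staple"):
        print(f"{candidate!r}: {check_password(candidate) or 'ok'}")
    # Constructed credential set for the reuse check; never stored.
    vault = {"bank": "Zq8!rT2#mK9v", "email": "Zq8!rT2#mK9v", "shop": "w5$Lp0Nc7&Qa"}
    print("reused across:", find_reuse(vault))
```

The common-list lookup is done on both the raw lower-cased password and its de-substituted form, since attackers' wordlists already include the "@" and "0" variants; the reuse check deliberately works on the plaintext the user is entering at that moment rather than on stored hashes, because any stored fingerprint that allows cross-service comparison would itself be a cracking target.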
PCPD Conducted a Joint Operation with the Police in a Doxxing-Related Case
The PCPD conducted a joint operation with the Police in a doxxing-related case on 11 May 2022. During the operation, a 23-year-old Hong Kong male was arrested for, among others, suspected contravention of section 64(3C) of the PDPO relating to the offence of “disclosing personal data without consent, causing specified harm to the data subject or his/her family member”.
In March this year, the Police discovered that the personal data of some police officers, over 70 Legislative Council Members and their family members were disclosed on an online social media platform. The personal data included their names, dates of birth, identity card numbers, telephone numbers, residential addresses and office addresses, etc. Seditious messages were also found to have been published on the same social media platform, inciting the assault of Returning Officers, in July 2020 before the Legislative Council Election.
The Police’s Cyber Security and Technology Crime Bureau identified a 23-year-old Hong Kong male and arrested him in Sham Shui Po in a joint operation with the PCPD this afternoon. He is suspected of the offence of “disclosing personal data without consent, causing specified harm to the data subject or his/her family member” under section 64(3C) of the PDPO, as well as the offence of “conspiracy to incite others to do grievous bodily harm” under common law and the Offences against the Person Ordinance. The Police seized one telephone in the operation. The arrested person is currently in custody. The operation is still ongoing and there may be more arrests.
The PDPO was amended last year to more effectively combat doxxing acts that are intrusive to personal data privacy. The amended Ordinance came into operation on 8 October 2021 and empowered the Privacy Commissioner to carry out criminal investigations and institute prosecutions. It also conferred on the Privacy Commissioner statutory powers to issue cessation notices.
PCPD Laid Charges in the First Arrest Case Relating to Doxxing
The PCPD laid a total of four charges of “disclosing personal data without consent”, contrary to section 64(3A) of the PDPO, against a Chinese male aged 31 (the defendant) on 20 May 2022. The case had its first mention at the West Kowloon Magistrates’ Courts on 25 May 2022.
These are the first charges in relation to the doxxing offence laid by the PCPD since the Personal Data (Privacy) (Amendment) Ordinance 2021 came into operation in October 2021.
Background of the case
The defendant was suspected to have disclosed the personal data of two persons without their consent on a social media platform (involving two different groups) in October 2021, amid a money dispute. The personal data disclosed included names, mobile phone number, occupation, residential address and names of their employers. The PCPD arrested the defendant on 13 December 2021, which was the first arrest in relation to a doxxing offence under section 64(3A) of the PDPO.
Relevant provisions under the PDPO
Pursuant to section 64(3A) of the PDPO, a person commits an offence if the person discloses any personal data of a data subject without the relevant consent of the data subject—
(a) with an intent to cause any specified harm to the data subject or any family member of the data subject; or
(b) being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject.
A person who commits an offence under section 64(3A) is liable on conviction to a fine of $100,000 and imprisonment for 2 years.
According to section 64(6) of the PDPO, specified harm in relation to a person means—
(a) harassment, molestation, pestering, threat or intimidation to the person;
(b) bodily harm or psychological harm to the person;
(c) harm causing the person reasonably to be concerned for the person’s safety or well-being; or
(d) damage to the property of the person.
Highlights of the Draft Practical Guidance of Cybersecurity Standards – Technical Specifications for Certification of Cross-border Handling of Personal Information《網絡安全標準實踐指南 — 個人信息跨境處理活動認證技術規範》的重點
On 29 April 2022, the National Information Security Standardisation Technical Committee of the Mainland published the Draft Practical Guidance of Cybersecurity Standards – Technical Specifications for Certification of Cross-border Handling of Personal Information (Draft Guidance), which offers more details regarding certification of cross-border data transfer under the Personal Information Protection Law. This article gives you an overview of the Draft Guidance.
Under the Personal Information Protection Law (PIPL), a personal information processor that needs to provide personal information outside the Mainland must first conduct a personal information protection impact assessment [1], obtain the separate consent of the individual concerned [2], and satisfy one of the following specified conditions [3]:
• passing a security assessment organised by the national cyberspace administration;
• entering into a contract with the overseas recipient in accordance with the standard contract formulated by the national cyberspace administration; or
• obtaining personal information protection certification from a professional institution in accordance with the provisions of the national cyberspace administration.
Since the PIPL came into effect, the relevant Mainland authorities have put forward proposals on the requirements and provisions for security assessments and the standard contract (see the introduction in this column in November 2021). However, few details have been available on personal information protection certification. On 29 April 2022, the National Information Security Standardisation Technical Committee published the Practical Guidance of Cybersecurity Standards – Technical Specifications for Certification of Cross-border Handling of Personal Information (Draft for Comment) [4] (the Draft Guidance), which provides the certification basis for implementing the personal information protection certification regime under the PIPL described above [5]. The consultation period for the Draft Guidance ended on 13 May. The Practical Guidance of Cybersecurity Standards (Practical Guidance) is a series of standard-related technical documents organised, formulated and published by the Secretariat of the National Information Security Standardisation Technical Committee; it publicises relevant standards and knowledge and provides standardisation practice guidance on topics such as cybersecurity laws, regulations and policies, standards, and current cybersecurity issues [6]. Generally speaking, although the Practical Guidance has no legal effect, it may serve as a basis for regulatory authorities in carrying out enforcement work.
The Draft Guidance sets out the basic requirements for certification bodies conducting the personal information protection certification required in advance of cross-border handling of personal information, and specifies that it applies to the following personal information handling activities:
• cross-border handling of personal information within a multinational company or within the same economic or business entity; and
• the activities of overseas personal information processors, as provided in Article 3(2) of the PIPL, in handling the personal information of natural persons within the Mainland from outside the Mainland [7].
The Draft Guidance also states that certification of cross-border handling of personal information is voluntary [8]. As to applications for certification, a multinational company applies through its Mainland branch, while an overseas processor may apply through its dedicated institution or designated representative in the Mainland, with the legal liability borne by the Mainland branch or the dedicated institution/designated representative [9].
The Draft Guidance also imposes a number of requirements on the parties involved in cross-border handling of personal information (i.e. processors that provide personal information overseas under the personal information protection certification regime), including:
• the parties must sign legally binding and enforceable documents, which must cover the categories and scope of the personal information involved, the measures for protecting the rights and interests of personal information subjects, an undertaking to comply with unified personal information handling rules, an assurance that the level of personal information protection is not lower than the standards of the relevant Mainland personal information protection laws and regulations, and an undertaking to accept supervision by the certification body and the jurisdiction of the relevant Mainland personal information protection laws and regulations [10];
• the parties should designate a member of the organisation's management as the person in charge of personal information protection, whose responsibilities include setting out the basic requirements and protective measures for personal information protection work, guiding and supporting relevant personnel in carrying out that work, and reporting on personal information protection work to the organisation's principal person in charge [11];
• the parties should establish a personal information protection body to fulfil personal information protection obligations, prevent unauthorised access to and the leakage, tampering and loss of personal information, conduct personal information protection impact assessments, monitor whether personal information provided across the border is handled according to the agreed rules, and handle complaints from personal information subjects [12];
• the parties should conduct a personal information impact assessment covering, among other matters, whether providing personal information overseas complies with laws and regulations and its impact on the rights and interests of personal information subjects, and the impact of the laws and cybersecurity environment of the overseas country or region on those rights and interests [13].
The rights and interests of personal information subjects are also protected under the Draft Guidance, including the right to request from the parties a copy of the parts of the legal documents concerning their rights and interests; the right to be informed of and to decide on the handling of their personal information, and to restrict or refuse the handling of their personal information by others; the right to refuse decisions made solely by automated decision-making; and the right to access, copy, correct, supplement and delete their personal information held by the overseas recipient [14].
[1] Article 55 of the PIPL
[2] Article 39 of the PIPL
[3] Article 38 of the PIPL
[4] Notice of public consultation on the Practical Guidance of Cybersecurity Standards – Technical Specifications for Certification of Cross-border Handling of Personal Information (Draft for Comment) and full text of the Draft Guidance: https://www.tc260.org.cn/front/postDetail.html?id=20220429181520
[5] Draft Guidance, Abstract (page III)
[6] Draft Guidance, Foreword (page I)
[7] Draft Guidance, section 1, Scope of Application
[8] Draft Guidance, section 3, Basic Principles
[9] Draft Guidance, section 2, Certification Method
[10] Draft Guidance, section 4.1, Legal Binding Force
[11] Draft Guidance, section 4.2.1, Person in Charge of Personal Information Protection
[12] Draft Guidance, section 4.2.2, Personal Information Protection Body
[13] Draft Guidance, section 4.4, Personal Information Protection Impact Assessment
[14] Draft Guidance, section 5.1, Rights of Personal Information Subjects
RECOMMENDED ONLINE TRAININGS
Webinar on Recommended Model Contractual Clauses for Cross-border Transfers of Personal Data
Given the increasing digitalisation in the handling of personal data and globalisation of business operations in recent years, the challenges and complexities encountered by local enterprises in cross-border data transfers are set to mount. This is particularly so with the proliferation and advancement of information and communication technology, including big data, cloud computing and data analytics. From this webinar, you will understand:
- The requirements for cross-border transfers of personal data under the PDPO
- An overview of the recommended terms and conditions in the Recommended Model Contractual Clauses
Date: 27 June 2022 (Monday)
Time: 3:00pm – 4:00pm
Speakers:
- Mr Dennis NG, Assistant Privacy Commissioner (Legal, Global Affairs and Research) (Acting), PCPD
- Ms Clemence WONG, Legal Counsel (Acting), PCPD
Fee: $300/$240* (*Members of the Data Protection Officers' Club and the supporting organisations may enjoy the discounted fee)
Accreditation: Accreditation of the Law Society of Hong Kong is being sought
Language: Cantonese
Who should attend: Legal professionals, Compliance Officers, Data Protection Officers, IT professionals and others who have business operations outside Hong Kong or have business relationships with other regions
A new series of Professional Workshops on Data Protection (June - July 2022) is now open for enrolment! Check out the new schedule of the Professional Workshops below:
Online Professional Workshop on Data Protection in Insurance
This workshop will discuss the key features of “Guidance on the Proper Handling of Customers’ Personal Data for the Insurance Industry” and relevant privacy issues specific to insurance institutions and insurance practitioners. It will also examine core concepts of practical data protection compliance illustrated by specific scenarios to highlight the potential problems and their resolutions.
Date: 8 June 2022 (Wednesday)
Time: 2:15pm – 5:15pm
Fee: $750/$600* (*Members of the Data Protection Officers' Club and the supporting organisations may enjoy the discounted fee)
Language: Cantonese
Who should attend: Insurance Practitioners, Data Protection Officers, Compliance Officers, Solicitors, Advisers and other personnel undertaking work relating to the Insurance Industry
Online Professional Workshop on Data Ethics
This workshop aims to help organisations understand the value and models of data ethics stewardship management, and how to implement data ethics in their daily operations. Ethical use of personal data can improve business reputation and enhance stakeholders’ confidence, thus enabling organisations to fully reap the benefits of the data-driven economy.
Date: 15 June 2022 (Wednesday)
Time: 2:15pm – 5:15pm
Fee: $750/$600* (*Members of the Data Protection Officers' Club and the supporting organisations may enjoy the discounted fee)
Language: Cantonese
Who should attend: Data protection officers, compliance professionals, company secretaries, solicitors, executives from business and public sectors, and those who are interested in keeping abreast of data protection trends and best practices
Online Free Seminar - Introduction to the PDPO
The PCPD organises free introductory seminars regularly to raise public awareness and understanding of the PDPO. The details of the upcoming sessions are as follows:
Seminar Outline:
- A general introduction to the PDPO
- The six Data Protection Principles (illustrated with industry-related examples)
- Offences and compensation
- Direct marketing
- Q&A session
Arrange an In-house Seminar for Your Organisation
Teaching employees how to protect the privacy of personal data is increasingly recognised as an important part of employee training. If you wish to arrange an in-house seminar for your organisation to learn more about the PDPO and protecting the privacy of personal data, you can make a request for an in-house seminar via our online form. The outline of this seminar is provided below.
Seminar Outline:
- A general introduction to the PDPO
- The six data protection principles (illustrated with industry-related cases)
- Handling of data breach incidents
- Direct Marketing
- Offences & Compensation
- Q&A Session
Duration: 1.5 hours
RENEWAL OF DPOC's MEMBERSHIP
Renew your DPOC membership today and continue to enjoy privileged access to course enrolments throughout the year! Special offer for organisational renewals: Organisations can join the 2-for-1 scheme, which enables them to receive two memberships for the price of one annual fee (HK$350). Renew your membership now to keep up-to-date with the latest news and legal developments!
PCPD Supports the Hong Kong ICT Awards 2022 - FinTech Award
Since 2006, the Hong Kong ICT Awards has been recognising and promoting outstanding innovation and excellence in the information and communications technology (ICT) field. Steered by the Office of the Government Chief Information Officer and organised by industry associations and professional bodies, the internationally acclaimed Awards serves to recognise the creativity and drive for solutions of those meeting business and social needs. The PCPD is delighted to support the Hong Kong ICT Awards 2022 - FinTech Award, where The Hong Kong Institute of Bankers (HKIB) has been appointed as the Leading Organiser.
For details, please visit the websites of HKIB and Hong Kong ICT Awards 2022.
Contact Us
Address: Room 1303, 13/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong
Tel: 2827 2827
If you do not wish to receive the PCPD e-Newsletter, please click here to unsubscribe.
Copyright
Disclaimer
The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.
The PCPD shall not be liable for any damages (including but not limited to damages for loss of business or loss of profits) arising in contract, tort or otherwise from (i) the use of or inability to use this publication or its content, or (ii) from any action taken or decision made on the basis of the content of this publication.
If you click any hyperlink in this publication that brings you to sites operated by other organisations, the PCPD accepts no responsibility for the contents of those sites and shall not be liable for any loss or damage arising out of and/or incidental to the use of the contents.