This time last year, the Hong Kong Office of the Privacy Commissioner for Personal Data (PCPD) set out 6 major proposed reforms in a paper presented to the Legislative Council. These proposals, if implemented, would have major implications for companies, which would be required to re-assess their internal compliance policies, particularly those companies with international or large-scale data operations:
- a mandatory data breach notification mechanism;
- the requirement for a data retention policy;
- introducing the ability for the PCPD to impose direct administrative fines;
- direct regulation of data processors;
- expanding the definition of personal data; and
- regulating the disclosure of other data subjects' personal data.
2020 – surviving the pandemic
However, events very quickly took over, and in 2020 the work of the PCPD primarily turned to advising on privacy issues arising from the Covid-19 pandemic (e.g. issuing practical guidance on the protection of personal data in WFH arrangements).
It also had to deal with the increase in doxxing incidents (i.e. publishing private or identifying information about an individual, typically with malicious intent) arising from the backlash of the 2018 political events in the city.
2021 – a chance to reset the agenda
The PCPD had the chance to reset its strategic focus areas for 2021 in its January report to the Legislative Council. What is interesting about this report is that the PCPD did not directly address the 6 major reforms proposed last year. The PCPD instead set out 5 strategic goals for 2021 as broad development areas, being:
- privacy protection amidst technological development;
- promotion & publicity work to raise awareness of data privacy issues;
- enhanced and targeted enforcement;
- continual review of the Personal Data (Privacy) Ordinance (PDPO) against the global privacy landscape; and
- increased collaboration and interactions with international and mainland connections.
"Enhanced and targeted enforcement"
For strategic goal (3), the PCPD intends to focus on enhancing collaboration with other law enforcement agencies and taking enhanced and targeted enforcement measures to prevent and remedy data breaches. In particular, it welcomed the Government’s proposals to introduce a mandatory breach notification system, administrative fines and to enhance the PCPD’s enforcement powers.
This is broadly in line with the 6 major proposed reforms (which raised mandatory breach notification and doxxing cases as a concern). However, our first questions are: what will ‘enhanced’ and ‘targeted’ mean? Would this pose additional risk to our tech clients?
Concurrently, we have noticed statements and actions by the Government publicly calling out the rise of doxxing incidents, ‘fake news’ and hate speech behaviour. It seems possible that the PCPD could be given ‘targeted’ powers to curtail doxxing activities, or combat behaviours deemed as an abuse of social media (e.g. demand that social media platforms and websites remove offending content) in the future. Given the political climate, this would be a controversial move.
What’s happening next?
Unfortunately, the 2021 report did not give us much indication of what might be happening next and when. There is also no mention of timelines, any public consultation papers or draft bills to implement any of the 6 major proposed reforms canvassed last year, or further action plans for the 5 strategic goals.
We also await further movements from the Government’s pivot in combatting the rise in doxxing, hate speech and “fake news” behaviours. In the past one to two years, we are aware that the PCPD has from time to time reminded operators of relevant websites, online social media platforms and discussion forums to take steps to prevent their platforms from being abused as a tool for infringing personal data privacy. It has also requested the operators concerned to issue warnings on their platforms to netizens that doxxing behaviour may violate the PDPO.
Given the ‘toothless’ efforts by the PCPD to date, we expect a proposal addressing doxxing and giving the PCPD related enforcement powers to be submitted to the Legislative Council sometime this year.
What does this mean for the tech sector?
While it remains to be seen what will come out of the PCPD pipeline, one thing is for sure: companies processing personal data should be on notice that the PCPD is looking to get back on track after the Covid-19 crisis. It will re-focus on evaluating the adequacy of the HK data regime against HK’s local needs, as well as keeping in step with global developments.
The extent of the reforms may not be clear, but tech companies should not sit too comfortably, as the reforms, whatever the trigger may be, will likely have effects on their commercial risk appetite and choice of data collection activities. We expect that requirements such as the need for new compliance processes, the duty to assist with investigations by the PCPD, and the potential need to monitor online content may come into play depending on future developments. We will be watching with interest and will keep you updated.