In the past year alone, Hong Kong Privacy Commissioner for Personal Data Allan Chiang’s office has received nearly 1,500 complaint cases. In this exclusive for The Privacy Advisor, Chiang offers insight into the work of his office, the types of complaints received and the importance of enforcers having the ability to impose sanctions in the event of a breach.
The Privacy Advisor:
How many complaints has your office received thus far this year? What kinds of complaints are they? Are you seeing any trends in the types of complaints you receive?
Chiang:
From January to April 2012, the Office of the Privacy Commissioner for Personal Data (PCPD) has received 344 complaints. The majority of these complaints are related to the use of personal data without the consent of data subjects (157 cases), followed by complaints about the purpose and manner of data collection (135 cases).
In 2011, the PCPD had received 1,486 complaint cases. It represented an increase of 26 percent on the number of cases received in 2010 (1,179) and an increase of 48 percent on that of 2009 (1,001). This drastic increase was largely due to an outbreak of a spate of major privacy intrusion incidents which have raised public awareness and understanding of individuals’ privacy rights concerning personal data to an unprecedentedly high level. The most notable incident involved a smartcard company--the Octopus--transferring the personal data of its 2.4 million smartcard users to a number of partner companies for use in the marketing of the latter’s products and services. Octopus played little or no part in the marketing process but received monetary gains from the partner companies in exchange for the data transfer, without the customers’ knowledge or consent.
Of the 1,486 complaints received in 2011, 1,101 cases were made against the private sector, 131 against the public sector/government departments and 254 against individuals. Of the complaints made against the private sector, financial institutions ranked highest in the number of complaints received (200 cases), followed by property management (137 cases) and telecommunications (122 cases). Of these complaints, the majority were related to the purpose and manner of data collection (723 cases), followed by complaints about the use of personal data without the consent of data subjects (681 cases), data security (223 cases), accuracy and duration of retention (125 cases), and use of personal data for direct marketing (119 cases).
The Privacy Advisor:
Are compliance audits compulsory for public and private entities or voluntary? Can your office initiate an audit, or does a complaint need to be filed by a data subject first?
Chiang:
Under the Personal Data (Privacy) Ordinance, there is no requirement for public and private entities to undertake compliance audits. However, I advocate that corporate data users should not be complacent about just meeting the legal minimum requirements. Through publications, seminars and other channels, I recommend that they adopt privacy impact assessments and compliance audits in new business initiatives or projects which have significant impacts on personal data privacy.
The ordinance provides for me to undertake investigation in response to a complaint lodged, or if I suspect that there has been a contravention of a requirement under the ordinance. Further, I may on my own initiative inspect a personal data system and make recommendations to the data user concerned for the purpose of promoting compliance with the provisions of the ordinance.
The Privacy Advisor:
What sanctions do you place on organizations that breach the ordinance? The UK’s Information Commissioner’s Office has fining authority and the Office of the Privacy Commissioner of Canada is seeking fining authority. Is your office seeking that authority as well?
Chiang:
The existing provisions of the ordinance are inadequate in safeguarding personal data protection. In the event of data leakage, data users are not mandated to notify the affected persons. Further, I do not have adequate sanctioning power to ensure compliance with the ordinance. I have no legal authority to mandate mediation between the parties concerned to reach a mutually satisfactory settlement. I have no authority to award compensation to aggrieved data subjects or to impose monetary penalties on data users for contraventions of the Data Protection Principles (DPPs). The aggrieved data subject is left on his own to institute legal proceedings against the data user concerned to seek compensation under the ordinance. Such civil action claims have rarely been brought before the court by the aggrieved data subject. This is understandable due to the high litigation costs relative to the amount of damages to be awarded in normal circumstances.
In fact, contravention of the DPPs is not an offence per se. The most forceful action I may take is to issue an enforcement notice to direct the data user to take specified remedial steps within a specified period. Only if the data user contravenes the enforcement notice will he commit an offence. The punitive effect of this arrangement is weak. I may serve an enforcement notice only when a contravention is likely to continue or be repeated. Further, in the event that a data user resumes the same contravening act shortly after compliance with the enforcement notice, I can only issue another enforcement notice. This represents a loophole for data users to circumvent PCPD’s escalation of regulation from issue of enforcement notice to prosecution of an offence.
Where prosecution of an offence is contemplated for contravention of the requirements under the ordinance, including breach of an enforcement notice, I am not empowered to institute prosecutions directly against the data users concerned. Instead, I have to refer suspected offences to the police for criminal investigation and where deemed necessary, to the Department of Justice for prosecution.
To enhance the effectiveness of the ordinance, the PCPD provided the government in December 2007 with a comprehensive package of over 50 proposals to amend the ordinance. I am pleased that a bill has been placed in the Legislative Council since July 2011, and the following amendments to the ordinance, among others, are expected to be passed shortly:
- To allow the PCPD to serve an enforcement notice even if the contravening act has ceased and there is no likelihood of repetition, provided that the act involved has caused or is likely to cause damage or distress to the data subject;
- To make a repeated contravention of a DPP on the same facts an offence punishable by a fine at HK$50,000 and imprisonment for two years;
- To impose a heavier penalty on data users for repeated noncompliance with an enforcement notice, i.e. a fine at HK$100,000 and imprisonment for two years;
- To introduce additional specific requirements for the collection and use of personal data for direct marketing purposes, and to make it an offence if a data user does not comply with the requirements and subsequently uses the personal data for direct marketing; the offence attracts a maximum fine of HK$500,000 and imprisonment for three years;
- To make unauthorized sale of personal data by a data user an offence, punishable by a maximum fine of HK$1,000,000 and imprisonment for five years, and
- To empower PCPD to offer legal assistance to the data subject to seek redress.
Regrettably, the PCPD’s proposals to acquire the sanctioning powers to award compensation to aggrieved data subjects and to fine the data users for serious privacy contraventions were not adopted by the government.
The Privacy Advisor:
What can organizations do to avoid an enforcement action? Does your office tend to be more lenient on organizations that have put in a demonstrable effort to protect data?
Chiang:
Obviously, compliance with the ordinance will rule out enforcement action by PCPD.
As explained above, non-compliance with DPPs does not constitute a criminal offence directly. Upon receipt of a complaint, the PCPD will first liaise with the complainant and the party complained against to determine whether a prima facie case of contravention can be established. In the process, PCPD may also try to resolve the dispute through mediation. If the dispute cannot be resolved in this way, the PCPD may carry out a formal investigation. Where this confirms that the data user has contravened a requirement under the ordinance, I may serve an enforcement notice on the data user concerned to direct it to take the necessary steps to remedy the contravention. If the data user has already taken steps to remedy the contravention, an enforcement notice cannot be served.
Non-compliance with an enforcement notice is an offence which attracts a penalty of a fine at HK$50,000 and imprisonment for two years.
The Privacy Advisor:
Do you collaborate with other data protection authorities? If so, with whom and how?
Chiang:
As the personal data privacy regulator in Hong Kong, the PCPD was invited by the government to participate in the work of the Data Privacy Subgroup (DPS) of the Electronic Commerce Steering Group (ECSG) under the Asia Pacific Economic Co-operation (APEC) in 2003 to develop a data privacy framework recognized among member economies for the sake of promoting the development and launch of e-commerce and building up consumers’ trust and confidence. The PCPD has played an active role in the work of the DPS of the APEC ECSG. It helps the subgroup finalize the rules and procedures of the APEC Cross Border Privacy Rules System and prepare for the establishment of a Joint Oversight Panel to implement the system. Moreover, the PCPD is a member of APEC Cross-Border Privacy Enforcement Arrangement (CPEA) which comprises the major Privacy Enforcement Authorities from APEC member economies. Membership of CPEA stood at 20 by the end of December 2011. The CPEA facilitates information sharing among members and promotes cross-border co-operation in privacy law enforcement through referrals of matters and through parallel or joint investigation or enforcement actions.
The PCPD is also a member of the International Conference of Data Protection and Privacy Commissioners and a member of the Asia Pacific Privacy Authorities (APPA). APPA provides a forum for exchanging opinions on privacy regulations, new technologies and the management of privacy enquiries and complaints among privacy authorities in the Asia Pacific region. APPA comprises 13 privacy authorities from Australia, Canada, Hong Kong, Mexico, New Zealand, South Korea and the U.S. Members meet twice a year, with Hong Kong hosting the June event. APPA has recently voiced to Google its concerns over Google’s new privacy policies and is still pressing Google to make clarifications and take improvement measures to allay the concerns.
The Privacy Advisor:
In what ways are you educating consumers, businesses and/or government agencies of the importance of data protection and privacy? Are there future plans to expand privacy education?
Chiang:
With a view to promoting awareness and understanding of and compliance with the requirements under the ordinance, the PCPD provides an array of promotional activities, public education and professional training.
In regard to community education, the PCPD publishes information leaflets and organizes public seminars on personal data protection on a regular basis (about three times per month). In response to the popular demand for education on the protection of personal data privacy in the use of the Internet and advanced communications products, including social networking, a public seminar on the proper use of technology to safeguard personal information is organized every month.
Wise use of the media is made to educate consumers. A notable recent initiative is the production of a series of docu-dramas featuring some significant privacy intrusion cases and the application of the ordinance in daily life. The drama will be broadcast on television in September 2012.
In May every year, the PCPD partners with members of the APPA to organize the Privacy Awareness Week promotional programmes to raise public awareness of the importance of privacy and data protection.
As regards business education, the PCPD publishes codes of practice and guidance notes to assist data users in compliance with the ordinance. It also organizes a series of professional compliance workshops on data protection, which are tailored to meet the needs of executives dealing with personal data in different work contexts. The workshops are conducted in an interactive manner by PCPD’s own or commissioned trainers covering a wide range of disciplines such as legal, insurance, banking and financial services, human resource management, marketing, IT management and property management. In addition, the PCPD runs the Data Protection Officers’ Club (DPOC), which is a network of data protection officers across all industries. The DPOC provides a platform for data users to obtain first-hand information from the PCPD and share data protection practices with peers from other industries. Further, the PCPD partners with a specific industry every year to provide tailor-made data protection education to members of the industry.
Youth is a primary target of PCPD’s community engagement programme. A Liberal Studies Teaching Kit was compiled to incorporate privacy and personal data protection concepts in the liberal studies curriculum of secondary schools. Special efforts are made to engage young people and sustain their participation in a re-invigorated “Student Ambassador” programme, which awakens young people to the importance of personal data protection through learning and practice and assists them in promoting this privacy right to their peers by organizing different activities in their respective schools. A University Privacy Day programme has been in place since October 2011. This is a first-of-its-kind on-campus educational programme on the promotion of privacy and data protection, designed for staff and students of the ten universities and tertiary educational institutions in Hong Kong.