In this Privacy Tracker series, we look at laws from across the globe and match them up against the EU General Data Protection Regulation. The aim is to help you determine how much duplication of operational effort you might avoid as you move toward GDPR compliance and help you focus your efforts. In this installment, Alibaba Cloud's ShanShan Pa, CIPP/E, CIPP/US, CIPM, FIP, compares Hong Kong's Personal Data (Privacy) Ordinance with the GDPR.
Hong Kong's data protection law is the Personal Data (Privacy) Ordinance (Cap. 486). It came into force in 1996, a year after the European Data Protection Directive 95/46/EC, and much of its framework is drawn from the directive. Its main objective is to protect the privacy rights of an individual (the data subject) in relation to personal data. The Amendment Bill regulating the use of personal data for direct marketing was passed by the Legislative Council on June 27, 2012.
The ordinance's equivalent of the controller is the “data user,” defined as “a person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of the data.” The 2012 amendment added a definition of “data processor,” which corresponds to the processor role in the GDPR. Note that the ordinance's “third party” is not a processor: it excludes anyone authorized in writing by the data user to process data on its behalf, so it is closer to the GDPR's own definition of “third party.” Under the ordinance, the data user, not the data processor, is liable as principal for the wrongful acts of its authorized data processor, which mirrors Directive 95/46/EC; the GDPR, by contrast, places obligations and liability on both the controller and the processor. (See the comparison table at the end of the article for details.)
The ordinance sets out six data protection principles: “everyone who is responsible for handling data (Data User) should follow the six Data Protection Principles ("DPPs") which represent the core of the Ordinance covering the life cycle of a piece of personal data.”
DPP1 — Data Collection Principle
The first principle requires that “personal data must be collected in a lawful and fair way, for a purpose directly related to a function/activity of the data user. Data subjects must be notified of the purpose and the classes of persons to whom the data may be transferred.” Article 5 of the GDPR sets out the corresponding principles of lawfulness, fairness, transparency and purpose limitation. Article 5 itself does not spell out the notice duty; that sits in Articles 13 and 14, which list the information the controller must give the data subject when data are collected from the data subject or obtained from another source.
DPP1 also requires that the data collected be adequate but not excessive. Article 5(1)(c) of the GDPR states the same idea as data minimization: personal data must be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.”
DPP2 — Accuracy & Retention Principle
Under the ordinance, “practicable steps shall be taken to ensure personal data is accurate and not kept longer than is necessary to fulfill the purpose for which it is used.” Article 5 of the GDPR covers the same ground in its accuracy and storage limitation principles (Article 5(1)(d) and (e)). The GDPR adds a carve-out the ordinance does not spell out: under the storage limitation principle, “personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1).”
DPP3 — Data Use Principle
The principle states that “Personal data must be used for the purpose for which the data is collected or for a directly related purpose, unless voluntary and explicit consent with a new purpose is obtained from the data subject.” Where a data subject is incapable of giving consent (for example a minor, or a person who is physically or mentally incapable), the ordinance allows a “relevant person” acting for the data subject to give the prescribed consent to a new purpose. Under Article 6 of the GDPR, consent to processing for one or more specific purposes is one lawful basis, but the GDPR also lists others, such as necessity for the performance of a contract or compliance with a legal obligation. The conditions for valid consent are set out in Article 7 (the controller must be able to demonstrate it, the request must be clearly distinguishable from other matters, and the data subject may withdraw it at any time), and they apply from the start of processing, not only when a new purpose arises.
DPP4 — Data Security Principle
One can almost never have privacy without security. The ordinance states the data security principle as follows: “a data user needs to take practicable steps to safeguard personal data from unauthorized or accidental access, processing, erasure, loss or use.” Under Article 32 of the GDPR, the controller and the processor must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing; the measures are expected to address the confidentiality, integrity, availability and resilience of processing systems. The GDPR also imposes breach notification duties (Article 33 to the supervisory authority, Article 34 to affected data subjects), for which the ordinance has no equivalent.
DPP5 — Openness Principle
Per the ordinance, “a data user must take practicable steps to make personal data policies and practices known to the public regarding the types of personal data it holds and how the data is used.” The GDPR addresses this through its transparency provisions (Articles 12 to 14) and the right of access. Article 15 gives a data subject the right to “obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data,” together with information such as the purposes of processing, the categories of personal data concerned and the recipients to whom the data have been or will be disclosed.
DPP6 — Data Access & Correction Principle
Under the last principle, “a data subject must be given access to his/her personal data and allowed to make corrections if it is inaccurate.” The GDPR grants the same through the right of access in Article 15, which also requires the controller to inform the data subject of “the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing,” and through the right to rectification in Article 16.
The ordinance also exempts personal data in a number of situations, including data held for domestic or recreational purposes; certain employment-related data; and cases where applying a principle would be “likely to prejudice security, defense and international relations; crime prevention or detection; assessment or collection of any tax or duty; news activities; health; legal proceeding; due diligence exercise; archiving; handling life-threatening emergency situation,” among others. The GDPR has no single list of exemptions. The closest analogue to a general exemption is the legitimate interests basis in Article 6(1)(f), which applies “except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject” and is not available to public authorities processing in the performance of their tasks; Article 23 separately allows Union or member state law to restrict data subject rights for reasons such as national security, defense, public security and the prevention or detection of crime.
Here is a comparison of some of the common topics:
Topic | The Ordinance | GDPR |
---|---|---|
Personal Data | Any data: (a) Relating directly or indirectly to a living individual; (b) From which it is practicable for the identity of the individual to be directly or indirectly ascertained; and (c) In a form in which access to or processing of the data is practicable * Examples of personal data protected by the ordinance include names, phone numbers, addresses, identity card numbers, photos, medical records and employment records. | Any information: (a) Relating to an identified or identifiable natural person; (b) An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. |
Data Subject | In relation to personal data, means the individual who is the subject of the data. | Not separately defined; Article 4(1) describes the data subject as an identified or identifiable natural person. |
Controller | "Data User": In relation to personal data, means a person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of the data. | The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or member state law, the controller or the specific criteria for its nomination may be provided for by Union or member state law. |
Processor | Added by the 2012 amendment, a "Data Processor" is a person who: (a) Processes personal data on behalf of another person; and (b) Does not process the data for any of the person's own purposes. Separately, "Third Party," in relation to personal data, means any person other than: (a) the data subject; (b) a relevant person in the case of the data subject; (c) the data user; or (d) a person authorized in writing by the data user to collect, hold, process or use the data (i) under the direct control of the data user; or (ii) on behalf of the data user. | Article 4(8): a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. The GDPR also defines "third party" (Article 4(10)): a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data. |
Sensitive Data | No separate category. | Article 9: Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation is prohibited unless one of the conditions in Article 9(2) applies (for example, explicit consent). |
Transfer of Personal Data to third countries or international organizations | No operative restriction on cross-border transfers. (Section 33 of the ordinance would restrict transfers of personal data outside Hong Kong, but it has not been brought into operation.) | Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organization may take place only if the controller and processor comply with the conditions in Articles 44 to 50, so that the level of protection guaranteed by the GDPR is not undermined. Transfer mechanisms include adequacy decisions, binding corporate rules and standard contractual clauses, or, for EU-US transfers, the Privacy Shield. |
Data Portability | No portability right. DPP6 gives the data subject access to his/her personal data and the right to have inaccurate data corrected, but not a right to receive the data in a reusable format or to have it transmitted to another data user. | Article 20: The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided. |
Penalty | Noncompliance with a Data Protection Principle is not in itself a criminal offense. The Privacy Commissioner may serve an Enforcement Notice directing the data user to remedy the contravention, or refer the matter for prosecution. Contravention of an enforcement notice is an offense carrying a maximum fine of HK$50,000 and imprisonment for two years. An individual who suffers damage, including injured feelings, by reason of a contravention of the ordinance in relation to his or her personal data may seek compensation from the data user concerned. The ordinance also creates offenses for misuse of personal data in direct marketing (Part 6A, added by the 2012 amendment), noncompliance with a data access request (section 19) and disclosure of personal data obtained from a data user without the data user's consent (section 64), among others. | Under Article 83: up to EUR 10,000,000 or, for an undertaking, up to 2 percent of total worldwide annual turnover of the preceding financial year, whichever is higher, for infringements of the obligations of controllers and processors (Articles 25 to 39, among others), certification bodies and monitoring bodies; up to EUR 20,000,000 or, for an undertaking, up to 4 percent of total worldwide annual turnover of the preceding financial year, whichever is higher, for infringements of the basic principles of processing, the conditions for consent, data subjects' rights and the rules on transfers to third countries, among others. Under Article 84, each member state lays down the rules on other penalties for infringements not subject to Article 83 and takes all measures necessary to ensure they are implemented. |
photo credit: Lianqing Li National Flags (China and HK), cropped