“Hong Kong can serve as the bridge for data transfers between mainland China and the European countries”
Interview with Prof. Stephen Kai-yi WONG, Privacy Commissioner for Personal Data, Hong Kong
Prof. Stephen Kai-yi WONG is a speaker at European Data Protection Days 2017 on “Observations on the GDPR 2018 from Hong Kong’s perspective”.
Commissioner Wong, what are the latest developments in data protection in Hong Kong and China?
Commissioner Wong: The latest developments in Hong Kong: The data protection law of Hong Kong, i.e. the Personal Data (Privacy) Ordinance (“Ordinance”), was enacted in 1995. In 2012, there were major reviews and amendments to the Ordinance to enhance the protection of personal data privacy of individuals. One of the focuses was to strengthen the regulation on direct marketing and criminal offences were introduced. Under the new regime, a data user is liable to a fine of HK$500,000 and to imprisonment for 3 years if, for example, the data user failed to obtain consent from an individual before using the individual’s personal data for direct marketing. The penalties could be as high as a fine of HK$1,000,000 and imprisonment for 5 years if, for example, a data user, without an individual’s consent, provides the individual’s personal data to a third party for use in direct marketing for gain.
Immediately after the direct marketing reforms came into operation in 2013, the number of direct marketing-related complaints handled by my office increased by 53%. Up to now, there have been seven convictions under the direct marketing regime. Most of the offenders were fined by the courts, except for one who was sentenced to 80 hours of social service order (due to the unique circumstances of the offender).
In recent years, my office has placed more emphasis on stakeholder engagement, in addition to enforcement. For example, in February 2014, my office launched the Privacy Management Programme (“PMP”). Since then, we have been encouraging data users in Hong Kong to implement the PMP, and to embrace personal data privacy protection as part of their corporate governance responsibilities. It represents a shift of corporate governance from compliance to accountability. Up to now, 115 entities have publicly pledged to implement the PMP, which include all the bureaux and departments of the Hong Kong Government, and a number of large organizations from both the public and private sectors, such as telecommunication companies, insurance companies, utility companies, etc.
Another new regulatory strategy of my office is to raise the awareness of the public in protecting their own personal data. A number of educational activities have been carried out. For example, having considered that people in Hong Kong have increasing online presence, my office launched a new TV Announcements in the Public Interest entitled “Stay Smart. Mind Your Digital Footprint” in December 2015 and produced a series of four educational videos in March 2016, calling on members of the public to go online vigilantly, and protect, respect others’ personal data. Moreover, a number of publications were published since 2015 with the focus on online aspects, such as “Protecting Online Privacy – Be Smart on Social Networks” (October 2015), “Children Online Privacy – Practical Tips for Parents and Teachers” (December 2015), “Stay SMART! Protect Your Personal Data – Tips for the Elderly” (January 2017).
Through stakeholder engagement and education, it is hoped that individuals would be vigilant in providing their personal data, keep their data under their own control, and organizations would be accountable for the data they collect and respect the fundamental right to privacy, thereby cultivating a culture of protecting and respecting personal data in the long run.
We also have strengthened cooperation with our counterparts overseas in recent years. For example, my office has participated in the GPEN Sweep every year since 2013, looking into the privacy practices of websites, mobile applications and IoT devices. In 2016, my office made another stride by joining the Executive Committees of GPEN and the ICDPPC, with a view to bring the Asian perspective to the data protection sphere.
The latest developments in Mainland China:
Mainland China does not have an omnibus data protection law yet. However, the elements of privacy and data protection have been incorporated into a number of laws and regulations in recent years. For example, individuals’ right to privacy is recognised in the Tort Liability Law in 2009.
In 2013, the second amendment to the Consumer Rights Protection Law was passed, in which provisions for protecting consumers’ personal data were added, such as the provision that requires personal data to be collected and used in lawful, proper and fair manners.
A more recent legislative step forward is the Cybersecurity Law , which was enacted in 2016, and will come into operation on 1 June 2017. According to the Cybersecurity Law, network operators have to obtain individuals’ consent before processing of their personal data. The uses of personal data by the network operators have to be lawful and proper. The network operators are also required to ensure the security of the personal data in their possession.
Cross-border data transfers are very important for globally acting companies. How would you describe the experience in China regarding global data transfers with European countries?
Commissioner Wong: A major challenge for the cross-border data transfer between mainland China and the European countries is the absence of a comprehensive and omnibus data protection law in mainland China. As such, businesses have to rely on other measures, such as binding corporate rules and bilateral data protection agreements (signed between the transferor and transferee). The matter may be further complicated with the implementation of the Cybersecurity Law in mainland China on 1 June 2017, which contains data localisation requirement.
Given a more comprehensive data protection regime and effective legal system in Hong Kong, together with the strong tie between Hong Kong and mainland China, I believe Hong Kong can serve as the bridge for data transfers between mainland China and the European countries. For example, European companies with businesses in mainland China, and vice versa, may set up data centres in Hong Kong to store personal and operational data. Hong Kong is in fact one of the most popular data hubs in Asia.
From a distance – regarding GDPR: How does it affect China and Asia and what are your observations on the GDPR 2018 from Hong Kong’s perspective?
Commissioner Wong: We expect that the GDPR will spark new waves of data protection law review exercises in Asia. In Hong Kong, the GDPR provides a timely opportunity for us to review the Personal Data (Privacy) Ordinance, in the light of advanced technological developments such as the Internet of Things, Big Data and Artificial Intelligence. GDPR is inspirational as it introduces new concepts of data protection such as the right to be forgotten, data portability, accountability and profiling, as well as strengthening the sanction regime to increase the enforcement power of data protection authorities.
My office is currently conducting a comparative study on the GDPR and Hong Kong’s Personal Data (Privacy) Ordinance to see how personal data privacy protection could be enhanced further.
We look forward to further clarifications or guidance of major concepts and requirements under the GDPR by the Article 29 Working Party and other data protection authorities of the EU. We believe that careful deliberations in the community and discussions with overseas data protection authorities are conducive to an educated review of our law and practices, in particular whether and to what extent new GDPR concepts should be introduced into the Ordinance.
Stephen Wong joined the Attorney General’s Chambers of the Hong Kong Government as a Crown Counsel in 1986. In 1991, he was seconed to the UN Human Rights Committee based in Geneva. In 1992, he became the Assistant Director of Public Prosecutions. From 1996-2014, Stephen Wong assumed the offices of Deputy Solicitor-General and Secretary of the Hong Kong Law Reform Commission, responsible for human rights, cross-boundary legal affairs, Basic Law, law reform and legal policies. His fields of expertise also include commercial law, arbitration law, intellectual property and criminal law. Stephen Wong is also active in the community work, having been appointed as an adjunct professor of the School of Law, City University of Hong Kong, advocacy examiner of the Faculty of Law, University of Hong Kong; and a director of the China Law Society. Mr. Wong graduated from te University of Hong Kong, also holding an LLM from the London School of Economics. He also pursed management courses at Harvard and Wharton, USA.
Stephen Wong was appointed as the Privacy Commissioner for Personal Data of Hong Kong in August 2015, before which he had been in private practice as a barrister-at-law, specialising in public law.