Hong Kong Unit 4C Enforcement II Flashcards
Enforcement - What are the enforcement powers of the Hong Kong Commissioner? What type of authority is HK PCPD vs SG PDPC?
The Privacy Commissioner can investigate complaints of breaches of the PDPO, as well as initiate investigations. The approach to enforcement is generally administrative and consultative in nature.
It has neither criminal investigation nor prosecution powers, nor the ability to award compensation to data subjects. Criminal investigations are carried out by the police and prosecutions must be brought by the Department of Justice before the Hong Kong criminal courts.
At the conclusion of an investigation, the Commissioner can issue an enforcement notice against the “data user” (that is, the business controlling the data processing), requiring it to take remedial action.
HK PCPD is an independent statutory authority, whereas SG PDPC is a government authority.
What happens if a data user refuses to comply with an enforcement notice? What are the penalties?
If a data user breaches an enforcement notice issued by the Privacy Commissioner, it will be liable to a fine of HK$50,000 (on first conviction) or HK$100,000 (on a subsequent conviction) and imprisonment for two years.
Scope for criminal enforcement was broadened and the penalties for non-compliance were increased in the (Amendment) Ordinance 2012.
The Commissioner has the right to publish the results of any investigation, name the organisation involved and give details of the breaches committed (reputational risk for organisations).
What are the penalties if a data user contravenes the direct marketing requirements?
If the data user provides data for gain: fine of up to HK$1,000,000 and imprisonment for up to five years.
If the data user provides data otherwise than for gain: fine of up to HK$500,000 and imprisonment for up to three years.
A data user may receive data from another data user and later receive notice from that other data user to stop using the data in direct marketing. If it fails to stop using the data, that failure constitutes an offence punishable by a fine of up to HK$500,000 and imprisonment for up to three years.
What are the new requirements on Doxxing?
- Doxxing has been rampant since mid-2019: 967 doxxing cases in 2020-2021
- Since 29 September 2021: Disclosing personal data without consent, with an intent to cause psychological harm, is a criminal offence punishable by up to a HK$1 million fine and five years in jail.
- Privacy Commissioner can launch criminal investigations without referring the case to the police and can access an electronic device without a warrant under “urgent circumstances,” though entering and searching premises still requires a warrant.
- The Privacy Commissioner may also press charges against a doxxing suspect without relying on the Department of Justice to institute a prosecution.
- The rules have extra-territorial effect: Privacy Commissioner may serve a notice to internet service providers – both based in Hong Kong and elsewhere – to take down information deemed as doxxing within a designated timeframe.
Compensation - Can data subjects sue a data user for compensation?
Civil sanctions:
A data subject who suffers a loss due to a breach of the Ordinance is entitled to seek compensation from the data user through civil action, including for emotional distress.
The Commissioner may assist a data subject in taking action by providing legal advice or arranging or subsidising legal representation if the Commissioner considers the action to involve an important question of principle.
What are the requirements in the event of a data breach? What are PCPD recommendations in handling a data breach?
Handling data breaches:
- A data user must take remedial actions to lessen the harm or damage that may be caused to the data subjects in a data breach.
- The Commissioner recommends the following action plan:
Step 1: Immediately gather essential information relating to the breach
Step 2: Contact the interested parties and adopt measures to contain the breach
Step 3: Assess the risk of harm
Step 4: Consider giving a data breach notification
Notification of data breaches:
- PDPO does not require data users to notify affected data subjects, the Commissioner or any other person of data security breaches.
- However, the Commissioner strongly encourages data users to make notification when a real risk of harm is reasonably foreseeable if the data user does not make a notification.
Octopus rewards case. What did Octopus do to breach PDPO?
Summary:
- The Privacy Commissioner took enforcement action against Octopus Rewards Ltd in 2010 as a result of its reward programme.
- The Octopus card is an electronic stored-value payment card used by Hong Kong residents for public transport and for purchases at fast-food restaurants, parking facilities, convenience stores and supermarkets.
- Card holders must register with Octopus in order to take advantage of the Rewards Program. They were requested to supply a broad range of personal information on the registration form (some of which was required for the application to proceed).
- The Privacy Commissioner found that Octopus had breached two of the six Data Protection Principles set out in the Ordinance.
Breach of DPP 3 - Data Use Principle
- Octopus provided the personal information of almost two million cardholders (without their consent) to six business partners for direct-marketing over nearly eight years. This earned Octopus HK$44 million in revenue.
- The sale of personal data is not prohibited by the Ordinance. It can be a legitimate purpose for which data is collected. In the case of Octopus, the sale of personal data was not made clear to data subjects at the time their personal data was collected by Octopus.
Breach of DPP 1 – Collection Principle
- Octopus collected HKID numbers, passport numbers / birth certificate numbers / birthdates from subscribers of Octopus Rewards – for the purpose of customer authentication.
- An Octopus card could store reward dollars up to a maximum of only HK$1,000. So, the Privacy Commissioner found that Octopus had failed to justify their claim that collecting HKID numbers was necessary to safeguard against damage and loss to it.
- A customer could be properly identified by their name, home address and telephone number held by Octopus: collecting their HKID was not justified.
- The Personal Information Collection Statement (“PICS”) issued by Octopus was printed in unreasonably small font.
- The Octopus case led to proposals for reforms, which resulted in the PDPO amendments relating to stricter direct marketing rules about the collection and use of personal data.
If either a data subject or a data user is unhappy with the HK Commissioner’s decision, to whom can they appeal? What can they appeal?
A complainant may appeal to the Administrative Appeals Board (AAB), a quasi-judicial statutory body, against a decision of the Privacy Commissioner not to issue an enforcement notice following an investigation into a complaint.
A data subject can appeal to the AAB against the Privacy Commissioner’s decision:
- not to investigate the data subject’s complaint or
- to discontinue an investigation that has commenced
A data user can appeal to the AAB against the Privacy Commissioner’s decision to issue an enforcement notice.
There is no appeal from the decision of the AAB to a court, but aggrieved parties can seek judicial review of the AAB decision.
Is there extraterritorial jurisdiction for PDPO? What is the PCPD’s position in Google case? Why?
No right to be forgotten / no extra-territorial jurisdiction
- X was arrested in 2014, as reported in several news articles.
- X requested Google LLC to delist the links to these articles.
- Google refused and X complained to the Privacy Commissioner.
- In 2019, the Privacy Commissioner dismissed the complaint – grounds:
(a) Google LLC is a US entity and all operations of the search engine take place outside of Hong Kong, so the Privacy Commissioner has no jurisdiction and
(b) balance should, in any event, lie in favour of freedom of expression and right to information.
- X appealed to the AAB against the Privacy Commissioner’s decision.
- In August 2020 the AAB dismissed the appeal and upheld the Commissioner’s decision and in February 2021 the AAB provided further guidance:
(a) Google LLC is not subject to the PDPO even though the data collected is about HK citizens (i.e. there is no extra-territorial jurisdiction) and
(b) there is no right to be forgotten in HK.
What are the 2 consultative advisory committees? What do they each do?
(1) The Personal Data (Privacy) Advisory Committee (PDPAC):
- was established pursuant to section 11 of the PDPO to advise the Privacy Commissioner on matters relating to personal data privacy protection and the operation of the PDPO;
- receives regular reports on the operational performance of the PCPD and advises the Privacy Commissioner on the handling of major issues relating to the work of the PCPD;
- the Privacy Commissioner is the chairperson of the PDPAC; and
- members of the PDPAC are appointed by the Secretary for Constitutional and Mainland Affairs.
(2) Standing Committee on Technological Developments (SCTD)
- was established to assist the Privacy Commissioner to better perform the statutory functions under section 8(1)(f) of the PDPO, namely researching into and monitoring technological developments that may affect personal data privacy;
- also advises on the drafting of codes of practices, advisories and guidance notes on privacy issues arising therefrom; and
- is co-chaired by the Privacy Commissioner and the Deputy Privacy Commissioner.
In HK - How should consent be obtained? Is there a right to withdrawal of consent? Must consent be obtained from employees? Is online consent permissible?
A data subject can make an opt-out request to a data user at any time, requiring it to:
- stop using their personal data in direct marketing
- stop transferring their personal data to any other person for use in direct marketing
- notify the transferee(s) to whom the organisation has transferred their personal data to stop using it in direct marketing
An opt-out request automatically supersedes any previous consent given by the data subject.
If an opt-out request is done verbally, the data subject should follow up with a written request as cogent proof of the opt-out request made under the PDPO.
When the data user receives an opt-out request from a data subject (after having verified their identity), it should:
- stop using the data subject’s personal data in direct marketing
- stop transferring the personal data to another person for use in direct marketing
- notify the transferee(s) in writing to stop using the personal data in direct marketing
When the transferee receives the written notification, it must cease to use the personal data in accordance with the notification.
The data user is not allowed to charge a fee for complying with the opt-out request.
The data user should allow the data subject to opt-in for new purposes in future upon receiving a fresh consent from them.
What is an enforcement notice in HK? When is it a criminal offence? What is the penalty of breaching?
The Privacy Commissioner can issue an enforcement notice after finding that a data user ‘is contravening or has contravened’ a requirement of the PDPO (including a DPP).
The notice must specify the steps needed to remedy the contravention, ‘including ceasing any act or practice’ and to ‘prevent any recurrence’.
A breach of one of the principles is not by itself a criminal offence, but a breach of any other requirement in the PDPO, such as contravention of an enforcement notice, is an offence.
So, the Commissioner can enforce the principles through the threat of criminal sanction implied in an enforcement notice.
An aggrieved individual can take up a civil suit against the data user for compensation for damage suffered whether or not an enforcement notice has been issued.
Penalties:
- Contravention of an enforcement notice remains an offence: maximum fine of HK$50,000.
- If the offence continues, there is a daily penalty of HK$1,000.
- On a second conviction, these fines escalate to a maximum of HK$100,000 and a daily penalty of HK$2,000.
- If a data user has complied with an enforcement notice and subsequently intentionally does the same act or commits the same omission, he is liable to a HK$50,000 fine and imprisonment of up to two years.
Is the Doctrine of Privity abolished in HK?
Yes, the Contracts (Rights of Third Parties) Ordinance came into operation on 1 January 2016 and abolished the doctrine of privity of contract in Hong Kong.
What are Sections 64 and 66 of the PDPO Amendment 2021 about? What are the penalties?
Effective 8 Oct 2021, the Personal Data (Privacy) (Amendment) Ordinance 2021 (Amendment Ordinance) introduced a targeted and robust regime to enable the Privacy Commissioner and the PCPD to combat doxxing behaviour in Hong Kong more effectively.
Main objectives of the Amendment Ordinance are to amend the PDPO to
(a) create a two-tier offence for disclosing personal data without consent;
(b) empower the Privacy Commissioner to carry out criminal investigations and institute prosecutions for doxxing-related offences (covering any contravention of section 64(1) or (3A), 66E(1) or (5), 66I(1) or 66O(1)) triable summarily in the Magistrates’ Courts (new section 64C); and
(c) confer on the Privacy Commissioner the statutory power to issue cessation notices to request the removal of doxxing messages (new section 66K(1)).
Sections 64(3A) and 64(3B):
- First Tier
- Prosecution means: Summary offence
- Threshold for conviction: Disclosing personal data without the data subject’s consent; and with intent to cause specified harm or being reckless as to whether specified harm would be caused
- Maximum Penalty: Fine of $100,000 and imprisonment for 2 years
Sections 64(3C) and 64(3D):
- Second Tier
- Prosecution means: Indictable Offence
- Threshold for conviction: Disclosing personal data without the data subject’s consent; With intent to cause specified harm or being reckless as to whether specified harm would be caused; and specified harm has been caused to the data subject or his or her family member
- Maximum Penalty: Fine of $1,000,000 and imprisonment for 5 years