2020 Review & 2021 Outlook of Personal Data & Privacy Laws in Hong Kong
“There is a saying that if you get something for free, you should know that you are the product. It was never more true than in the case of Facebook, Gmail and Youtube… You get free social media services, you get free funny cat videos. In exchange, you give up the most valuable asset you have, which is your personal data.” —Howard Tullman
In the age of technology, personal data is often described as the new oil. With 2020 causing the great migration to the digital realm (when physical interaction of humans turns more deadly than ever), the accumulation of personal data can be seen as both a great tool (companies can more easily and efficiently design marketing strategies speaking directly with the consumer – thus enhancing digital human connection) as well as a great danger (misuse of personal data can be threatening for any victim).
PERSONAL DATA & PRIVACY LAWS LANDSCAPE OF 2020
“Privacy is dead and social media holds the smoking gun” —Pete Cashmore
Throughout the course of 2020, there had been four (4) major developments in Personal Data and Privacy issues in Hong Kong, notably:
Amendments to PDPO: First and foremost, on 20 January 2020, the Hong Kong Government formally proposed amendments to Hong Kong’s privacy law, the Personal Data (Privacy) Ordinance (Cap. 486) (“PDOP”).
It has long been criticized that the PDPO is in need of an overhaul (largely left un-updated since its inception) and has been overshadowed by the likes of the European Union’s General Data Protection Regulation (“GDPR”), thereby leaving many to claim that the existing PDPO lacks teeth.
Vote vs Privacy: On 21 May 2020, the Court of Appeal in Junior Police Officers’ Association of the Hong Kong Police Force v Electoral Affairs Commission  HKCA 352 held that allowing an absolute unrestricted public inspection of the final register is disproportionate to the aim of ensuring transparent elections.
In this case, the Courts endeavoured to strike a balance between the right to privacy and the right to vote is of utmost importance in contributing to the preservation of integrity of the electoral system as the register holds substantial personal information. To strike a balance between the two prevailing interest, the Court adopted the approach whereby the Court designated specific categories of data users that may access the vote register. It is hoped this will balance transparent election without substantially interfering with the right to privacy, both constitutionally and statutorily.
Impact of National Security Law: On 30 June 2020, the National Security Law (“NSL”) was implemented in Hong Kong. One of the key triggers to the proposal to amend the PDPO is the increasing number of privacy complaints related to doxing and cyberbullying. NSL has affected the issue of privacy in two ways.
Firstly, it is anticipated that proposal to amend the PDPO will be expedited as opponents trying to advance arguments of press freedoms and counterbalances will largely be limited. Second, NSL has been theorized to be used to indirectly enforce against doxing activities against public officers (the foundation for the calls to update the PDPO).
First Enforcement: On 3 November 2020, Hong Kong’s very first conviction under s.64(2) PDPO was made. Many has seen this to be a turning point of privacy laws in Hong Kong as in the past, the PDPO has, to a large extent, been seen as toothless legislation.
It is therefore anticipated that the first enforcement case under the PDPO will lead to more proactive legislation even before the PDPO is to be formally amended.
PERSONAL DATA & PRIVACY LAWS OUTLOOK FOR 2021
All in all, the developments of personal data and privacy actions of 2020 is expected to be the foundation of further developments in 2021. The following are a few projected trends:
As mentioned, the issue of doxing has become a great public concern in recent months. Introduction of new provisions to combat doxing is likely to continue and we will see both legislative action as well as judicial adjudication on such subject matters in the coming year.
Hong Kong is also expected to introduce mandatory data breach notification, which has been a voluntary process in the past. Such change of position, once implemented, is likely to bring a heightened sense of IT internal control amongst organization, a trend that can be observed in Europe since the passage of the GDPR.
2021 is also expecting the introduction of administrative fine regime to empower Office of the Privacy Commissioner for Personal Data (“PCPD”) to carry out criminal investigation and institute prosecution. This development is again implemented in order to address the previous criticism that the PDPO was largely toothless.
2020 has seen an unprecedented increase in fraud cases. 20201 is therefore expecting to see great strides taken to address this vulnerability (which has already claimed scores of victims) with the collaboration with the Hong Kong Police and Hong Kong Monetary Authority on risk of unauthorized credit application through use of stolen personal data.
Lastly, 2021 will also assess impact of personal data privacy of various existing or upcoming anti-pandemic measures (e.g. introduction of Vaccine passport - an act which will undoubtedly see an unprecedented level of cross-border patient data exchange) and issues of how patient data are to be used, stored (and for how long) and transmitted is likely to be seen on the rise as issues surface post-implementation.
All in all, the outbreak of COVID leading to mass migration of humanity online has laid the foundation of transformation of personal data and privacy laws for 2021. The following is a quick sum up of trends to keep a watch for:
Rise of privacy law – legislation and adjudication is likely to lead the charge for introduction of new laws to improve privacy of citizens;
Increased user awareness – the need to focus on cyber hygiene is likely to take a forefront as more users’ attention is drawn to the impact of their personal data; and
Automation – with mass developments of privacy laws all over the globe, we are seeing tech enterprises rushing in to cater to the new market. In order to keep businesses viable amidst of evolving privacy law changes, the above trends all points to the need for a streamline solution (e.g. automation). Requests, filters, consent and preference settings for e-platforms will have to address privacy issues as well.