Out-Law / Your Daily Need-To-Know

Hong Kong data protection reforms will impact data transfers and force rethink on consent, says expert

Out-Law Analysis | 10 Jun 2016 | 10:55 am | 2 min. read

FOCUS: Forthcoming changes to data protection laws in Hong Kong are likely to result in tighter controls over the transfer of data outside of the jurisdiction, force businesses to rethink how they legitimise their use of personal data, and stiffen penalties for data breaches.

Hong Kong's privacy commissioner Stephen Wong Kai-yi said recently that changes to EU data protection laws and advancements in technology will prompt a review of Hong Kong's own data protection regime over the next 18 months.

Although Hong Kong's data protection laws are among the most sophisticated in Asia, they are now approximately 20 years old and require udating.

One of the changes businesses can expect to stem from the review is a recalibration of existing rules on data transfers. It is already written into Hong Kong law that personal data cannot be transferred out of the jurisdiction unless there is adequate protection in the destination location. However, those provisions have never been brought into force and currently lie dormant, meaning there are no restrictions on data transfers out of Hong Kong.

This position contrasts sharply with the stringent controls businesses operating in the EU must put in place when sending personal data to countries outside of the trading bloc. The EU has designated some countries as providing adequate data protection, meaning personal data can flow easily to there from within the EU. A series of tools and frameworks, including model contract clauses and binding corporate rules, can be used to transfer of personal data to so-called 'third' countries.

We can expect Hong Kong law makers to adopt a similar system to the EU on data transfers. They are likely to designate locations around the world where they are happy for personal data to be transferred to, and require businesses to put in place technical, organisational and contractual measures to safeguard personal data when moved outside of Hong Kong. Designating territories as safe harbours for data protection would, however, raise difficult questions as to the status that should be conferred on China in relation to the adequacy of its data protection framework.

Another change that the review could prompt is reform to the consent regime.

At the moment businesses wishing to process personal data can do so until people opt out their data from being used for the purpose the businesses are pursuing. This is a business-friendly arrangement as it assumes individuals consent to their data being used and requires their active interference to put a halt to those activities.

However, it is likely that an opt-in consent regime will be favoured by law makers under a reformed data protection framework. This would mean businesses would need to ensure that data subjects have actively agreed to their data being used.

Changing from an opt-out to an opt-in consent regime would create an administrative headache for companies. It is likely that businesses operating in line with existing Hong Kong rules would need to update all their privacy policies to account for the change. Businesses operating online might be encouraged to use consent mechanisms like just-in-time notifications to make customers aware of their intentions to collect data and to seek consent for that to happen through tick-boxes.

Penalties for data breaches and loss of data are likely to be increased substantially under a reformed data protection framework.

At the moment companies that fall foul of data protection rules in Hong Kong can expect to be fined an amount equivalent to approximately £10,000 to 20,000. This level of penalty does not serve as a deterrent.

It is likely that Hong Kong law makers would look to the stiff potential penalties introduced under the EU's new General Data Protection Regulation (GDPR) as a model to implement in Hong Kong too. Under the GDPR companies can be fined up to €20 million or 4% of their global annual turnover, whichever is the greater, where they are responsible for serious breaches of the Regulation.

A model that links data protection penalties to companies' annual turnover would be much more punitive than the existing enforcement regime and would represent a positive response to the public criticism that has arisen over data security in Hong Kong in light of recent high-profile data breaches.

Paul Haswell is a Hong Kong-based data protection law expert at Pinsent Masons, the law firm behind Out-Law.com.