Hong Kong's data protection review is inadequate

Out-Law Analysis | 04 Nov 2009 | 9:20 am | 4 min. read

OPINION: Hong Kong's data protection laws should be brought into line with those of the EU and other countries, according to Hong Kong's Government and privacy office. Unfortunately they are refusing to take the simple steps necessary to achieve this.

Aligning Hong Kong's laws with those of countries that protect data is important. Personal data is the lifeblood of modern commerce and its flow should not be restricted as it is today by an outdated regime.

For the past two years, Hong Kong's data protection regime has been under review and that review will close at the end of this month. A consultation paper was published in August that indicates the likely outcome.

That paper came from the Constitutional and Mainland Affairs Bureau, the body that oversees Hong Kong law and that acts as liaison with the Chinese Government. It contains various suggestions for reform, but an important point has been missed and for reasons that make little sense.

The omission involves a section of the region's privacy law that has never been brought into force, despite sitting on the statute books for the past 14 years. It is section 33 of the Personal Data (Privacy) Ordinance, or PDPO.

Section 33 restricts the transfer of personal data from Hong Kong to any country that lacks a data protection regime. China has no such regime. So at present, there is protection for data while it stays in Hong Kong; but there is nothing to prevent its transfer to China. And if it leaks to all and sundry in China, there is unlikely to be an effective remedy.

The section itself is let down by subjective wording, but that is easily remedied. Basically, section 33 stops you sending data to a country that lacks a similar data protection regime – unless you have a reasonable belief that it has such a regime. The concession to belief is unnecessary and should be ditched.

Subject to that simple tweak, section 33 should be brought into force. The Government's failure to do so leaves a hazardous loophole in Hong Kong's law.

It is easily missed. If you studied Hong Kong's statute books, you would be forgiven for not spotting that section 33 is not in force. Perhaps that is why some people incorrectly characterise Hong Kong as a nation that has a regime as strong as the European Union's.

The difference has not been missed by the European Commission, though. It keeps a list of countries whose laws are deemed 'adequate'. It is a short list and Hong Kong is not on it. As a consequence, personal data can be transferred from EU organisations to Hong Kong, but it is a laborious process. Companies generally have to use 'model clauses', contractual terms that govern the protection of personal data. These are burdensome and a finding of adequacy by the European Commission would circumvent any need for them.

Achieving a finding of adequacy is not the only argument for amending and effecting section 33. It would give individuals greater protection. It would also give organisations more confidence in transferring data to Hong Kong. Any subsequent, unauthorised transfer to China, where the data has no protection, will become a breach of Hong Kong law, not just a breach of contract.

A colleague and I attended a public briefing on the consultation paper in October at which representatives from CMAB and the office of the Privacy Commissioner said they want that qualification. So we asked the panel why the implementation of section 33 was not among their recommendations. After all, it doesn't matter what other reforms are made: absent any control on the flow of data into China, Europe surely will not put Hong Kong on its white list.

The answers were exasperating.

CMAB and the Privacy Commissioner said they are focusing on amending the PDPO, not enacting an already-written provision. That strikes me as a silly argument. If your car has no engine, changing its tyres won't make it go.

They also said that "Hong Kong is not ready" for section 33. The business and commercial impact of enacting it has to be assessed before it is made effective, they said, because it might place an unnecessary burden on Hong Kong commerce.

The "Hong Kong is not ready" argument will be irritatingly familiar to anyone who lives in Hong Kong (it is the same reason that the Government has given for denying universal suffrage). It is a flimsy argument to use against section 33.

There has been plenty of time to assess the impact of section 33, and not only because it has been on the statute books since 1995. Equivalent provisions have long been in force in Europe, Australia, Canada and elsewhere, without business grinding to a halt in these countries.

The Hong Kong business community recognises the problem.

"I am concerned that the issue of trans-border data flows has not been addressed in this review, despite assurances from the Government that this issue is being actively considered," said Ian Christofis from the Professional Information Security Association. "I would like to see an open public consultation on trans-border data flow privacy, including the pros and cons of enacting Section 33 of the Ordinance."

To bring Hong Kong in line with other privacy-protecting nations, the Hong Kong Government needs to amend section 33 and bring it into force. That is how to get data flowing freely and securely to and from Hong Kong. Without these steps, the Government simply will not achieve what it says it wants from its reforms.

By Simon Sorockyj, a Senior Associate in the Hong Kong office of Pinsent Masons, the law firm behind OUT-LAW.COM. The views expressed are the author's own and do not necessarily represent the views of Pinsent Masons.