Reform of Hong Kong’s Privacy Ordinance After 15 Years
Privacy Laws & Business International Report, Vol. 1, Issue 113, pp. 15-17, October 2011
4 Pages. Posted: 16 Dec 2011. Last revised: 7 Feb 2012
Date Written: November 1, 2011
Abstract
Hong Kong’s Personal Data (Privacy) Ordinance (PDPO) was enacted in 1995. It was the first comprehensive data privacy statute in Asia. Although the PDPO was ahead of its time when it was enacted, it has not been amended significantly since then. As a result, it has not kept pace with rising public expectations in relation to personal data privacy. In an attempt to meet those expectations, the Hong Kong Government published the Personal Data (Privacy) (Amendment) Bill in July 2011, following a two-year consultative process, to overhaul the PDPO. The Bill is intended to be introduced into the Legislative Council in its 2011/2012 session. This article is a critique of the Bill.
The Bill does not include the extensive strengthening advocated by the Privacy Commissioner, but does propose modest improvements. Companies will always have to give individuals notice that they intend to sell their personal data, or even use it for their own marketing, but will still be allowed to do so unless the individual exercises an ‘opt out’ right. Breaches can make businesses liable to a fine of up to HK$1 million (US$128,500), an amount that is potentially crippling for a small business. There are considerable anomalies in these provisions. It seems that a blanket ‘Don’t ever sell my personal data’ notice would be possible. This raises the prospect that an inventive ‘Do not sell/market’ list broker could offer a service to send mass written notifications to major Hong Kong organisations, relieving individual data subjects of the burden of multiple notifications, thus turning direct marketing completely on its head. The drafter may also have overlooked the fact that public bodies controlling public registers sell personal data by providing copies of the information in their registers for a fee and are generally obliged to do so by the legislation governing the registers. The Bill would, on its face, apply to prevent them from doing so unless they complied with its notification and objection provisions.
The Bill will improve the current weak enforcement provisions. The Commissioner will now be able to order organisations to remedy contraventions of the Ordinance. Compensation proceedings will now be moved to the District Court, where the usual costs order is ‘no order as to costs’, which may reduce or remove the deterrent effect of the risk of expensive court costs. The Commissioner will also be empowered to assist litigants. For the first time, the Commissioner will also be empowered to assist parties to reach a settlement or compromise. It is possible that the Bill may be strengthened by the legislature (LegCo), because of the extent of public disquiet over the data breach scandals involving police and hospitals, and data sales scandals involving data from the Octopus transit card, banks and telcos.