Law must be strengthened after Cathay Pacific data scandal
- The former and current heads of the privacy watchdog have clashed over the pace of the probe into the carrier, but there is need for change and to punish those responsible
There can be no dispute that Cathay Pacific has done a bad job in protecting customers’ personal data. But just as the 9.4 million victims wait impatiently for the right punishment to be meted out for the city’s worst data leak, the former and current heads of the privacy commission have locked horns over the pace of investigation. Regrettable as it is, the feud does not change public expectation of a speedy and thorough probe, followed by sanctions that are commensurate with the severity of the incident.
Questions have been raised whether the watchdog should have immediately launched a formal probe instead of a compliance check, the latter of which does not involve criminal sanctions. In response to the carrier’s seven-month delay in disclosing the data leak, former privacy chief Allan Chiang Yam-wang launched a rare attack against his successor Stephen Wong Kai-yi for what he called lax action in pursuing the case. Chiang said compliance checks involved little more than a review of a company’s data security measures with some recommendations. Announcing a compliance investigation on Monday, Wong said any suggestion that the commission would not carry out such a detailed probe at an early stage was “ill-informed, misleading and irresponsible”.
The war of words does nothing for the image and credibility of the watchdog, which is known for having weak enforcement powers. Whatever the nature of the probe, the principle is the same. It has to be conducted in an expeditious and comprehensive manner. The watchdog has set the right tone, saying there are grounds to believe there may have been a contravention of a requirement under the law. The probe will not be complete without improvement in data protection and punishment for those responsible.
The Cathay Pacific fiasco has exposed inadequacies in the existing personal data protection regime. A glaring omission is the lack of a statutory requirement for data users to promptly report breaches. The former privacy chief is right in saying that the city regime has degenerated from a pioneer to one that lags far behind. The incident underlines not only the importance for companies to better protect customers’ data, but also the urgent need to strengthen the law.