Cathay Pacific data breach: investigation should follow only after due process of compliance checks is complete
- A compliance check preceding a compliance investigation has nothing to do with the stringency of determining a contravention
- A check can provide the organisation with an opportunity to be heard, in line with procedural fairness
In response to the views expressed in the RTHK programme, Letter to Hong Kong, on November 3, and the inaccurate and misleading information arising from some media reports, I hereby provide more information to clear any misunderstanding that may have been caused.
Over the Cathay Pacific data breach incident, upon receipt of the relevant notification, the privacy commissioner for personal data, Hong Kong, announced the initiation of a compliance check in accordance with the Personal Data (Privacy) Ordinance. It would be inappropriate for us to disclose the details of Cathay Pacific’s notification.
Under the ordinance, the privacy commissioner may carry out a compliance investigation where he has reasonable grounds to believe that there may be a contravention. It has been an established policy that, upon receipt of a data breach notification, a compliance check will be initiated to find out more information. A compliance check has always been part and parcel of the process of determining if there exist reasonable grounds to believe that there may be a contravention. And, if so, a compliance investigation will ensue.
I must stress that a compliance check preceding a compliance investigation has nothing to do with the stringency of determining a contravention. Times have changed. Data breaches involving hacking have become more common. Reasonably practicable steps on the part of the data user to safeguard data security may absolve the data user of responsibility. A check can actually provide the organisation with an opportunity to be heard, in line with procedural fairness.
It is simply incorrect to suggest that, after a compliance check, the process of compliance investigation will automatically stop. The suggestion that the Office of the Privacy Commissioner for Personal Data (PCPD) would not carry out a detailed compliance investigation of the reported incident at the earlier stage is ill-informed and misleading. Any suggestion that compliance checks are “pointless” or “a waste of public resources” is misconceived.
Fair enforcement and process propriety are what we strive for. The regulator must guard against trial by reported information, and unconsidered intervention over an outcry.
As a fair regulator, the PCPD does not regulate for figures but results. It is regrettable that only one case of “investigation” and “report” was selected and highlighted as the basis for ungrounded criticism, as there are other compliance investigations arising out of complaints received.
Pursuant to section 48(2) of the ordinance, compliance investigation reports will only be published where it is in the public interest to do so. In other words, investigation reports are published on a justification basis. It is not right to say that compliance investigations would automatically and necessarily lead to publication of reports. Further, the PCPD does issue detailed press statements to inform the public of the findings upon completion of significant compliance checks or compliance investigations.
On the need for revision of the ordinance, it should be noted that any suggestions to reform the law should be considered in light of the interest of all stakeholders; the legitimate purpose; the pressing need; proportionality; the local circumstances; and the relevant global development, with a view to striking a proper balance between data privacy protection and other rights, including the free flow of information, and the freedom of expression and of the press.
The PCPD has an obligation to review the ordinance from time to time. Our considered observations and recommendations on the areas of the law that warrant amendments will be made known to the government and the public within months.
Tony Lam, acting privacy commissioner for personal data, Hong Kong