Why Cathay Pacific data breach warranted an investigation from the outset, not a compliance check
- While compliance checks are useful for relatively minor breaches, they need not precede an investigation in serious cases, former privacy commissioner says
- Hong Kong’s privacy watchdog should make public the outcome of more compliance checks
I refer to the letter from the acting privacy commissioner published on November 8 (“It is wrong to say compliance checks are ‘pointless’ when it comes to claims of data leaks”). The distinction between an investigation and a compliance check is important. The former comprises enforcement activities regulated by the Personal Data (Privacy) Ordinance.
Organisations’ failure to cooperate with the commissioner during the investigation, including the giving of false or misleading information, is a criminal offence. Organisations found to have contravened the ordinance are subject to an enforcement notice, issued by the commissioner to remedy the contravention, non-compliance with which is also an offence. The ordinance was reinforced in 2012 to enhance the effectiveness of these enforcement measures.
By contrast, compliance checks are administrative arrangements lacking the above sanctioning powers. Organisations are not criminally liable for misleading statements. The commissioner would not determine whether there was a contravention of the ordinance and the case would normally be closed if the organisation involved promised to follow the commissioner’s advice for improvement.
Compliance checks serve two purposes. First, due to resource constraints, the commissioner has to be “selective in order to be effective”. Hence, he undertakes investigations of serious breaches and resorts to compliance checks in relatively minor cases.
Secondly, where serious breaches are brought to light by third-party sources, it is fair to ascertain facts from the organisations concerned through compliance checks before deciding whether to initiate an investigation.
The Cathay Pacific data breach is clearly a serious incident. The company publicly announced a data breach which involved unauthorised access to its customer database and necessitated strengthening of its information technology security measures. This should suffice to pass the legal threshold for initiating an investigation, namely, that the incident “may be” a contravention.
To impose a compliance check as a prerequisite was a business-friendly approach, but it may not meet the aspirations of the individuals whose privacy rights the commissioner is statutorily required to protect. There were notable examples from 2010 to 2015 in which self-initiated investigations were not preceded by compliance checks.
More importantly, it exemplifies the current enforcement approach, as indicated by the drastic drop in the number of self-initiated investigations and enforcement notices issued (from 106 and 90 respectively in 2014 to one and three in 2017). There is also a transparency issue. Based on a review of the commissioner’s media releases, the outcome of only three out of 14 compliance checks (the Cathay incident excluded) initiated by the incumbent commissioner following public outcry has been reported so far.
Allan Chiang, former Privacy Commissioner for Personal Data (2010-2015)