Why Hong Kong privacy watchdog has all but given up on investigating data breach complaints
Privacy Commissioner Stephen Wong says office now places more emphasis on education and publicity
Hong Kong’s privacy watchdog has all but stopped formally investigating data breach complaints, with the number of cases plunging from more than 100 in 2014 to just one last year, a Post analysis shows.
Privacy Commissioner Stephen Wong Kai-yi conceded there had been a change in strategy with regard to investigating data breaches, but said that many incidents were unintended and the alleged offenders had been cooperative.
He said the Office of the Privacy Commissioner for Personal Data (PCPD) now placed more emphasis on education and publicity as it believed “prevention is better than cure”.
“With privacy culture continuing to grow, and in view of the fact that most of the data breaches of the [Personal Data (Privacy)] Ordinance were found to be unintended, the PCPD has therefore shifted from ‘name and shame’ to assisting organisations in containing the possible damage caused,” Wong said in a written response to the Post.
Human rights organisations, however, warned that, like other statutory bodies, the privacy watchdog should not forgo its power to launch investigations.
Since Wong took office in August 2015, the number of investigations launched by the privacy watchdog has fallen drastically.
The Post reported on Monday that the commissioner had rotated staff away from their areas of expertise, including head of enforcement and complaints Daniel Leung Chin-wah being moved to corporate support a year after Wong took up the post.
In 2014, under former commissioner Allan Chiang Yam-wang, there were 106 office-initiated investigations. The number fell to 76 in 2015 and there were just four investigations the following year.
The one investigation last year concerned the electoral office’s loss of two notebook computers which contained the personal information of 3.7 million voters.
The office estimated there would be two investigations this year, according to its budget forecasts.
The number of enforcement notices issued to companies to rectify privacy loopholes also dropped greatly – from 90 in 2014 and 67 in 2015 to just six in 2016 and three last year.
Under the Personal Data (Privacy) Ordinance, contravening an enforcement notice could result in a maximum fine of HK$50,000 (US$6,410) and two years’ imprisonment.
Instead, the watchdog now mostly relied on conducting compliance checks on individuals and companies, while only recommendations would be made over suspected data breaches, according to analysis by the Post.
From 2014 to 2017, the office conducted between 219 and 279 compliance checks annually.
The office, however, said its workload had not decreased. The Constitutional and Mainland Affairs Bureau, under which the watchdog operates, told lawmakers in April that the office still had to gather facts and provide advice in compliance checks, and resources involved were “broadly comparable” to statutory investigations.
Wong said in his response to the Post that the drop in investigations was because most of the data users in question were “now very cooperative and would take immediate remedial actions after data breach incidents have occurred”, which did not warrant investigations.
He added that instead of a regulatory framework, regulators should consider incentivising organisations and businesses to observe privacy practices in the context of technological development.
After a major hack into a broadband provider’s inactive database last month, Wong said it was time to review the city’s privacy law and echoed calls to step up his office’s enforcement power.
“Lawmakers think our enforcement power has to be increased. I see their point,” he said.
Veteran journalist Stephen Loh Chan, who sits on the Privacy Data Advisory Committee and advises the commissioner, said the office had not deviated from its role as a regulator and that he was not aware of there being fewer complaints.
“The main role of the PCPD is to handle complaints,” Loh said. “Some of the complaints just couldn’t even be established.”
Loh also agreed with Wong that several small and medium enterprises swiftly fixed data breaches once the watchdog gave them advice. “So that does not warrant further investigation.”
However, a lawmaker and a human rights group warned that the privacy watchdog should make better use of its statutory power and investigate easily overlooked breaches.
“An investigation is also a means to warn others not to repeat the mistake,” Democratic Party lawmaker Lam Cheuk-ting said. “So fewer investigations could also mean less public education or a deterrence effect.”
Law Yuk-kai, director of Hong Kong Human Rights Monitor, said that although the watchdog operated with limited resources, it had a statutory duty to fully look into potential breaches, especially in areas where there were few complaints or residents dared not complain.
“It has a duty to identify the root cause and rectify it by an investigation,” Law said. “Or else the PCPD will just follow complaints that may come and become reactive, and it cannot improve the privacy protection system.”