Cathay Pacific

Worried after Cathay Pacific’s data breach? Here’s all you need to know about privacy protection in Hong Kong

  • In aftermath of revelation that personal details of 9.4 million airline passengers were compromised, a look at what is regulated and how the law is enforced
  • Top official says it may take time for rules to get tougher
PUBLISHED : Friday, 26 October, 2018, 8:03am
UPDATED : Friday, 26 October, 2018, 9:47am

Cathay Pacific Airways sent ripples of alarm across Hong Kong on Wednesday night when it revealed that the data of 9.4 million passengers was compromised in March. The belated disclosure has raised concerns about how personal data is safeguarded in the city. Here’s all you need to know about privacy protection in Hong Kong.

What does the privacy law regulate?

The Personal Data (Privacy) Ordinance protects the privacy rights of a person in relation to personal data. But non-compliance by a data holder does not automatically constitute a criminal offence. The privacy commissioner first issues an enforcement notice asking the data holder to rectify any breaches, and those who do not do so could be fined up to HK$50,000 (US$6,410) and jailed for two years. There is no statutory requirement that data breaches be reported.

How often is the law enforced?

The Post reported earlier that the number of formal investigations launched by the privacy commissioner for personal data has dropped from more than 100 in 2014 to just one last year. Instead, it has mostly turned its attention to checking individuals and companies for compliance.

From 2014 to 2017, the office conducted between 219 and 279 compliance checks annually. Privacy Commissioner Stephen Wong Kai-yi told the Post the decline in investigations could be attributed to most of the affected data users being “very cooperative” and taking “immediate remedial actions” after the breaches.

When was the law last updated?

The ordinance was enacted in 1996 and last updated in 2012, but the update only addresses direct marketing.

In 2009, the government carried out a public consultation to review the ordinance. This included a proposal to set up a notification system requiring organisations to notify the privacy commissioner and affected individuals when a breach of data security gives rise to the leakage or loss of personal data.

But officials said most people supported setting up the system on a voluntary basis amid concerns that data users would bear an undue burden.

In April this year, Wong said he would review the city’s 22-year-old data protection law following a series of “major data leaks” locally. More than half a million people were affected in an incident relating to an inactive database owned by Hong Kong Broadband Network. The database held information on 380,000 customers, and it was ensnared in a number of cyberattacks targeting travel agencies involving some 220,000 clients.

How do local rules for data breach disclosure compare with those of other countries?

The European Union has toughened its data protection regulation since May 25. Under the new General Data Protection Regulation, companies must report personal data breaches within 72 hours or face a fine of 4 per cent of their annual global revenue.

But lawyers have said the stricter law would not be applicable to the Cathay Pacific breach detected in March, as the EU rules are not retroactive. However, some EU nations such as France, Germany and the Netherlands punish a failure or even a delay in flagging a data breach.

In Canada, it is against federal law not to notify the data regulator or affected persons in the event of a compromise.

Most states in the US require businesses to notify residents of any breaches of personal information. However, the legal consequences for non-compliance are not always clear. California in July passed a law, effective January 1, 2020, stating businesses could be prosecuted for failing to disclose a data breach within 30 days of its happening.

Cathay has declined to comment on where the affected customers are based.

Jonathan Kok, a partner at Singapore-based RHTLaw Taylor Wessing, said affected Cathay passengers could file complaints with regulators in their respective countries, who could then demand answers from the airline about the data breach.

What actions will the privacy commission take regarding the latest breach?

The Office of the Privacy Commissioner for Personal Data said it would initiate a compliance check on Cathay’s data breach. Wong on Thursday said he was considering stiffening the rules, but conceded this could take a long time.

He also stressed that organisations amassing and deriving benefits from personal data should be held to a higher ethical standard, as well as be respectful and fair, as advocated in a report recently put out by his office.