Worried after Cathay Pacific’s data breach? Here’s all you need to know about privacy protection in Hong Kong
- In aftermath of revelation that personal details of 9.4 million airline passengers were compromised, a look at what is regulated and how the law is enforced
- Top official says it may take time for rules to get tougher
What does the privacy law regulate?
The Personal Data (Privacy) Ordinance protects the privacy rights of a person in relation to personal data. But non-compliance by a data holder does not automatically constitute a criminal offence. The privacy commissioner first issues an enforcement notice asking the data holder to rectify any breaches, and those who fail to do so could be fined up to HK$50,000 (US$6,410) and jailed for two years. There is no statutory requirement that data breaches be reported.
How often is the law enforced?
From 2014 to 2017, the office conducted between 219 and 279 compliance checks annually. Privacy Commissioner Stephen Wong Kai-yi told the Post the decline in investigations could be attributed to most of the affected data users being “very cooperative” and taking “immediate remedial actions” after the breaches.
When was the law last updated?
The ordinance was enacted in 1996 and last updated in 2012, but the update only addresses direct marketing.
In 2009, the government carried out a public consultation to review the ordinance. This included a proposal to set up a notification system requiring organisations to notify the privacy commissioner and affected individuals when a breach of data security gives rise to the leakage or loss of personal data.
But officials said most people supported setting up the system on a voluntary basis amid concerns that data users would bear an undue burden.
How do local rules for data breach disclosure compare with those of other countries?
In Canada, it is against federal law not to notify the data regulator or affected persons in the event of a compromise.
Most states in the US require businesses to notify residents of any breaches of personal information. However, the legal consequences for non-compliance are not always clear. In July, California passed a law, effective January 1, 2020, under which businesses could be prosecuted for failing to disclose a data breach within 30 days of its happening.
Cathay has declined to comment on where the affected customers are based.
Jonathan Kok, a partner at Singapore-based RHTLaw Taylor Wessing, said affected Cathay passengers could file complaints with regulators in their respective countries, who could then demand answers from the airline about the data breach.
What actions will the privacy commission take regarding the latest breach?
The Office of the Privacy Commissioner for Personal Data said it would initiate a compliance check on Cathay’s data breach. Wong on Thursday said he was considering stiffening the rules, but conceded this could take a long time.
He also stressed that organisations amassing and deriving benefits from personal data should be held to a higher ethical standard, and should be respectful and fair, as advocated in a report recently put out by his office.