GDPR (the General Data Protection Regulation) represents the single biggest piece of data privacy legislation ever enacted, with far-reaching consequences for not only EU member states, but jurisdictions across the world. However, is it really that unique? Or have certain Hong Kong regulations already dealt with some of the key issues several years ago?
In the EU and the UK, GDPR has been an organisation-wide focus this year for most businesses that handle customer data. But during our many visits to Hong Kong, we spoke to a large number of financial institutions about the regulation, and the most common response was, “We don’t care about GDPR. We are not in Europe.”
However, when speaking of Hong Kong’s local laws on data protection – contained in the Personal Data (Privacy) Ordinance, or “PDPO” – there is always strong interest in the topic. But how similar (or different) is the PDPO to GDPR? Are we more concerned about the acronym in front of the regulation? Or the requirements behind it?
Breach Notification:
GDPR requires data users to notify the data protection authority in the event of a breach, and to notify the data subjects themselves in the event of a high-risk breach. The PDPO does recommend breach notifications to the Privacy Commissioner and to data subjects, but this is not a mandatory requirement. Therefore, the regulations are similar in this regard, with the exception of GDPR “requiring” and the PDPO “recommending” breach notifications.
Data Processor Obligations:
The data processors’ obligations under GDPR include maintaining processing records, ensuring secure processing, only retaining the data for as long as necessary and promptly reporting breaches. This may be accomplished either via a technical solution, or a contractual agreement. Under GDPR, if a data processor loses data, then the data controller who provided them with the data may also be liable for the breach.
In Hong Kong, data processors are not directly regulated and there is no formal recognition of certification or a privacy seal mechanism for demonstrating compliance. However, the guidance indicates that, when engaging a data processor, there should be contractual or other means to prevent the data from being kept longer than necessary and to prevent unauthorised access, processing or erasure. In essence, the data processor is required to take the same security measures around the data that the data owner would have to take if they were processing the data themselves.
Accountability of Businesses:
In terms of the impact on businesses, the two data privacy regimes vary in the areas of accountability, extra-territorial application and in sanctions. GDPR not only applies to those operating within the EU, but also to controllers/processors outside the EU, if either the offering of goods or services or the monitoring of behaviour is targeted at EU individuals. The PDPO applies to data users who control the collection, holding, processing or use of personal data in or from Hong Kong.
Furthermore, GDPR expressly states the accountability principle, which includes obligations to implement technical and organisational measures, conduct data privacy impact assessments and implement ‘privacy by design’. A data protection officer must be designated if the data processing (a) is conducted by a public body, (b) involves large-scale monitoring of data subjects or (c) specifically involves large-scale processing of sensitive data.
In the PDPO, however, the accountability principle is not explicitly stated, but a privacy management programme is advocated by the Privacy Commissioner, which includes the appointment of data protection officers and the conduct of data privacy impact assessments.
Fines and Penalties:
The sanctions under GDPR include administrative fines on data controllers/processors of up to the greater of EUR 20 million (USD 22.8 million) or 4 percent of global annual turnover for serious breaches. In Hong Kong, the Privacy Commissioner is empowered to serve enforcement notices on data users, the contravention of which can lead to penalties (following judicial processes) of up to HKD 1 million (USD 128,000) and imprisonment for up to five years.
Defining Personal Data:
The most significant differences between GDPR and the PDPO in terms of the rights granted to individuals relate to the definition of ‘personal data’, which defines the scope of data that can be classified as personal, while differentiating between sensitive and non-sensitive data. GDPR defines personal data to mean ‘any information relating to an identified or identifiable natural person’. As such, GDPR includes information such as genetic data and biometric data in its definition.
The PDPO does not provide a distinction between sensitive and non-sensitive personal data for all purposes. It defines ‘personal data’ to mean any data (a) relating directly or indirectly to a living individual, (b) from which it is practicable for the identity of the individual to be directly or indirectly ascertained, and (c) in a form in which access to or processing of the data is practicable.
Rights of Individuals:
An essential component of GDPR is the requirement for consent, whereby consent for data processing must be freely given, specific, informed and unambiguous by a statement or a clear affirmative action from a data subject. Under the PDPO, however, consent is not a prerequisite for data collection, though there is a focus on data users providing notice and then a requirement for prescribed consent if the data is used for new purposes.
Both GDPR and the PDPO involve notice requirements, including those on data retention periods. But compared with GDPR, which includes the right to notice on data processing, the right to erasure of personal data, the right to restriction of processing and data portability, and the right to object to processing (including profiling), the PDPO places far fewer requirements on data users/controllers. There is no right to erasure, no right to restriction of processing or data portability, and no general right to object to processing.
As we can see, GDPR and the PDPO do have several conceptual similarities in that both require the protection of data inside a firm and controls on where it is sent externally, though some might say the PDPO has ‘smaller teeth’.
But I come back to the earlier comment we frequently hear from firms in Hong Kong: “We don’t care about GDPR. We are not in Europe.” Given the global reach of business, and the unimpeded international flow of data, should people care more about the concepts of data privacy as described under GDPR, in spite of their geography? The EU is often seen as having some of the highest regulatory standards in the world – standards other jurisdictions often try to emulate in their own practices.
Should Hong Kong look to refresh the PDPO to take into account the rapid digitalisation of the world we live in today? Time will tell, but it is a question worth asking.
Peter Lancos is Co-Founder and CEO of Exate Technology, with 30 years’ experience in banking. Jennifer is an Analyst at Exate Technology and has authored multiple papers on data privacy.