Data privacy: Europe does a check up; Hong Kong just trusts

Last month, following a compliance check, the Office of the Privacy Commissioner for Personal Data in Hong Kong said Facebook account holders in Hong Kong were not affected by the data misuse scandal involving Cambridge Analytica.


But the announcement also puts the city’s data privacy protection law into the limelight, highlighting its limitations at a time when technology is evolving quickly.

The Personal Data (Privacy) Ordinance has been in place since 1996. The last amendment was in 2013.

The compliance check came after the UK-based political research firm was found to have had access to the data of around 87 million Facebook users, which was used to influence the general election in the U.S.

The scandal sparked an uproar in the U.S. and set off a heated debate on data privacy protection. In Hong Kong, legislators asked the Privacy Commissioner to look into the matter.

Limited reach

In its response on August 22, the Privacy Commissioner for Personal Data (PCPD) said “the office of Facebook in Hong Kong could not be regarded as ‘data user’ under the ordinance”.

Therefore, the relevant regulatory provisions in the ordinance are “not applicable in this incident”.

In a panel discussion on data privacy on September 4, Mr Tony Lam, Deputy Privacy Commissioner of the PCPD, admitted that Hong Kong’s data privacy ordinance is strictly applicable to operations in and from Hong Kong only.

“Only when a data user – social media operator in this case – controls the collection, holding, processing or use of personal data in Hong Kong or exercises such control from Hong Kong, the ordinance can take effect,” said Mr Lam.

In this case, Facebook Ireland is not a company based in Hong Kong, so the ordinance does not apply. It doesn’t mean it didn’t happen – just that the law in Hong Kong provides no view on the whole situation.

The “non-copyable” GDPR model

At the height of the global debate on data privacy protection, the EU rolled out the comprehensive EU General Data Protection Regulation (GDPR).

Starting from May, the regulation pertains to organisations established in non-EU jurisdictions whenever individuals in the EU are involved.

When asked if Hong Kong’s data privacy protection law can follow suit to cover foreign companies and offshore operations, Mr Lam did not have an answer but said the ordinance is being reviewed.

He also said the strict requirements under the GDPR might not be acceptable for Hong Kong organisations.

“We need the society to come up with a consensus before copying things from the GDPR,” he said. “For example, the GDPR requires mandatory notification of data breach, while it is voluntary in Hong Kong.”

Another difference is that the GDPR requires explicit consent for data collection, while consent is not a prerequisite for data collection in Hong Kong.

The GDPR also stipulates a fine of up to four percent of total worldwide annual turnover, while Hong Kong’s Privacy Commissioner cannot impose any penalties.

We just trust

A major challenge to data protection is the ever-evolving nature of both technology and commercial operations. Legislation might not be able to keep pace with the changes.

For example, the end goal of data collection may not always be clear when artificial intelligence (AI) gets involved.

“Nowadays, we talk about AI and big data analytics. When data is collected, the company may not be able to foresee how the data will be used later on,” Mr Lam noted.

According to Mr Lam, Hong Kong’s personal data privacy ordinance is technology-neutral, so singling out any piece of technology would not be the right approach. Otherwise, the ordinance would not be sustainable.

But instead of detailing how the ordinance can be improved to address these evolving developments, Mr Lam turned the focus to how companies should take the initiative to protect their clients’ privacy.

“We encourage the companies to adopt the Privacy Management Programme, build an inventory and review how the data they collect is processed,” he said.

“Companies should have a sense of corporate data responsibility, as it is also a form of corporate social responsibility,” he said.

(Printer – R&R Publishing Limited, Suite 705, 7/F, Cheong K. Building, 84-86 Des Voeux Road Central, HK)