Hong Kong has announced that it will apply tougher penalties for data protection crimes. The decision comes after a serious breach at airline Cathay Pacific surfaced in 2018.
The amendments proposed to the regional government’s Personal Data Ordinance establish fines as a percentage of global turnover.
Depending on the severity of an incident, the commissioner might levy fines immediately, without prior notification. The proposals would also mandate breach notifications to the commissioner within five days. That is a couple of days longer than GDPR rules allow, but it represents an improvement on the current situation.
The breach at Cathay Pacific affected nine million customers and became a strong signal that the data protection regime was completely inadequate. The company reported the incident after seven months, although there was no legal obligation to do so.
Privacy improvement in Hong Kong
Thus, the privacy commissioner was powerless to fine the company. There was only an enforcement notice for violation of privacy laws, and the company had to improve its cybersecurity. The failure to comply with the order led to a fine of just HK$50,000 ($6433). Rights groups therefore wrote to Hong Kong’s Legislative Council (LegCo) that the proposals did not go far enough. “LegCo has a huge opportunity to strengthen the outdated law and bring it closer to better models, such as Europe’s privacy laws. Strong protections on how people’s personal data can be collected and used will help assuage fears that mass surveillance tactics used elsewhere could spread to Hong Kong,” said Sophie Richardson, China director at Human Rights Watch (HRW).
HRW’s representatives want to see the definition of personal data. They also ask for a distinction between general personal data and sensitive data, and they want to empower individuals to know how companies use their data. Individuals should also have the right to ask to be forgotten.