Hong Kong is set to follow the lead of European regulators in applying tougher penalties for data protection infractions, following a serious breach at airline Cathay Pacific in 2018.
Proposed amendments to the regional government’s Personal Data (Privacy) Ordinance, which cited the GDPR, would see fines levied as a percentage of global turnover, according to reports.
The privacy commissioner may even be given powers to levy fines immediately depending on the severity of an incident, without first needing to issue an enforcement notice.
The proposals would also mandate breach notifications to the commissioner within five days, a couple of days longer than GDPR rules but still an improvement on the current situation.
The breach of Hong Kong’s national carrier two years ago, which affected over nine million customers, shone a light on the inadequacies of the Special Administrative Region (SAR)’s existing data protection regime.
It took Cathay seven months to report the incident, although it was under no legal obligation to do so at all.
The privacy commissioner was powerless to levy fines: instead, the only option was an enforcement notice citing violation of privacy laws and ordering the firm to improve its cybersecurity posture. Failure to comply with the order leads to a fine of just HK$50,000 ($6433).
Rights groups have written to Hong Kong’s Legislative Council (LegCo), arguing that the proposals still don’t go far enough.
The government’s current proposal is too narrow, and LegCo now has a critical opportunity to strengthen this outdated law and bring it closer to better models, such as Europe’s privacy laws,” said Sophie Richardson, China director at Human Rights Watch (HRW).
“Strong protections on how people’s personal data can be collected and used will help assuage fears that mass surveillance tactics used elsewhere could spread to Hong Kong.”
HRW also wants to see the definition of personal data under the ordinance broadened, and a distinction to be made between general personal data and sensitive data, with the latter subject to stricter conditions.
It also argued for stronger rights for data subjects over how their data is used: for example, mandating firms to obtain explicit consent before using personal data, and empowering individuals to have data erased if they choose.
Such elements are all key parts of the GDPR. Various parts of the EU regulation can also be found in the new California privacy law, CCPA.