How cyber security breaches impact personal data protection in particular in relation to the European Union General Data Protection Regulation (GDPR) on Hong Kong businesses

The news of cyber security breaches come waves after waves. Cathay Pacific leaks information consist of passengers’ names, nationalities, dates of birth, travel document numbers and historical travel details. The hacking of Marriott’s Starwood reservation system exposes data of up to 500 million guests. Just over a week ago, Hong Kong credit reporting agency TransUnion was forced to suspend its online services over unauthorised access of personal credit information.

Hong Kong business has largely ignored the EU General Data Protection Regulation (GDPR) that replaced the preceding data protection laws in all European Union (EU) countries on 25 May 2018. The potential impact of GDPR on Hong Kong business with ineffective cyber security measures could be severe.
GDPR primarily affects organisations operating within the EU.  Nevertheless, the GDPR extends the territorial scope of the EU data protection laws to any organisation dealing with EU businesses, or the personal data of EU subjects. Given the diversified businesses or transaction models (e.g. online hotel bookings), GDPR may possibly impact companies in Hong Kong with establishment in EU, or if these companies are offering goods and services to individuals in EU, or even monitoring the behaviour of these individuals.
GDPR replaced the original EU Data Protection Directive 95/46/EC, in which the Hong Kong Personal Data (Privacy) Ordinance (PDPO) was largely modelled. The core of PDPO covering the life cycle of a piece of personal data, in which everyone who is responsible for handling data (data user) should follow the 6 data protection principles, they are: 
  • Personal data must be collected in a lawful and fair way, for a purpose directly related to a function /activity of the data user. (Data Collection Principle)
  • Practicable steps shall be taken to ensure personal data is accurate and not kept longer than is necessary to fulfil the purpose for which it is used. (Accuracy & Retention Principle)
  • Personal data must be used for the purpose for which the data is collected or for a directly related purpose. (Data Use Principle)
  • A data user needs to take practicable steps to safeguard personal data from unauthorised or accidental access, processing, erasure, loss or use. (Data Security Principle)
  • A data user must take practicable steps to make personal data policies and practices known to the public regarding the types of personal data it holds and how the data is used. (Openness Principle)
  • A data subject must be given access to his/her personal data and allowed to make corrections if it is inaccurate. (Data Access & Correction Principle)
In addition to observing the 6 data protection principles, the new GDPR incorporates heavy sanctions for non-compliance, businesses may be subject to fines of up to €20million or 4% of annual global turnover, whichever is higher, for certain infringements. In Hong Kong, non-compliance with PDPO does not constitute a criminal offence directly, the Privacy Commissioner may serve an enforcement notice to direct the data user to remedy the contravention, only disobeying of an enforcement notice is an offence which could result in a maximum fine of HK$50,000 and imprisonment for 2 years.
One of the new GDPR rule in which PDPO does not have a provision is data user must notify relevant supervisory authority within 72 hours of becoming aware of data security breach, and inform affected individuals. Cathay Pacific took 7 months to alert its 9.4 million passengers of the vast personal data leak. Cathay Pacific may have narrowly escaped penalty as the breach was discovered about three months before GDPR came to effect. Marriott may not be as lucky with the recent reveal of personal data breaches, given the volume and sensitivity of personal data taken, and the length of the breach, it has the potential to trigger the first GDPR’s sanction. Another new GDPR rule that PDPO does not have is the provision of individuals to have enhanced rights in respect of their personal data, such as the right to be forgotten.
Just as we are enthralling the data breaches of Cathay Pacific and Marriott, the news of a Hong Kong consumer credit reporting agency TransUnion was forced to suspend its online services by the end of November after a local newspaper published that it was able to easily access the credit information of the city’s Chief Executive and Financial Secretary. It is time to get serious about Cyber Security.
With the proliferation of on-line and mobile application to Internet of Things (IOT), the network of devices, vehicles, and home appliances that contain electronics, software, and connectivity which allows these things to connect, interact and exchange data such as remote health monitoring, self-driven electric vehicle and smart refrigerator. Individual financial and credit information and data on personal behaviour are exchanged and analysed by Big-Data computers incessantly. Hong Kong regulations are lagging behind and must be strengthened to protect personal data from the rapid development of cyberspace.GDPR-Cybersecurity-graph-2.JPG
In managing its data security and privacy, the next steps for an organisation is to adopt and maintain a comprehensive Privacy Management Programme (PMP) which is a framework used to assist in building a privacy infrastructure including the implementation of a cyber-resilient programme, setting up a reporting mechanism for breach notification and developing risk assessment tools, and an effective review and monitoring process. The cyber-resilient programme helps to identify, detect and protect an organisation from vulnerabilities and threats of technologies and applications.
Whether your organisation has any association to Europe, data security and privacy protection must be on top of your agenda.  Nonetheless, if your organisations in Hong Kong has connection to Europe, whether through customers, affiliates or business partners, it should be a matter of urgency to consider the potential impact of the GDPR given it has become effective and the potentially significant penalties.