Change is coming: Direct regulation of data processors

16Oct2020

On 20 January 2020, the Constitutional and Mainland Affairs Bureau, in collaboration with the Privacy Commissioner of Hong Kong, provided its report on recommended changes to personal data privacy law in Hong Kong. In another in his series looking at the implications of the proposed changes, Pádraig Walsh from the Personal Data Privacy and Cybersecurity practice group of Tanner De Witt reviews and assesses the proposal for direct regulation of data processors.

What are data processors?

Data processors play a critical and important role in how businesses operate, but the man in the street many not appreciate the full scope of that role. What, then, is a data processor?

Technically, a data processor is a person who processes personal data on behalf of another person (a data user), instead of for his own purposes. A data processing arrangement is typically for specific purposes and in relation to specific services offered to the data user.

A data processor processes data. So, what is processing? The interpretation in Hong Kong is illustrative, rather than exhaustive. Processing includes amending, augmenting, deleting or rearranging the data, including by automated means.

It always helps to make concepts concrete. Here are some common examples of data processors:

  • outsourced payroll service providers
  • HR consultants
  • marketing agencies
  • CRM service providers
  • outsourced call centres
  • third party document shredder / destruction providers
  • logistics and shipping service providers

Often, the web of relationships can be many and complex. A data processor may use sub-processors. A data user could use different data processors for the same or similar services. The data processor may transfer data to third parties for separate use by that third party. Sometimes, a data processor will use data both for the purposes of the data user, and also for his own uses – and hence also become a data user.

This can get very complex very fast. Add into the mix:

  • Data processors may be in another jurisdiction, and subject to laws and regulations there.
  • Processing covers a broad range of activities, some of which may not intuitively seem like processing.
  • Data processors can range from the sophisticated to the unsophisticated.

So, the role of the data processor is increasingly important in society, but arrangements with data processors are difficult to navigate and regulate.

What is the current position?

The current position is quite simple. The Privacy Commissioner does not directly regulate data processors. Instead, data users are required to ensure that their data processors meet certain requirements under Hong Kong data privacy laws.

This approach was adopted in changes to Hong Kong laws that were implemented in 2012. No new obligations were placed on data processors. Instead, data users were required to adopt contractual or other means[1] to:

  • prevent the data processor from keeping personal data for longer than is necessary (Data Protection Principle 2); and
  • prevent unauthorised or accidental access, processing, erasure, loss or use of personal data (Data Protection Principle 4).

The world was a different place in 2012. Then, the role of data processors was not fully evolved. That evolution has been dynamic and dramatic in the intervening years. We are now in an era of outsourcing and enhanced data analytics.

The present regulatory approach has some obvious deficiencies in light of these rapid changes:

  • Current regulation will not apply to a data processor in Hong Kong that acts purely on behalf of an overseas data user. The Privacy Commissioner has no standing to investigate breaches of Data Protection Principles (DPP) in this situation.
  • The apportionment of responsibility and liability between data users and data processors is often unclear or unstated.
  • The advent of cloud services has complicated the jurisdictional issues and the ability of the Privacy Commissioner to investigate breaches in data centres. If the Privacy Commissioner is potentially unable to investigate date breaches at data centres operated by cloud service providers, then this may one factor that adversely affects Hong Kong’s position as a data hub.

So, an update to the regulatory standards is very welcome.

The experience elsewhere

Direct regulation of data processors (sometimes combined with indirect regulation via the data controller[2]) is the regulatory approach in Australia, Canada, New Zealand, Singapore, and the EU. Let’s look at the EU under the General Data Protection Regulation (GDPR) as an illustrative example.

Here are some of the requirements under GDPR in respect of the direct regulation of data processors:

  • The data processor must maintain records of processing activities.
  • The data processor is held accountable if it does not process data in accordance with the data controller’s instructions.
  • The data processor must ensure security of personal data.
  • The data processor must report data breaches to the data controller promptly.
  • The data processor must appoint a data protection officer.
  • A data processor that outside the EU that processes the personal data of EU persons must appoint a representative in the EU.
  • The data processor must comply with provisions on cross-border data transfer.
  • The data processor must assist with data subject requests, data breach reporting and investigation, and data impact assessments.
  • The data processor cannot use another sub-processor unless it has specific consent of the data controller.

That’s a lot of direct regulation!

These are examples of indirect regulation under GDPR where the activities of the data processor are subject to specific responsibilities of the data controller:

  • The data controller must only appoint data processors that can provide sufficient guarantees in respect of technical and organisational measures that meet GDPR requirements.
  • The data controller must have a written contract with its data processors under an EU Member State law, and use standard contractual clauses in those contracts signed with data processors.

These obligations are the high water mark in international regulation of data processors, but still reflect the reality that data processors are often the key persons in the use of personal data.

The proposal in Hong Kong

The proposals for change in data processor regulation in Hong Kong are pragmatic and reasonable. The intention is to build on the indirect regulation brought into force in 2012. The Privacy Commissioner will have powers of direct regulation and supervision in respect of:

Data retention period: Presently, data users must adopt contractual or other means to prevent personal data transferred to the data processor from being kept longer than is necessary for processing of the data. This will be upgraded to a direct obligation of the data processor that will be subject to regulatory oversight by the Privacy Commissioner. The current slate of proposals will require all data users to adopt a Data Retention Policy[3]. It would be logical for this obligation to also be extended to data processors.

Security: Presently, data users must adopt contractual or other means to prevent unauthorised or accidental access, processing, erasure, loss or use of the data transferred to the data processor for processing. This too will be upgraded to a direct obligation of the data processor.

Breach notification: There will be a direct obligation on data processors to notify its data user and the Privacy Commissioner of data breaches without undue delay. No specific time frame has been announced. The current proposals include a mandatory notification obligation on data users to notify the Privacy Commissioner[4] within five working days. Even if the time frame is not specified, we expect the Privacy Commissioner will expect the notification time frame for data processors to be the same period (if not less).

As these will be direct obligations of data processors, we can expect that breach of these obligations will trigger the planned administrative fining powers of the Privacy Commissioner[5]. This will mean that data processors may have an exposure to fines based on their turnover.

Conclusion

The Privacy Commissioner is not advocating the full suite of obligations included in GDPR. Instead, it is proposing incremental change. However, these changes will help the Privacy Commissioner to fill the gaps in the existing legislation, and follow through on investigation and enforcement of poor practices by data processors located in Hong Kong.

What should data processors do now? Here are some immediate steps to take:

Data retention obligations

  • Conduct a data inventory and data mapping exercise.
  • Understand the personal data the data processor currently holds, and how that personal data is used.
  • Critically review the current Privacy Policy of the data processor.
  • Ensure that the use of personal data is consistent with the Privacy Policy of the data processor.
  • Prepare and implement a Data Retention Policy, which is a key instrument in achieving data minimization.
  • Securely destroy any personal data still being held for a data user, but for which all data processing has been completed.

Data security and reporting obligations

  • Review the information security policies and ensure that proper systems, controls and reviews are implemented in respect of information security.
  • Review data breach policies, and ensure reporting is in place to ensure immediate notification of data breach or data loss.
  • Put in place a data response team comprising internal stakeholders, data user contact points, and external technical and legal advisers, so that swift and accurate data breach reporting can be implemented.

Contractual obligations

  • Review contractual arrangements with data users, and ensure that data processor obligations are clearly stated and risk and liability are fairly shared.
  • Prepare a form of Data Processing Agreement (or addendum) that the data processor can propose for future data processing arrangements.

That’s a lot of preparation and a lot of work. Change is indeed coming, and we, at Tanner De Witt, are ready to help.

Pádraig Walsh

If you would like to discuss any of the matters raised in this article, please contact:

Pádraig Walsh
Partner | E-mail
Kevin Warburton
Partner | E-mail
Edmond Leung
Partner | E-mail
Jeff Lane
Partner | E-mail

[1] Here is a helpful Information Guide on outsourcing data processing from the Privacy Commissioner: link

[2] Data controller is the term used in many other jurisdictions to refer to a data user.

[3] Read our article on the proposed Data Retention Policy obligations here.

[4] Read our article on the proposed mandatory breach notice obligations here.

[5] Read our article on the proposed administrative fining powers of the Privacy Commissioner here.