Change is coming: Proposed Mandatory Data Breach Notice Requirements in Hong Kong

11 Sep 2020

On 20 January 2020, the Constitutional and Mainland Affairs Bureau, in collaboration with the Privacy Commissioner of Hong Kong, provided its report on recommended changes to personal data privacy law in Hong Kong. In another article in his series looking at the implications of the proposed changes[1], Pádraig Walsh from the Personal Data Privacy and Cybersecurity practice group of Tanner De Witt reviews and assesses the proposal to introduce mandatory personal data breach notification requirements.

The current position

Presently, Hong Kong law does not require a data user to notify either the Privacy Commissioner or data subjects that a personal data breach has occurred. Nonetheless, businesses in Hong Kong already have good guidance from the Privacy Commissioner on what he believes is good practice when responding to a personal data breach. A suggested personal data breach notification form has been published since 2010[2], and guidelines have been updated as recently as 2019[3].

Recently, in the personal data breach that occurred to Cathay Pacific and Hong Kong Dragon Airlines (as it was then known), suspicious activity was first observed on 13 March 2018. A voluntary personal data breach notification was made to the Privacy Commissioner and data subjects on 24 and 25 October 2018 respectively – almost seven months later. The Privacy Commissioner noted in his Investigation Report[4] that this did not contravene the Personal Data (Privacy) Ordinance. This was the case even though there were approximately 9.4 million affected data subjects. However, the Privacy Commissioner did express his opinion that Cathay Pacific could have notified the affected data subjects of the suspicious activity once detected, and advised them of the appropriate steps to take earlier[5].

It was clear that voluntary notifications were not working. It was only a matter of time before the Privacy Commissioner revisited this perceived gap in our personal data privacy regime. That time has come.

The international practice

The international gold standard practice is set by the mandatory breach notification requirements under GDPR. Businesses must notify their supervisory authority in the EU without undue delay, and where feasible, no later than 72 hours after becoming aware of the breach[6]. Notification is not needed if the breach is unlikely to result in a risk to the rights and freedoms of individuals. Businesses must also notify data subjects without undue delay if the breach is likely to result in a high risk to the rights and freedoms of individuals, unless some limited exemptions apply[7].

The content of the personal data breach notification to the supervisory authority must:

  • describe the nature of the personal data breach;
     
  • describe the categories and approximate number of data subjects concerned;
     
  • describe the categories and approximate number of personal data records concerned;
     
  • state the name and contact details of the data protection officer or other contact point where more information can be obtained;
     
  • describe the likely consequences of the personal data breach; and
     
  • describe the measures taken or proposed to be taken by the business to address the personal data breach, including measures to mitigate its possible adverse effects.

The content of the personal data breach notification to the data subject must be in clear and plain language, and must:

  • state the name and contact details of the data protection officer or other contact point where more information can be obtained;
     
  • describe the likely consequences of the personal data breach; and
     
  • describe the measures taken or proposed to be taken by the business to address the personal data breach, including measures to mitigate its possible adverse effects.

The most striking feature of the GDPR mandatory breach notification obligation is the 72-hour period for notifying the supervisory authority. This is an aggressive timeframe. A business would not be able to adequately deliver the content needed in the notification unless it has adopted privacy by design principles to equip itself with the technical resources to have that information readily to hand in a crisis situation. Apart from Australia (which has a 30-day notification period), other jurisdictions reviewed by the Privacy Commissioner did not impose a specific timeframe. They merely required notification as soon as practicable.

Although mandatory breach notification is not ubiquitous, many peer jurisdictions in Asia have either implemented breach notification obligations (e.g. Philippines, Thailand), or are planning to do so (e.g. Singapore). This is an example of GDPR setting the standard, and other jurisdictions converging to that standard. Hong Kong is part of that trend.

The proposed changes in Hong Kong

Here is a summary of the changes proposed in Hong Kong, and our comments on them:

Personal data breach: This will be defined to mean a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Comments:

  • This is the same definition as GDPR.
     
  • Businesses will need to be aware that a personal data breach will occur even for accidental breaches; it is not just related to unlawful acts. So, for instance, a business will need to consider making a notification if an employee loses a work laptop in a taxi that contains personal data.
     
  • Unauthorised access to personal data can also be a personal data breach – even if no loss or disclosure of personal data occurs.

Notification threshold: The proposal is that a data user must report a personal data breach that has a real risk of significant harm, and the notification must be made to the Privacy Commissioner and the affected data subjects. 

Comments:

  • GDPR uses a different threshold for notifications to the supervisory authority and to data subjects. Under GDPR, a notification must be made to the supervisory authority if the breach is likely to result in a risk to data subjects, and to data subjects if the breach is likely to result in a high risk to data subjects. The changes in Hong Kong will use a single common standard notification threshold for the Privacy Commissioner and for affected data subjects. This is set to the standard of a real risk of significant harm – which is similar to the high risk standard used in GDPR. This may reduce the volume of notifications, and could help the Privacy Commissioner in Hong Kong to avoid the distraction of being required by statute to respond to or oversee relatively trivial personal data breaches.
     
  • GDPR frames the personal data breach threshold as a risk to the “rights and freedoms of individuals”. This language reflects that in the EU privacy and personal data protection has conventionally been viewed as a protected human right. Arguably, Hong Kong does not share this perspective to the same extent.
     
  • The Privacy Commissioner is giving further consideration to the factors the data user should take into account when determining whether a personal data breach has reached that notification threshold. The likely factors will include the type, sensitivity and amount of personal data leaked; the security level of the personal data involved; the number of affected data subjects; and any special characteristics of the personal data breach, the data user or the data subjects.

Notification timeframe: The obligation to notify the Privacy Commissioner will need to be fulfilled as soon as practicable but not more than five business days after the data user becomes aware of the personal data breach. The Privacy Commissioner will be empowered to direct the data user to notify the affected data subjects within a timeframe he prescribes. This will take account of the need to allow the data user to investigate and verify the suspected personal data breach incident before notifying affected data subjects.

Comments:

  • The Privacy Commissioner is opting for a reporting period of five business days. This is less aggressive than GDPR, or the proposals for change in Singapore (which are also based on 72 hours). However, it is still a challenging time frame. Businesses will need to ensure they have the systems, policies and procedures in place to respond swiftly when they learn of a personal data breach. Otherwise, it will be difficult, if not impossible, to respond with the information needed within the notification timeframe.
     
  • The Privacy Commissioner seems to be considering a two-stage approach to notification to affected data subjects. In the first stage, the data user must notify the Privacy Commissioner no later than five business days after learning of the personal data breach. Then in the second stage, the Privacy Commissioner will give a direction on if and when data subjects must be notified, and the data user must comply with that direction. This places the onus on the Privacy Commissioner to dictate the timing of notifications to affected data subjects.
     
  • We expect this two-stage approach proposal to be modified in the course of introducing the legislation. We expect that the data user will be placed under the obligation to notify data subjects as soon as practicable, unless an exemption applies. Then, the Privacy Commissioner’s role will be to review and direct what can be considered “as soon as practicable”.
     
  • Businesses should prepare for the general expectation that notification to affected data subjects (if needed) should be given at or shortly after the notification to the Privacy Commissioner. Again, businesses will need to ensure they have the systems, policies and procedures in place to meet this obligation.

Mode of notification: Notification to the Privacy Commissioner will be a written notification by way of email, fax or post. Information to be included in the notification will include:

  • description of the data security incident;
     
  • cause of the personal data breach;
     
  • type and amount of personal data involved;
     
  • assessment of the risk of harm;
     
  • remedial action taken by the data user to mitigate the risk of harm; and
     
  • action that data subjects should take.

Comments:

  • There are no surprises here. These topics are similar to those specified under GDPR, and also in the sample Data Breach Notification Form published by the Privacy Commissioner. We can expect that the Privacy Commissioner will provide templates of and guidelines on the notification mechanism to facilitate notification by data users.
     
  • No definitive guidance is given yet on the mode of notification to affected data subjects. We expect that this will be by direct notification, but with the possibility of using other means of mass publication and notification if direct notification is too burdensome.

Final thoughts

One of the challenges in breach notifications is to ensure consistent, accurate and complete communication of information to all persons that need to be notified. This applies on a number of levels. Communications certainly have a legal component, particularly with regulators. Businesses will need to consider their data breach reporting obligations to regulators other than the Privacy Commissioner – particularly in the financial services sector. However, the subject of communication management is broader than just regulatory reporting obligations. The engagement of public relations and communication consultants with experience in crisis communications is often a necessary, prudent and helpful step.

Businesses should think now about their response team if a personal data breach is identified. The response team should include:

  • an executive with decision-making authority;
     
  • a team leader responsible for overall coordination;
     
  • external legal counsel;
     
  • internal security and IT personnel;
     
  • external technical experts; and
     
  • representatives from key functions including legal, human resources, customer relations, public relations, operations, and finances.

A very practical tip is that businesses should clear engagement and onboarding processes with the external advisers they intend to use if a personal data breach occurs. AML and KYC processes are such that it might take days, or in extreme cases, weeks, to conclude those processes. This will be a significant obstacle when facing a five business day notification timeframe to the Privacy Commissioner.

It is important to involve external legal counsel from the start. In the course of its legal advice, external legal counsel may engage external technical experts, gather information about the breach and provide legal advice. This early involvement may help legal professional privilege to attach to confidential internal and external communications about the personal data breach.

One feature absent from the proposals is a requirement for a business to formally appoint a data protection officer, with certain statutory duties and responsibilities placed on the data protection officer. This would be an effective means to ensure that the Privacy Commissioner has a point of contact to work with in overseeing the response to a personal data breach. This is one of the key functions of a data protection officer in other jurisdictions that have them.

The Privacy Commissioner has explained that the primary purpose for proposing a mandatory personal data breach notification is to help ensure that the Privacy Commissioner can monitor the handling of personal data breaches by the businesses concerned, and to give businesses the opportunity to seek instructions from the Privacy Commissioner for follow-up to mitigate or prevent further damage resulting from the personal data breach. This is consistent with the policy and philosophy of the Privacy Commissioner. Mandatory personal data breach notifications may be challenging, but they need not necessarily be feared.

Next steps

Although the legislative process can be uncertain in Hong Kong, we expect the proposals to be introduced to the Legislative Council this year, and they may be passed into law in the course of 2021.

Businesses should give serious consideration now to how they will cope with mandatory breach notification obligations. Businesses should not wait until a crisis occurs to practise managing one. In a crisis, people do not rise to the level of expectation; they fall to the level of their training.

Now is the time to:

  • prepare or review systems, policies and procedures to facilitate the response to a personal data breach.
     
  • identify the crisis management team – internal and external – to be instructed if a personal data breach occurs.
     
  • clear engagement and onboarding processes now with the selected external team.
     
  • conduct training and simulated exercises to prepare for a personal data breach crisis response.
     
  • keep regularly updated on the implementation of these proposed new laws.

We, at Tanner De Witt, can help you with these steps. Start preparing. Change is on the way.

Pádraig Walsh


Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.


[1] See our other articles giving an overall summary of the changes, the change to the definition of personal data, and the proposed administrative fining powers.
[2] See this link
[3] See this link
[4] Paragraph 69
[5] Paragraph 71
[6] Article 33, GDPR
[7] Article 34, GDPR