Change is coming: Administrative fining powers of the Privacy Commissioner

On 20 January 2020, the Constitutional and Mainland Affairs Bureau, in collaboration with the Privacy Commissioner of Hong Kong, provided its report on recommended changes to personal data privacy law in Hong Kong. In another in his series looking at the implications of the proposed changes, Pádraig Walsh from the Privacy and Cybersecurity practice group of Tanner De Witt reviews and assesses the proposal to grant the Privacy Commissioner administrative fining powers.

Administrative fines are the poster child of regulation. It’s the equivalent of the star striker. There may be ten other players in the team, but it is he who puts the ball in the net who gets the headlines. When GDPR was introduced, among all the sweeping changes, the administrative power of data privacy regulators to impose a fine of 4% of global revenue caught the most attention.

Why are administrative fines important? Looking at the here and now highlights the gap in the enforcement of data privacy regulation in Hong Kong.

The current position

The position at present is quite simple. The Privacy Commissioner has no statutory power to impose an administrative fine.

The current mechanism for enforcing data protection principles (DPP) is that the Privacy Commissioner may issue an enforcement notice requiring a data user to remedy a data user’s breach of DPPs. The data user could be fined or imprisoned if the breach continues after the period stipulated in the enforcement notice – but to do so would require a criminal prosecution brought by the Department of Justice. This is cumbersome, and takes time.

The amount of the criminal fines themselves do not carry a strong deterrent effect. Failure to comply with an enforcement notice can attract a fine of up to HK$50,000. From 1996 to June 2020, only 35 cases resulted in conviction by court (which were mostly for direct marketing offences), and the fines imposed were all relatively low. So, privacy protection is not a prosecution priority, and when prosecutions occur, the outcome does not yield a deterrent effect.

The current enforcement position does not help the Privacy Commissioner to deliver a robust answer to the naysayers who might ask, so what? Yes, personal data privacy is important. Yes, it is a human right. Yes, there are statutory obligations. Yes, there are principles and good governance you should follow. But, if you don’t … so what? Right now the answer is you might get an enforcement notice, and after a while, you might be prosecuted, and if you do, you might get a fine (and not a big fine). There’s a gap to be filled.

The experience elsewhere

The power of data privacy regulators to impose administrative fines is not ubiquitous. Data protection regulators in Canada, Australia, Japan and New Zealand do not have fining powers. However, many key jurisdictions have introduced this power. These include Singapore, South Korea, UK, and the EU. Also, administrative fining powers are included in new legislation pending introduction in India and Thailand. The trend is clear.

The real barometer for the impact of introducing administrative fining powers is the EU.

The administrative fining powers under GDPR apply to all businesses, large and small. The fine-setting approach is intended to be flexible and adjustable to the size of the business. This is achieved by measuring the fine by reference to the revenue of the business, as one of the alternative measures for assessing the fine. However, the maximum possible fines are significant enough to have a deterrent effect.

There are two tiers of fining under GDPR – one for less serious infractions, and the other for more serious breaches.

The less severe infringements could result in a fine of up to €10 million, or 2% of the business’ worldwide annual revenue in the preceding financial year, whichever is higher. These include breach of basic procedural requirements for data controllers and data processors, and the requirements that apply to certification and monitoring bodies.

The more severe cases can result in a fine of the higher of up to €20 million, or 4% of the business’ worldwide annual revenue in the preceding financial year. More severe cases include breach of provisions relating to collection of sensitive personal data, unlawful collection or processing, not obtaining consent for collection or processing when needed, not fulfilling data subject rights, and breach of transfer obligations for personal data for transfers to a third party or a non-EU country[1].

Any fine is imposed after an assessment of the breach by the data protection regulator. This takes into account a range of factors, including:

• Gravity: How many data subjects were affected, and what was the level of damage suffered by them?
• Intention: Was the infringement the result of an intentional act?
• Mitigation: Did the data controller or data processor act promptly to mitigate the damage suffered by data subjects?
• Responsibility: Did the data controller or data processor take steps before the breach in respect of privacy by design and default, and other security measures?
• History: Are there prior infringements?
• Co-operation: Did the data controller or data processor co-operate with the data protection regulator?
• Sensitivity: Were any sensitive categories of personal data affected by the infringement?
• Notification: Did the data controller or data processor notify the data protection regulator promptly and fully?
• Certification: Did the data controller or data processor adhere to approved codes of conduct or certfications in its business?
• Other factors: Are there any other aggravating or mitigating factors?
• One fine: If there are multiple GDPR violations from the same processing operation, only the most severe violation will be the subject of the fine.

There have been some breathtaking fines imposed under GDPR that have attracted significant media attention. Here are the current top five fines[2]:

	Data controller	Euros	Country
1.	British Airways[3]	€204,600,000	United Kingdom
2.	Marriott International[4]	€110,390,200	United Kingdom
3.	Google	€50,000,000	France
4.	H&M	€35,258,708	Germany
5.	TIM	€27,800,000	Italy

The introduction of administrative fines of this magnitude has supported the level of awareness of GDPR, and this approach has assisted in achieving a higher standard of adherence to data privacy principles.

The proposal

Reviewing how GDPR has approached administrative fines is important. It sheds light on the approach to adopt when other jurisdictions consider taking the same step. Let’s look at the proposal to introduce administrative fines in Hong Kong.

The basic proposal is that the Privacy Commissioner will be conferred with powers to impose administrative fines. The maximum level of fine will be a fixed amount or a percentage of the annual turnover, whichever is higher. The maximum levels have not been announced. Also, it is not known whether the turnover in question will be global turnover, or turnover within Hong Kong. The Privacy Commissioner is considering classifying data users of different scales according to their turnovers to match with different levels of administrative fines. This suggests that there will also be a tiered level of administrative fines to distinguish between procedural and more serious breaches.

The Privacy Commissioner will also publish a set of factors to consider in respect of a fine. These will include:

• the nature of the data compromised;
• the severity of the data breach;
• the data user’s level of intent in respect of the breach;
• the attitude adopted by the data user in respect of breach handling;
• remedial action taken by the data user; and
• the track record of the data user.

The administrative procedure for imposing an administrative fine will follow processes intended to reflect a degree of natural justice. The Privacy Commissioner will issue the data user a notice of intention to impose an administrative fine specifying:

• the circumstances of the breach;
• the investigation findings;
• the indicative level of fine; and
• the rationale for the penalty.

The data user will be given at least 21 days to make representations after the notice of intention. Once the administrative fine is made final and imposed by the Privacy Commissioner, the data user may appeal to the Court or the Administrative Appeals Board against the notice within 28 days.

Administrative fines will be credited to the Hong Kong government.

Fines or penalties?

On 4 March 2020, the Information Commissioner Office in the United Kingdom imposed a fine of GBP£500,000 (or €552,000 at current prevailing rates) on Cathay Pacific, a Hong Kong business, for failing to protect the security of its customers’ personal data[5]. This was under the UK Data Protection Act 1998 that preceded GDPR. If GDPR had applies, the nature of the breach would have been assessed under the higher tier of administrative fines and the maximum possible fine could have been up to €550,000,000. Is it conceivable that a regulator (not a Court) could impose an administrative fine of that amount in Hong Kong?

A series of Hong Kong cases has looked at administrative fining powers of regulatory bodies. The cases assess whether administrative fining powers are punitive in nature. If so, this would result in the administration of criminal justice outside of the Courts, and that is contrary to the Basic Law in Hong Kong. These cases recognise and support the importance of administrative tribunals and bodies in providing speedy, cheaper and more accessible justice than Courts in some circumstances. Typically, those circumstances are reviewing breaches of new statutory obligations.

In the first stage of the proposed administrative process, the Privacy Commissioner will act as prosecutor and judge. This is similar to the role of the Securities and Futures Commission (SFC) or the Hong Kong Monetary Authority, and their role as regulator has come before the Hong Kong courts. The SFC must police conduct among licensed persons in the financial markets in Hong Kong, and take disciplinary action where it believes there has been misconduct. The Courts have refused an application for judicial review against disciplinary proceedings of the SFC[6]. This was on the basis that there was already a speedy and inexpensive administrative review and appeal process in place, and the Court recognised that the SFC was not required to follow the full rigours of a court process.

In the second stage of the proposed administrative process, the data user may appeal to the Administrative Appeals Board. Appeals from disciplinary decisions of the SFC have a similar right of appeal to the Securities and Futures Appeal Tribunal (SFAT). The Court has responded to challenges to the jurisdiction of the SFAT, and havereaffirmed that administrative tribunals are different to criminal courts[7]. Administrative tribunals and bodies do not decide criminal guilt or impose a penal sanction or punishment, nor do they decide civil liability. Tribunals establish and perform a regulatory and protective role. Even though sanctions may have a deterrent effect, their primary purpose is protective. Also, the appeal process ensures natural justice would be served by having a full adversarial hearing before an independent tribunal comprised of people suited to make the decision[8].

We can look to echoes of these principles in the preparation for GDPR in the EU. The EU has directed that data protection regulators should identify a corrective measure that is effective, proportionate and dissuasive[9]. Andrea Jelinek, chair of the European Data Protection Board, stated that the first task was not to fine companies, but to look if they are compliant[10]. The primary purpose is protective. Other data protection authorities stated that fines would only follow a long and detailed assessment of accountability that resulted in identifying an infringement[11]. Accountability and protection again are highlighted. It’s also quite clear that the general trend is for fines to be well below the maximum permitted levels.

The Privacy Commissioner is taking a similar approach in respect of the proposals in Hong Kong. The Privacy Commissioner is not seeking a transfer of existing enforcement powers, or to oust the current criminal prosecution powers. In fact, the Privacy Commissioner is seeking to enhance and increase criminal fines available to the Courts. The public pronouncements of the Privacy Commissioner have been focused on encouraging better personal data protection.

The new administrative fining powers may not be immune from challenge. There may be concerns that personal data privacy regulation applies to all data users, data processors and data subjects in Hong Kong, and not a discrete class of regulated persons. Some challenge may be made if the level of fines proposed in the coming laws are framed to have a primarily punitive effect. However, the balance of the jurisprudence suggests that the proposals by the Privacy Commissioner are consistent with Hong Kong laws on administrative tribunals and powers.

Conclusion

The introduction of administrative fining powers by the Privacy Commissioner will mark a significant change to the enforcement landscape for personal data protection in Hong Kong. The through line from accountability to enforcement will be stronger and more direct, and personal data protection will be better as a result.

This new approach will answer the “so what?” question in personal data privacy regulation. Soon, the answer to “so what?” will be: you will be fined and it could be a big fine. This makes for better enforcement and better regulation.

What should businesses for now? We recommend:

• Conduct a holistic review of personal data protection through the data life cycle, from collection to use to storage and destruction.
• Pay particular attention to information security, and make it a paramount business imperative.
• Review and enhance policies and procedures.
• Introduce a privacy management programme to ensure good practices are fully implemented.
• Review breach reporting mechanisms and breach management systems and strategies.

The stakes are higher in enforcement actions. There will be an increased need for experienced, reliable legal representation to respond to a data breach and to an investigation.

Change is indeed coming, and we, at Tanner De Witt, are ready to help.

Pádraig Walsh

If you would like to discuss any of the matters raised in this article, please contact:

Pádraig Walsh Partner | E-mail

Edmond Leung Partner | E-mail

Jeff Lane Partner | E-mail

---

[1] Failure to comply with the obligations of the CJEU ruling in the Schrems II case could result in fines at the more serious level under GDPR. Read more here.

[2] See here for the enforcement tracker that monitors GDPR fines.

[3] Presently, an intention to fine only, and no final decision has been made on the ultimate fine imposed.

[4] Presently, an intention to fine only, and no final decision has been made on the ultimate fine imposed.

[5] See this link.

[6] A v Securities and Futures Commission, HCAL 64/2010, 18 August 2010, Reyes J.

[7] Luk Ka Cheung v The Market Misconduct Tribunal, [2009] 1 HKC 1

[8] Tsien Pak Cheung David v Securities and Futures Commission, [2011] 4 HKC 410

[9] WP29 Guidelines on the application and setting of administrative fines for the purpose of the Regulation 2016/679, WP 253.

[10] See this link.

[11] Comments of Irish Data Protection Commissioner, Helen Dixon on 3 April 2018 [link]

Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.