Why the Privacy Commissioner in Hong Kong will soon have fining powers


The Information Commissioner’s Office (ICO) in the UK has fined Cathay Pacific GBP£500,000 for failing to protect the security of its customers’ personal data. Pádraig Walsh from the Privacy and Cybersecurity practice group of Tanner De Witt reviews.

The data breach

The data breach was discovered when Cathay Pacific first detected suspicious activity on its network on 13 March 2018, with subsequent attack activity continuing to 28 August 2018. The data breach originated from unauthorised access to IT systems on 15 October 2014 and 7 May 2017. The data subjects affected were passengers of Cathay Pacific, members of Asia Miles and Marco Polo Club, and other registered users with Cathay Pacific and Hong Kong Dragon Airlines. In total, there were approximately 9.4 million affected data subjects from over 260 countries. The personal data involved consisted mainly of the name, flight number and date, title, email address, membership number, address, and phone number.

There is no mandatory statutory data breach notification requirement under Hong Kong law. Nonetheless, Cathay Pacific filed a data breach notification to the Privacy Commissioner in Hong Kong on 24 October 2018. Cathay Pacific also notified affected data subjects on the same day.

The investigation report

The Privacy Commissioner in Hong Kong issued its report on this data breach incident on 6 June 2019.

The Privacy Commissioner stated that, to meet legitimate expectations of the affected data subjects, Cathay Pacific could have notified the affected data subjects of the suspicious activity once detected and advised them of the appropriate steps to take earlier.

The Privacy Commissioner made a number of key findings, following investigation:

  • Cathay Pacific failed to identify a commonly known and exploitable vulnerability, and did not take reasonably practicable steps to protect personal data in the deployment of an internet facing server.
  • Cathay Pacific’s vulnerability scanning exercise for the internet facing server at a yearly interval was too lax in the context of effectively protecting its IT system against evolving digital threats.
  • Cathay Pacific had not taken reasonably practicable steps to protect and not expose the administrator console port of the internet facing server to the Internet.
  • Cathay Pacific failed to adopt effective multi-factor authentication to all remote access users for accessing its IT system involving personal data.
  • Cathay Pacific should not have produced unencrypted database backup files to facilitate migration of data centre without adopting effective security controls.
  • Cathay Pacific did not have an effective personal data inventory to cover all systems containing personal data.
  • Cathay Pacific did not take all reasonably practicable steps to ensure that the Hong Kong identity card numbers of the affected data subjects were not kept longer than was necessary for the fulfilment of a defunct verification purpose for which the data was used.

Based on these findings, the Privacy Commissioner issued an enforcement notice, directing Cathay Pacific to remedy these contraventions by specific actions, and required all steps to be taken within a period of three to six months.

The Privacy Commissioner did not impose a fine on Cathay Pacific. There is no statutory fining power granted to the Privacy Commissioner in Hong Kong.

The UK Information Commissioner Office Fine

111,578 of the affected data subjects in the Cathay Pacific data breach were from the UK. This brought the incident under the jurisdiction of the Information Commissioner Office (“ICO”) in the UK. The ICO issued its Monetary Policy Notice on 10 February 2020, and publicly announced its decision on 4 March 2020.

The ICO was quite critical of Cathay Pacific. Its Director of Investigations was quoted as saying:

This breach was particularly concerning given the number of basic security inadequacies across Cathay Pacific’s system, which gave easy access to the hackers. The multiple serious deficiencies we found fell well below the standard expected. At its most basic, the airline failed to satisfy four out of five of the National Cyber Security Centre’s basic Cyber Essentials guidance.

The data breach occurred before GDPR became effective in the UK. The ICO investigated this case under the Data Protection Act 1998. Even so, the ICO had administrative fining power, and exercised this power to impose a fine of GBP£500,000, the maximum financial penalty in civil cases under those laws. If GDPR had applied to this case, the ICO would have the power to impose a civil monetary penalty of up to 4% of global turnover – GBP£470 mn in the case of Cathay Pacific.

Developments in Hong Kong

There is a lot of similarity in the investigation reports of the Privacy Commissioner in Hong Kong and the ICO in the UK. Each report stresses failures by Cathay Pacific in its handling of cybersecurity as it applied to personal data it held. Each report made similar findings in respect of data protections principles. Each report also acknowledged Cathay Pacific acted promptly, forthrightly and responsibly once it became aware of the data breach.

Yet, the contrast between the two outcomes has the most resonance. In Hong Kong, no fine. In the UK, a fine of GBP£500,000. The Cathay Pacific data breach is one of the factors that has encouraged the legislative authorities in Hong Kong to consider reviewing and updating personal data protection. The review includes proposals to:

  • introduce a mandatory data breach mechanism under which any data breach having a real risk of significant harm must be reported to the Privacy Commissioner within five business days.
  • empower the Privacy Commissioner to impose administrative fines linked to the turnover level of the data user. The administrative fining powers under GDPR in the EU are well known. Even in Asia, in Singapore the data protection authority is empowered to direct an organisation to pay a financial penalty of up to S$1 mn.
  • raise the existing level of relevant fines. Criminal fines under current legislation are set at HK$10,000, HK$50,000 and HK$100,000, depending on the offence. Fines at this level do not carry a deterrent effect. In Australia, fines of up to AU$420,000 for an individual and AU$2.1 mn for a business organisation may be ordered.

The Privacy Commissioner has recently responded to media enquiries to confirm it is refining the proposals for the relevant legislative amendments. Change is on the way. Start preparing!

If you would like to discuss any of the matters raised in this article, please contact:

Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.