
Privacy laws in Hong Kong to get major overhaul as government targets companies after Cathay Pacific data breach scandal

South China Morning Post

Published 20 January 2020, 16:01 • Alvin Lum (alvin.lum@scmp.com)
  • Personal details of 9.4 million customers were stolen in 2018 but airline failed to report it for months
  • New law would give companies five days to report a breach and watchdog would have power to fine offenders a proportion of global income
Hong Kong’s privacy laws are to be strengthened as the city looks to bring regulations in line with international standards. Photo: Reuters

Hong Kong's privacy laws could soon be strengthened with the government considering tougher financial penalties for companies that do not report data breaches within five days.

The move, which would bring the city in line with the European Union among others, comes in response to the hacking of Cathay Pacific in 2018, when the personal information of 9.4 million of the airline's customers was stolen in a major security breach.

Although the hack occurred in March of that year, the carrier did not report it until October, and critics have long said the law lacks teeth in the face of rapid technological advances, a criticism Privacy Commissioner Stephen Wong Kai-yi has accepted.

Presently, individuals or companies involved in data breaches are under no obligation to report the incident. The privacy watchdog could issue an enforcement notice against violation of privacy laws, but only a failure to comply with directives would attract a fine of HK$50,000 or two years in prison.


The proposed amendments to the Personal Data (Privacy) Ordinance would change that, requiring companies to report any major breach quickly, and giving the watchdog the power to fine offenders a portion of their global turnover.

Cathay's actions over the hacking of its database exposed the limitations of the law, and while the Privacy Commissioner for Personal Data found it guilty last June of breaching regulations, it could only order the airline to take remedial action to improve its security system.

Under the government's new proposals, the commissioner may no longer need to issue an enforcement notice; instead, it could directly impose an administrative fine based on the severity of the incident.

Privacy Commissioner Stephen Wong has accepted that the watchdog lacks teeth when it comes to enforcement. Photo: David Wong

The government paper cited the example of the EU's General Data Protection Regulation, under which companies violating the privacy law face a maximum fine of HK$178 million, or 4 per cent of global turnover, whichever figure is higher.

Constitutional affairs minister Patrick Nip Tak-keun hinted to lawmakers at a Legislative Council meeting on Monday that the government could decide not to launch a public consultation on the amendments.

"Usually we will allow three to six months for a consultation period to collect public views, this time we will not follow the conventional way, as that is not the most effective way," Nip said.


"We reviewed the law because of a major data breach incident, and we will make a specific proposal to collect views of different stakeholders."

Privacy expert Jason Lau Wai-king, an adjunct professor of cybersecurity and privacy at Baptist University, said the proposed changes were a step in the right direction.

"Data breaches are an ongoing issue and imposing administrative fines is one of the ways to escalate information privacy to a board level responsibility," said Lau, who is also the co-chairman of the Hong Kong branch of the International Association of Privacy Professionals.

"Data is the world's new currency and we need updated regulations in order to enforce the safeguarding of personal data and maintain Hong Kong's competitiveness."

The amendments to the city's privacy laws would bring it in line with the European Union, among others. Photo: EPA-EFE

Jimmy Poon Wing-fai, the CEO of Dah Sing Insurance, who also sits on the governing board of the Hong Kong Federation of Insurers, said compliance costs would likely increase under the new rule.

"Compliance costs will almost definitely increase, and hopefully the authority will not directly copy from the EU's regulations," Poon said.

He also urged the authority to allow a transition period even if the proposal is passed.

"We should allow at least one or two years after the enactment date, we need to notify our clients and make changes on all our documents, all these have to be made clear to comply with the proposed new rules."

Copyright (c) 2020. South China Morning Post Publishers Ltd. All rights reserved.
