Cross-posted from PogoWasRight.org.
Gabriela Kennedy and Heidi Gleeson write:
The Personal Data (Privacy) Amendment Bill (the “Bill“) was introduced into the Legislative Council on 13 July 2011. The Bill is the culmination of a lengthy consultation process into the reform of the Personal Data (Privacy) Ordinance (the “Ordinance“) which commenced in 2009. The Bill aims to bring the Ordinance in line with technological and other advancements that have occurred since the Ordinance was enacted 15 years ago, and is in part a response to the mounting public concern in relation to a number of high profile instances of misuse of personal data in Hong Kong.
The most significant amendments relate to direct marketing and the sale of personal information, data processing and the powers of the Privacy Commissioner for Personal Data (the “Privacy Commissioner“). The Bill also introduces increased penalties for breaches of the Ordinance. These key amendments are discussed below.
Read more on Hogan Lovells Chronicle of Data Protection. The amendment, if adopted, imposes requirements on businesses to disclose intended use or sharing of information and to provide customers with the clear opportunity to opt-out at any time. One of the provisions of the amendment that I find particularly interesting would create a recognized criminal offense due to what we call insider breaches:
The Bill introduces a new offense where a person (e.g. an employee of a data user) discloses personal data of a data subject that was obtained from a data user without the data user’s consent: (i) with an intent for gain, or to cause loss to the data subject; or (ii) where the disclosure results in psychological harm to the data subject. These offenses shall attract fines of HK$1,000,000 and 5 years’ imprisonment.
An example of where these provisions may apply is where an employee takes personal data handled in the course of his/her business and sells it to a direct marketing company. The new provisions make the employee (rather than the employer) liable for the unauthorized disclosure of the personal data.
That the law would recognize psychological harm is impressive. The amendment would create certain protections or defenses to unauthorized disclosures that include disclosing data that would be newsworthy or of public interest.
What’s not in the amendment may be as significant as what is. In summarizing the amendment, Gigi Cheah and Hank Leung of Norton Rose note two provisions that had been considered but rejected for inclusion:
Personal data security breach notification
One of the proposals in the public consultation on the review of the current law was the addition of a personal data security breach notification system to require organisations to notify the affected individuals when a breach of data security leads to the leakage of personal data, so as to mitigate the potential damage to affected individuals. Mandatory notification systems are in place in many overseas jurisdictions and are generally considered to be an important aspect of protection of personal data. However no such system is incorporated in the Bill.Sensitive personal data
Another proposal considered during the public consultation was the addition of a new category of sensitive personal data, such as biometric and medical data, which would be subject to more stringent regulation so as to provide better protection for these types of data. This provision was also not included in the Bill, probably due to the additional implementation costs which would be associated with introducing such a regime.
You can read the full text of the proposed amendment on the Legislative Council web site.