Stephen Wong Kai-yi, the head of Hong Kong’s data privacy watchdog, stated recently that he would review a 22-year-old data protection law following a series of “major data leaks” in the city that affected more than half a million people.

Apart from a recent hack into an inactive database owned by Hong Kong Broadband Network (HKBN) that held information on 380,000 customers, a number of cyberattacks also targeted databases belonging to travel agencies, involving some 220,000 clients. Private information such as credit card details, home addresses, names and ID card numbers could have been compromised in the hacks.

Speaking on an online programme hosted by former lawmaker Emily Lau Wai-hing, Privacy Commissioner for Personal Data Stephen Wong Kai-yi said it was time to review the Personal Data (Privacy) Ordinance, which came into force in 1996. The legislation was last updated in 2012, but with a focus only on direct marketing.

“The European Union has a new regulation next month, we also see some major data leaks in Hong Kong and [on an] international level … I think it is time,” Wong said.  The commissioner said his office would study if enough protection was provided to citizens, and also look at global trends.  Wong said the city’s ordinance was based on the EU’s Data Protection Directive, due to be replaced by the General Data Protection Regulation next month.

The commissioner also admitted his office’s enforcement power was lower than other regulatory bodies in other countries.  “Lawmakers think our enforcement power has to be increased. I see their point,” Wong said.

According to current regulations, a company will only be prosecuted if it refuses to take corrective measures to ensure the data privacy of its clients.  Violation of the Personal Data (Privacy) Ordinance can lead to a fine of HK$50,000 (US$6,375) and imprisonment for up to two years.  Apart from upping the penalty, which Wong said the public had called for, it was also important to teach companies to be ethical and respectful of clients’ data privacy, he said.

HKBN recently announced it would purge the data of 900,000 former customers and reduce its information retention period from seven years to six months in the wake of a most recent hack. Wong said he was satisfied with the remedial actions.

Hong Kong privacy watchdog blasts electoral office for massive data breach

Wong also said the law “doesn’t say how long you can or you should keep personal data”, but added companies “should not retain or keep personal data longer than necessary”.  A spokesman from the Office of the Communications Authority did not say if HKBN’s new policy was in line with regulations, only that the company should ensure that it was.

Information technology sector lawmaker Charles Mok agreed the privacy law should be reviewed by increasing the penalty and punishing first-time – not just repeat – offenders.   A spokeswoman for the Privacy Commissioner for Personal Data said it was important for companies to be transparent about their personal data policies and practices. “Good governance dictates that organisations take heed of the increasing public concern that consumers’ personal data privacy should be properly protected,” she said.  She reminded consumers to read privacy policy statements before signing up for services.

A spokesman for the HKT Group, which owns internet service provider Netvigator, said customer data the group collects is used and retained in accordance with the ordinance and “applicable laws and regulations relating to data privacy”.  The spokesman, however, refused to disclose how long it kept customer records.

Hong Kong firms urged to sharpen focus on cybersecurity

A spokesman for internet service provider i-CABLE said it kept data of inactive customers for seven years. “The data of individual customers will be deleted upon request,” he said, adding that the company reviews and updates its data protection policy on a regular basis.  The Inland Revenue Department said business records should be kept by companies for no less than seven years, including invoices, receipts, cash register tapes, banking records and cheque butts.

HKBN earlier admitted that it had mistakenly thought the seven-year rule for business records also extended to customer information.

Source: South China Morning Post