Privacy data breaches incidents reported to the Office of the Privacy Commissioner for Personal Data (“Commissioner”) hit record high in 2018 and with an increase of 80% in the last five years. The use of mobile phones and social media platforms cause breaches to be very widespread. In the case of Cathay Pacific Airways, 9.4 million passengers data were hacked and in the case of TransUnion 5.4 million consumers’ information were accessed. In light of the above, proper handling of data breaches is particularly important to businesses not only to minimise possible legal consequences but also to limit potential damage to companies’ reputation.
We set out below (i) what a data breach is (ii) what companies should do in case of data breaches under the existing legal framework and (iii) possible actions that the Commissioner may take.
A data breach is generally taken to be a suspected breach of data security of personal data held by a data user, exposing the data to the risk of unauthorised or accidental access, processing, erasure, loss or use. Personal data means any data (a) relating directly or indirectly to a living individual; (b) from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and (c) in a form in which access to or processing of the data is practicable.
Examples of data breach are loss of personal data kept in storage such as laptop computers and portable hard disk, or database containing personal data being hacked or accessed by outsiders without authorisation.
Existing Legal Framework
A data breach may amount to a contravention of Data Protection Principle 4 (“DPP4”) under Schedule 1 of the Personal Data (Privacy) Ordinance (Cap 486 of the laws of Hong Kong) (“Ordinance”).
DDP4(1) provides that data user (i.e. those who control the collection, use and processing of personal data) shall take all reasonably practicable steps to ensure that personal data held by it is protected against unauthorised or accidental access, processing, erasure, loss or use, having particular regard to the kind of the data and the harm that could result if any of those things should occur.
Data users are also held responsible for any act done by the data processers (i.e. persons who process personal data on behalf of the data users) whether within or outside Hong Kong. Under DPP4(2), the data user must adopt contractual or other means to prevent unauthorised or accidental access, processing, erasure, loss or use of data transferred to the data processor for processing.
Measures to be taken in case of data breach
There is currently no mandatory requirement under the Ordinance for data users to notify the affected data subjects, the Commissioner or any other persons of any data breaches. However, the Commissioner encourages notification of data breaches as a matter of best practice under the “Guidance on Data Breach Handling and the Giving of Breach Notifications” (second revision in January 2019) (“Guidance”). The Guidance is non-binding.
Under the Guidance, where data subjects can be identified and a real risk of harm is reasonably foreseeable in a data breach, the data user should consider notifying the data subjects affected, the relevant parties and the regulators. In reaching the decision of whether to issue data breach notification, the consequences for failing to give notification should be considered.
The timing in giving data breach notification is also critical. The delay in giving such notification was in fact the much controversial issue in the Cathay Pacific case. In that case, Cathay Pacific delayed notification for seven months after the data leakage was discovered. Under the Guidance, once a company decides to give data breach notification after having assessed the situation and the impact of the breach, the notification should be made as soon as practicable after the detection of the data breach, except where law enforcement agencies have, for investigative purposes, made a request for a delay.
On top of giving data breach notification, other remedial measures recommended in the Guidance include (1) gathering essential information relating to the breach immediately; (2) contacting the interested parties and adopting measures to contain the breach; and (3) assessing the risk of harm.
What happens after issuance of a data breach notification ?
1. Upon receipt of a data breach notification, the Commissioner will initiate a compliance check under section 8 of the Ordinance for the purposes of finding facts, identifying root cause and evaluating proposed actions or actions taken.
2. The Commissioner may also give advice and provide assistance to ensure timely remedial steps to be taken to contain any further possible damage to persons affected.
3. Should the compliance check results in any finding or prima facie evidence of contravention of the Ordinance, the Commissioner will carry out a compliance investigation under section 38(b) of the Ordinance. A compliance investigation may also be carried out for incidents involving significant number of data subjects, sensitive personal data or of great public interests or being widely reported.
4. Upon completion of which the Commissioner will inform the data users the results of the investigation (section 47 of the Ordinance). If any contravention of the Ordinance is found, the Commissioner may serve an enforcement notice (“Enforcement Notice”) on the data users to remedy and, if appropriate, prevent any recurrence of the contravention (section 50 of the Ordinance).
A compliance investigation may also be initiated whether or not the Commissioner receives a data breach notification. Under section 38 of the Ordinance, the Commissioner may carry out a compliance investigation if he receives a complaint, or has reasonable grounds to believe that there may be a contravention of the Ordinance.
Potential legal consequences
Although currently a breach of any of the Data Protection Principle under the Ordinance does not in itself constitute an offence, it may amount to an offence under the Ordinance if a data user fails to comply with the Enforcement Notice or commits a new breach on the same facts. Nonetheless, the Commissioner is currently reviewing and proposing reforms in the Ordinance so as to get more teeth for the protection of personal data.
Further, an individual who suffers damage by reason of contravention of any requirement under the Ordinance by a data user, and that breach relates (whether in whole or in part) to personal data of that individual (data subject), he shall be entitled to compensation from the data user (section 66 of the Ordinance).
While the legal consequences of a data leak might not seem to be direct or severe at the moment, companies should monitor the latest development of the proposed reform of the Ordinance.
Please feel free to contact our IP & IT team if you have any question regarding data privacy compliance, or intellectual property or technology laws generally.