Stephen Kai-yi Wong completed his tenure as Privacy Commissioner for Personal Data, Hong Kong, China (Privacy Commissioner) on 3 August this year. CSj talks to him about the changes he has seen in the privacy protection landscape in Hong Kong over his five-year term and about the role of governance professionals in upholding data ethics and accountability.

Can we start by discussing the proposed amendments to the Personal Data (Privacy) Ordinance (PDPO)?

‘Yes, that will be a good place to start. The data breaches in the travel industry, in particular the airlines and hotel chains, were alarming signals to us that the law needs to be changed. There is a clear need for the industry to take practical steps to ensure better data security and our proposal is to introduce a mandatory data breach notification requirement. Data users would be required to notify the office of the Privacy Commissioner for Personal Data (PCPD) and relevant data subjects of data breach incidents reaching a threshold of “real risk of significant harm”.

Equally alarming have been the criminal doxxing cases we have seen on both sides of the political divide in Hong Kong. Currently, Section 64(2) of the PDPO makes it a criminal offence to disclose any personal data of a data subject obtained without the consent of the data user and where such disclosure causes psychological harm to the data subject, but we believe that there might be a clearer and more effective way to deal with doxxing. The police have made arrests for activities of this sort based on the provisions of other pieces of legislation. I believe, in terms of personal data, that there are good reasons to have specifically designed provisions in the PDPO on this.

More generally, the PDPO was enacted back in 1995 and has only once been amended – that was in 2012 when the offence of direct marketing was introduced. But many different offences start with abuses of personal data, and I think there is a need to do better in terms of updating the legislation.’

How soon do you think any amendments to the PDPO might take effect?

‘We submitted our recommendations to the Constitutional and Mainland Affairs Bureau in our review report in June last year. They accepted that there were good reasons to amend the existing law and six proposed directions of amendment were listed for consideration in the Panel on Constitutional Affairs of the Legislative Council (LegCo). In addition to the mandatory data breach notification requirement and new provisions to regulate criminal doxxing mentioned above, the proposals also include provisions to increase the PCPD’s powers, such as the imposition of administrative fines. I believe we need these because we have been known as a toothless tiger. But it is really difficult for us or the government to make an educated guess about when any draft bill, if at all, might be presented to LegCo. It’s a matter of priority and the bill is waiting along with a number of other pieces of legislation that have been stalled.’

Do you think that there is support for privacy protection across the political divide in Hong Kong?

‘People, whichever camp they belong to, have been using personal data as a weapon. Posting the personal data of individuals, sometimes together with that of their family members, amounts in my view to intimidation. As I mentioned, Section 64(2) of the PDPO makes this type of doxxing a criminal offence, but so far we haven’t seen many prosecution cases based on this provision – despite the fact that we have received more than 5,000 complaints and, of those, more than 1,400 cases have been referred to the police for further investigation. Why do we have to refer the cases to the police? Because we don’t have the powers they have to go to the relevant premises to search for and seize evidence. Neither do we have the power to obtain statements or to prosecute.’

You made the point earlier that many different offences start with the abuse of personal data – do you think this will help make the case that the PCPD needs to have greater powers?

‘Let me tell you a story. On the first day I assumed duty back in 2015, I paid an official visit to the Commissioner of Police and I made the same point – that most fraud cases start with an abuse of personal data. Doxxing would be an obvious example of this, but there are many other cases we have seen where abuse of personal data is involved. Generally, however, when the police prefer charges relating to a criminal offence, which might have stemmed from a personal data–related offence, they leave the personal data offence aside. This is probably because personal data offences were often regarded as more trivial, less tangible and not really criminal.

So I recommended to the Commissioner of Police that police officers should be reminded of the relevant personal data offences when they prepare charges. I offered the assistance of the PCPD to provide advice and training on the provisions of the PDPO. That was five years ago and fortunately the attitude has changed now – the police often issue warnings that offences are the same whether they are committed online or offline. We have also built up a consensus that the two enforcement authorities – the PCPD and the police – should dovetail our approaches and work together appropriately. The Hong Kong Monetary Authority (HKMA) has also joined the effort, so we are very happy to be working closely with law enforcement and regulatory authorities in Hong Kong to promote better due diligence and vigilance relating to the use of personal data.’

Are mindsets changing on privacy issues in Hong Kong?

‘We did a survey recently – the findings will be published shortly – which shows that mindsets are changing. The survey, conducted by The University of Hong Kong, asked 1,200 Hong Kong citizens for their opinions on many of the issues we are discussing. The survey indicates high awareness levels of these issues and support for the proposed amendments to the PDPO.

So I believe that over the last five years people have become more acutely aware of personal data privacy issues, but how far enterprises understand how to exercise ethical data governance in the course of business is another question. We have been trying to educate enterprises about many different aspects of personal data protection. For example, exercising due diligence and vigilance in respect of the personal data of customers is not only important in Hong Kong. The European Union (EU)’s General Data Protection Regulation (GDPR) has extraterritorial effect over enterprises in Hong Kong doing business with, or offering services to, individuals in the EU. Similar legislation applies to California and the Mainland.

So one of the major tasks that I have endeavoured to get involved with is to engage with enterprises to help minimise the damage caused by breaches of the PDPO. I haven’t used a “name and shame” policy. When there is a data breach, we call to offer our help to mitigate the damage that might have been caused. It is not only the enterprises’ interests that we have in mind, but the interests of the data subjects – the Cathay Pacific data breach, for example, involved 9.4 million passengers.

When I started as Privacy Commissioner and was introduced to business executives at functions, they would often look at me as if I was Dracula about to suck their blood, but I think this has changed. I and my team are often asked to give talks to trade associations, chambers of commerce, individual enterprises and government departments about compliance and data governance issues, and I think that’s very encouraging.’

As the regulator for personal data privacy, isn’t there an advantage to being feared?

‘We have adopted a policy of using both carrot and stick. When we receive complaints and initiate compliance investigations, we do want people to feel a certain kind of fear or respect for our authority to ensure everyone acts strictly in accordance with the law, but my mission number one, as set out very clearly in our annual reports, is fair enforcement. Our enforcement must be fair, otherwise we will lose the confidence and trust of those we are regulating.

Moreover, there is very little point for me to take someone to court and fine them HK$30,000 if, when they get back to their office, they are going to do it all again. The message that I’ve been trying to convey is that this is not just about compliance and sanctions. Abuses of personal data are not only wrong in law, but also wrong in terms of ethics. Data governance breaches will lose you the trust and confidence of your clients and customers, as well as your reputation.’

Is this a message you would like readers of CSj, as governance professionals, to pay particular attention to?

‘Absolutely. I would like to make it very clear for your audience that they need to convince themselves first and then their bosses that data governance is not as simple an issue as it looks. It is a very serious issue and it should be an issue frequently tabled as one of the agenda items at board meetings. This is what we mean by accountability. To ensure accountability for personal data privacy is already a legal requirement of the EU’s GDPR, for example, and a statutory reporting obligation.’

Over the five years of your term, have you seen rising awareness of the need for board accountability of data privacy issues among Hong Kong companies?

‘Yes I have, and this is very important when the deterrent effect of a failure to comply with the law is so low. Even when, for example, British Airways or Cathay Pacific has received fines up to the maximum level, does it really hurt? Moreover, data privacy legislation and regulation is still quite fragmented, especially in Asia. We haven’t yet been able to achieve a unification of standards or regulatory requirements. Even within jurisdictions in Asia, the laws relating to personal data privacy may still be very fragmented, with different laws relating to different industries, for example. So that is another reason why we need to promote the principles of data stewardship, data governance and data ethics to complement the requirements of the law.

We started advocating accountability in 2014 and when we hosted the Global Privacy Assembly (formerly known as the International Conference of Data Protection and Privacy Commissioners) conference in Hong Kong in 2017, we made accountability one of the main themes. I think we have managed to put across the message that data ethics and accountability need to complement, but not replace, the law.’

You have forged closer links with privacy regulators outside Hong Kong and with global privacy organisations – would you like part of your legacy to be this closer cooperation globally and the promotion of more unified standards?

‘Yes, this is something I have been trying hard to achieve. One of the irreplaceable attributes of Hong Kong is that we are an international centre for many things – we are an international financial centre, an international logistics hub, and so on, but many people forget that we are also an international data hub and information centre. We are well placed to develop Hong Kong as an international data hub – we have free flow of information, which is not the case 25 kilometres away. We also have good protections for freedom of expression, assembly and privacy under global covenants such as the International Covenant on Civil and Political Rights and guaranteed under the Basic Law. We need to protect our international status and the rule of law in Hong Kong. The “rule of law” is different from “rule by law” and rests on two cardinal principles – namely that no one is above the law and that the judiciary maintains its independence.’

Now that you will be resuming your private practice as a barrister, do you think privacy cases will be a large part of your work?

‘Actually no. I intend to specialise in three areas: the statutory obligations of companies, personal freedoms and rights, and the regulatory authorities’ limits of power.’

Stephen Kai-yi Wong was interviewed by CSj Editor Kieran Colvert.

Stephen Kai-yi Wong’s term as Privacy Commissioner ended on 3 August 2020. Ada Chung Lai-ling JP, previously the Registrar of Companies of the Companies Registry, took up the Privacy Commissioner role with effect from 4 September 2020.