In the emerging data privacy landscape in Hong Kong, Stephen Kai-yi Wong, Privacy Commissioner for Personal Data, argues that a consideration of ethics is just as important as adherence to the law.

Thanks for giving us this interview. The landscape for data privacy in Hong Kong and globally has been changing rapidly in recent years. Do you think there is greater awareness of the importance of respecting data privacy here in Hong Kong?

'Locally, people are becoming more aware of the issue of personal data privacy. We talk about personal data and privacy all the time, and sometimes inappropriately. We should bear in mind that there are times when you are required to disclose personal data. We had an incident in Hong Kong recently where students were putting up posters (without authority or going through the proper procedure in their campus) making comments on officials in the government. The student body said they couldn't release any details about the students involved in order to protect their privacy. Now, while it is important for us as regulators to protect the individual's personal data privacy, it is equally important for us to protect the interests of the public. There are exemptions in the Personal Data (Privacy) Ordinance (the Privacy Ordinance), including for situations where there is prevention or investigation of a crime. Privacy protection is not intended to be a shelter for wrongdoers. So there has to be a balancing exercise.'

Incidents such as the one you mention have put privacy issues into the public spotlight – is it an interesting time to be Hong Kong's Privacy Commissioner for Personal Data?

'I do have a very interesting job and I have to be careful to always make a judgement about how to uphold the public interest. An issue that has come up recently, for example, is the use of drones. We have received complaints about drones filming from outside the balconies of people's homes. If the drone operator intends to show images where people's faces can be seen, a face being considered to be a personal identifier, there is clearly a high risk of infringing the Privacy Ordinance. However, if the drone is operated by a media organisation, there may be a public interest exemption. As you probably know, the Privacy Ordinance has an exemption for news activities. Freedom of the press and freedom of expression are crucial parts of freedoms that we enjoy under the Basic Law. So whether it is a violation of the Privacy Ordinance or not depends on all the circumstances. The government will soon commence consultation on the use of drones. It appears that the majority of views so far is that there should be some sort of regulation, perhaps via a registration system for drone operators.'

The use of drones was not a problem back when the Privacy Ordinance was drafted – will technological change always be one step ahead of the privacy regime in Hong Kong?

'The advances in information and communications technology (ICT) – including artificial intelligence, machine learning, and the "internet of things" – will make life more difficult from a privacy point of view, but I think we should bear in mind that our legislation in Hong Kong is principle-based and technology-neutral. Our law and regulations were designed that way because it is hard to stay ahead of ICT development. The risk of this approach, though, is that in certain circumstances the rules may be out of touch with reality. We focused on high-level principles but who would have imagined when the Privacy Ordinance was drafted that a machine could learn.
However, I would like to come back to your earlier question about the level of awareness of privacy issues in Hong Kong. We have been conducting various surveys and opinion polls looking at the attitude of the younger generation to privacy issues. The surveys show that 98% of them have a cell phone but half of them don't even realise that there are restrictions on the use of personal data. In other words, they post messages and images of other people whenever they like. So that's a very serious problem. The younger generation seems to be unaware of how important it is to be vigilant – not only about respecting the personal data of others but also about protecting their own personal data. A few months ago, “Fingopay” was put on trial in the UK. This enables shoppers to make payments via a scan of their finger. I saw a report where reporters asked a girl who had just used this service whether she was concerned about privacy risks. She immediately said she was not bothered. That seems to be the general attitude among the younger generation in Hong Kong too, as evidenced by similar responses when “Pokémon Go” was launched.'

Nevertheless, the growing number of scandals involving loss of customers' personal data or abuse of marketing practices could very quickly change attitudes among the younger generation – this surely is a major risk for data users?

'Of course, organisations collecting personal data need to maintain trust. We frequently hear from organisations, especially small and medium-sized enterprises (SMEs), that they can't afford to consider privacy compliance. Our response is to point out that their reputation and the trust of the public is one of their most important intangible assets and they need to maintain that trust. As a regulator, I believe we should help organisations to keep the respect and the trust of their data subjects (that is, the individual customers or clients), that's why we have just released our first guidelines on data protection specifically for SMEs.'

Do you think data users should be aware of global ethical best practice in addition to the law and regulations in Hong Kong?

'Absolutely. We expect business organisations to act according to their conscience, but this can be open to many different interpretations and that's where international standards are so important. I was posted to the United Nations (UN) in 1991 to work on human rights. When I came back I knew more about human rights, but I also learned how individual state parties would defend their human rights records and standards with reference to their different economic and historical backgrounds and cultures. Some may argue that human rights should be universal, but in reality there will always be some discrepancies among different state parties. In Asia, because of its historical and cultural background, privacy may not be treated the same as it is in Europe. I remember at one conference I attended the delegate from the Philippines said that the word "privacy" did not exist in Tagalog. One of the ethical standards we try to promote, not only in Hong Kong but also around the globe, is to give meaningful choices to data owners. Nowadays if you download an app, you will be asked whether you agree or accept the terms and conditions of use. I can tell you, even the Privacy Commissioner doesn't read those terms; like everyone else, I simply scroll down to the end and click "I agree". Failing to agree will mean you can't download the app. So regulators around the globe have been asking major service providers such as Facebook, Google and Microsoft to give individuals real choices. This could be offering the possibility to opt out of classified categories, for example, receiving advertisements.'

Can Hong Kong assist the Mainland in developing data privacy standards?

'When I was interviewed after taking up the Privacy Commissioner post in August 2015, I was asked whether I would be involved in developing the privacy landscape in Mainland China. Initially, we had very little contact or exchange with the Mainland authorities because we didn't have a counterpart there. I think it makes sense to work together – after all, in terms of ICT development, China is the biggest market in the world. But because of the lack of a single comprehensive piece of legislation in relation to data protection and the lack of a regulatory body I can't do anything unless I am invited. I have always been willing to explain what our system is all about. In fact, a few months after I started work I received invitations from the Mainland – first from the commercial sector, mainly the banks, and then from academia.'

What sort of reception do you get when you talk about personal data privacy in the Mainland?

'They are very, very serious about this now – you cannot duck the issue when you have 1.4 billion people. In the Mainland many people have at least two phones and many cities are now cashless. We know from social media that people in the Mainland are aware of the issues. They are also interested to learn about how we handle data privacy issues in Hong Kong.'

The Hong Kong government is not exempt from the Privacy Ordinance, so you are one of the few officials who have a role monitoring government – can you talk about this aspect of your role?

'Yes. When the Privacy Ordinance was enacted in 1995, the main consideration of the Legislative Council was to make sure that individuals’ basic privacy rights would be well protected after the reunification in 1997. So, unlike many other jurisdictions in this part of the world, my office also regulates the behaviour of the government. In fact most of our work relates to the behaviour of the government – they are our largest client. My role is to make sure that, as one of my stakeholders, the government complies with the requirements of the Privacy Ordinance.'

The General Data Protection Regulation (GDPR) in the EU will take effect on 25 May this year and there are concerns in Hong Kong about the compliance risks for businesses here since the regulation has extraterritorial scope. What impact do you think the GDPR is going to have in Hong Kong?

'We are aware that many people are concerned about being caught under this new regulation, especially the SMEs in Hong Kong because they have fewer resources to ensure compliance and obtain legal advice. We have done a comparative study between the new EU regulation and our existing regulation and we have identified at least nine areas that we need to look at (see “GDPR impact assessment” box text). We will be publishing new guidelines soon on this issue.'

Would you like to see Hong Kong's Privacy Ordinance revised to match the GDPR?

'We need to consider whether our relevant provisions in Hong Kong should be revised, but, as I mentioned earlier, we also need to maintain a balance. The Privacy Ordinance not only protects the rights of individuals but also facilitates economic and ICT development in Hong Kong – we need to balance the interests of individuals against the interests of the public, without compromising trade and innovation. Our role is not only to enforce the Privacy Ordinance but also to promote better awareness of the importance of respecting privacy. We have allocated more resources over the last two years to education and publicity. This includes organising seminars and talks; engaging organisations by going to their offices and talking to their staff; producing publicity materials online and offline; and issuing updates and publications in response to privacy issues. Moreover, we are always ready to issue a statement when relevant issues arise in the community. For example, I just issued a statement about whether people should be expected to draw the curtains when in a hotel room to protect their privacy. You may have seen that images were broadcast on the internet of a man and a woman engaging in intimate activities in a hotel room in Hong Kong. Some have asked why they didn't draw the curtain but I think that is irrelevant – they had the legitimate expectation that in a hotel room their privacy would be respected. So, no matter whether you stand a chance of being caught by the Privacy Ordinance or not, when people are in a private space, their privacy should be legitimately and duly respected. This principle has been backed up by the Administrative Appeals Board in previous cases.'

Could you tell us about your own background and training?

'I was born in Hong Kong in the 1950s. My parents, like many people just after the establishment of the People’s Republic of China (PRC) in 1949, crossed the border into Hong Kong and set up home here. One of the values I was brought up with was the importance of the rule of law. At that time half the population was living in illegal structures and disputes were common – there were quarrels all the time about the use of public taps and toilets for example – but at the end of the day the attitude was that in Hong Kong we abide by the law. When I went to university I had the same mindset – I knew the importance of the law to the community, especially at the grassroots level. After that I chose to join the government, partly because in those days the government offered a higher salary. I had my parents to look after, to help them move out of the squatter area. I spent 17 years in the colonial government and 17 years in the Government of the Hong Kong SAR – 1997 was my half-way mark. I worked on the Hong Kong Bill of Rights Ordinance which was enacted in 1991. After completing that legislative exercise I was sent to work with the UN Human Rights Committee. I reviewed the reports provided by various state parties, summarised their main points and drafted questions for Committee members to raise. I was also involved in the drafting of the final reports which were submitted to the UN General Assembly. When I came back to Hong Kong in 1992, I was posted to the Public Prosecutions team dealing with human rights. When human rights issues cropped up in the courts, the prosecuting counsel representing the government would call me and I would make submissions to the court. In the lead up to 1997, I was given the opportunity to be involved in handover issues. At that time there were very few lawyers of Chinese ethnic origin within the government, so I worked on many China-related issues. 
From 1996 to 2012, I became Deputy Solicitor-General and Secretary of the Hong Kong Law Reform Commission, responsible for human rights, cross-boundary legal affairs, the Basic Law, legal policies and law reform. So that sums up my work profile. I had a very unique training in human rights issues, unique because no one else took that same path. Now you can study human rights at university; in those days that was not an option.'

Stephen Wong was interviewed by Mohan Datwani FCIS FCS(PE), Institute Senior Director and Head of Technical & Research; and Kieran Colvert, Editor, CSj.

The guidance note 'Data Protection & Business Facilitation – Guiding Principles for Small and Medium Enterprises' is available on the Privacy Commissioner for Personal Data website: www.pcpd.org.hk.

SIDEBAR: GDPR impact assessment

How will the EU's new General Data Protection Regulation (GDPR) affect you? The Office of the Privacy Commissioner for Personal Data (PCPD) highlights nine areas where businesses in Hong Kong will need to give particular consideration once the GDPR has been implemented on 25 May 2018.
  1. Extra-territorial application. If a Hong Kong company offers goods or services to EU residents, or monitors the behaviours of EU residents, say by online tracking, it has to comply with the GDPR.
  2. Accountability. The GDPR requires a data controller (for example a company) to implement policy and measures (such as privacy by design and by default, data protection impact assessment, and appointment of data protection officers) to ensure compliance with the law. In Hong Kong, ‘accountability’ is not a legal requirement, but the PCPD encourages organisations to implement a privacy management programme.
  3. Mandatory breach notification. Under the GDPR, a data user has to notify the relevant data protection authority and (for high-risk incidents) the affected individuals in the event of a data breach, unless an exception applies (for example measures taken to reduce the risk). In Hong Kong, data breach notification is voluntary.
  4. Sensitive personal data. The GDPR imposes stricter conditions on the processing of sensitive personal data, for example a business cannot process sensitive personal data on the grounds of legitimate interest. In Hong Kong, we do not have a distinction between sensitive and non-sensitive personal data.
  5. Consent. Consent is one of the six legal bases for processing personal data under the GDPR. Consent has to be freely given, specific and informed, and an unambiguous indication of a data subject’s wish. In Hong Kong, consent is not required for collection of personal data. However, if an organisation wants to change the use of personal data, or use the personal data in direct marketing, data subjects’ consent is needed.
  6. Data processor obligations. The GDPR imposes direct obligations on data processors, such as maintaining records of processing, ensuring security of processing, reporting data breaches and designating data protection officers.
  7. New or enhanced rights of data subjects (including profiling). The GDPR provides new and enhanced rights to data subjects, such as right to be forgotten; right to data portability; right to object to processing (including profiling); etc.
  8. Certification mechanism. The GDPR recognises privacy seals and establishes a certification mechanism for demonstrating compliance by data controllers and processors. Certification is recognised by the GDPR as one of the legal bases for cross-border data transfer.
  9. Sanctions. The GDPR empowers data protection authorities to impose administrative fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher.