The rise of emerging information-related technology and its ubiquity pose a very serious concern: how much privacy do we really have? There have been growing concerns about the pace at which governments and regulators are modernizing their legal systems and how they simply do not change fast enough to keep up with new inventions and innovations of the hyper-digital world we live in today.
As the world continues to modernize and the law lags behind technology, we very often don’t know how these new technologies are affecting or will affect our lives and most importantly, our basic human right to individual privacy.
At MWC Shanghai, Telecom Review sat down with Mr. Stephen Kai-yi Wong to talk about the role of privacy and regulators in Asia in this inter-connected society. Mr. Stephen Kai-yi Wong is a barrister the Privacy Commissioner for Personal Data in Hong Kong.
As a regulator, describe how you navigate the national cyber security landscape?
As a regulator, we play three roles. The first one is a law enforcer. We have a statutory duty to enforce the law and to oversee the compliance of the Personal Data (Privacy) Ordinance (“Ordinance”) by data users in Hong Kong, including the government. My office was established by the Ordinance to be independent from the government. In fact, a substantial amount of issues relating to compliance with the Ordinance involve public authorities and the government because they tend to hold personal data of most people in the society. We must be fair and impartial. Stakeholders include individuals as data subjects and organizations as data users in Hong Kong.
The second role we play is an educator because as you may know, privacy is not really a part of our Chinese culture. In fact, in the past, the word “privacy” didn’t even exist in the Chinese language.
The second reason for education is the economic and technological changes taking place in China. Now, as China opens up and modernizes, it has become one of the countries with the most frequent flow of data. In fact, one third of the digital data flow in the world happens in China due to its vast population and the advancement of technology in the country.
The emerging economies in Asia and the Arab world will mean we should pay attention to the use of data and the collection of it.
We are now entering the fourth industrial revolution. Now the data flow of India, the Arab world, and China covers more than half of the world’s data flow. With development in economies, we are well-connected with data and we must educate our people and organizations to increase awareness of personal data protection.
The third role we play is a facilitator. Because of the merging economic growth, especially –that in Hong Kong and China, data protection should not stand in the way of or stifle economic growth and development in information and communications technology.
I believe that we should work together with enterprises and government departments and facilitate them to comply with the Ordinance. If the commercial sector would like to develop the economy of Hong Kong by employing more IT related measures, we should try to facilitate that by issuing guidance notes. We should always try to engage the enterprises and government departments in conversation, by telling them “if you would like to do this, you will need to pay attention to all these legal requirements under the Ordinance” with a duty to protect and respect people’s privacy. That is what we have been doing in Hong Kong, by facilitating them to comply with Ordinance before they breach any provision of the Ordinance. We try to tell them what they should bear in mind.
Currently, almost every country or society is trying to smarten-up its own economies. This is how we are trying to navigate data privacy. If a person breaches the Ordinance, the person is liable to punishment. If individuals are not be aware of the importance of protecting their privacy (e.g. without leaving digital footprints, we should educate them and raise awareness.
We help enterprises in the public interest which is at the core of everything we do. We try to balance all the related freedoms (including freedom to free flow of information) and protection of personal data of a particular person. Indeed, this is exactly what the European Union is trying to do by returning the control of personal data to the individuals, putting them back in the driver’s seat. We are navigating our way through the data privacy realm in a similar way, by protecting personal data on one hand and asking the enterprises to respect the personal data of individuals without compromising economic growth on the other hand.
What are your data privacy rules? Do you create your own rules or build on existing ones?
We have a comprehensive legislation governing the entire life cycle of personal data in Hong Kong. In other words, we handle everything from data collection, retention, use, security, transparency and access. There are 6 general principles, which are commonly known as data protection principles.
Of course, our law contains other things, but in relation to the protection of personal data we have adopted these 6 principles. These 6 principles were drafted by making reference to the guidelines of the Organization for Economic Co-operation and Development (“OECD”) and the 1995 EU Data Protection Directive which has been replaced by the EU General Data Protection Regulation (“GDPR”) last year. We also referenced international standards when we drafted the Ordinance. The Ordinance was enacted by our legislature in Hong Kong in 1995 and came into force in 1996. We have a relatively long history of protecting personal data in Hong Kong.
Since 1996, we have been actively advocating for the privacy rights of individuals and educating the people and organizations of Hong Kong about these rights. What [is important ? ] is that privacy is a fundamental human right in Hong Kong This right is protected not only by one specific piece of legislation (namely, the Personal Data (Privacy) Ordinance) but also under other legal instruments including the Hong Kong Bill of Rights ordinance that safeguards human rights.
Section 8 of the Hong Kong Bill of Rights Ordinance mirrors the UN International Covenant on Civil and Political Rights (“ICCPR”) 1976. Also, this fundamental human right as well as other rights of freedom are protected under the Basic Law of Hong Kong Special Administrative Region of the People’s Republic of China. Since 1997, the Mainland China has resumed the exercise of sovereignty over Hong Kong. Hong Kong people still enjoy all the freedoms and human rights that existed before the handover.
Hong Kong adopts a common law legal system on the basis of that adopted in the United Kingdom. Strong protection of rights and interests in Hong Kong is provided not only by statutes, but also by decisions of courts.
What are your biggest concerns as a regulator in Hong Kong and what are some of the challenges?
You can sort of see a trend in terms of threats and challenges. Twenty years ago, people would ask regulators how they could protect their name and identity. But now it has changed, people will ask you what you should do when a company loses your personal data.
Now, peoples’ concerns are more centered around the cybersecurity aspect of their data since everything is digital now. The fact that personal data is not tangible (like bank notes or physical deeds) does not absolve a company from its failure to keep safe the data. The company must try its very best to show that the data collected from a person is kept safe, and the data is not abused, misused or disclosed without authority. So what is the cybersecurity standard? It’s very difficult to set it.
Hackers are always ahead of individuals, organizations and authorities. The Ordinance requires only all reasonably practical steps to be taken to ensure the security of personal data but still the number of data breaches is rising year after year around the world. It is now up to 6500 data breaches in the world per year. In Hong Kong, over the last 5 years or so, around 300 data breaches have taken place.
In fact, providing a notification of a data breach is not compulsory in Hong Kong. For example, if a company is aware that the personal data of its customer has been stolen, the company is not required under the Ordinance to inform us. In the past, there were concerns that keeping up with the standard of data security impose a heavy financial burden on SMEs. Now, the situation has changed and we must strike the balance between the protection of the individual’s right and economic development. We feel that because of an increased number of data breaches, it might be opportune for us to ask organizations to file notifications with us, the regulator and the people affected, in good time. We still have the challenge of convincing and assisting SMEs because it could be very costly for them to do so.
Another challenge is helping organizations comply with legal requirements. Personally, I believe that Organizations have legal obligations to comply with the legal requirements. Innocence of law is not a defense. Organizations are now expected to take all the necessary steps to ensure the protection of personal data and as a regulator, we should provide guidance on how to comply with relevant legal requirements. Data doesn’t belong to the organizations, it belongs to the individuals themselves. We have to do something to help and engage organizations.
Simply asking organizations and individuals to comply with legal requirements is not good enough, even though the sanctions and punishment are deterrent enough. However, in the case of tech giants, we have seen that no matter how much a regulator fine them, they are still breaching legal requirements and making a lot of money. In Hong Kong especially, the Ordinance is not deterrent enough. It only imposes a minimum fine on those offending the law.
Back in 2013, we suggested developing management accountability, data ethics, data governance and data stewardship. We conducted surveys and issued reports based on these suggestions last year. In Brussels, at the International Conference on Data Protection, data protection and privacy commissioners around the world gave a declaration on data ethics, supporting the adoption of ethical standards for data protection. Indeed, we are very lucky as Hong Kong was one of the co-chairs of a permanent working group in Europe. Ethical standards complement the Ordinance and developing ethical standards is what we have been trying to do.
Hopefully, by adopting a carrot and stick approach (i.e. with enforcement, education, facilitation being put in place), it will enable us to help enterprises and other stakeholders to comply with the Ordinance, which would help increase consumer trust in enterprises and in turn, establish a better reputation for these enterprises. At the end of the day, we should be able to cultivate a privacy culture comprising not only the Ordinance but also ethics. Under the privacy culture, we will have an effective regulation on personal data protection].
I think this is the way forward, not only in Hong Kong, but also across the globe. We see the EU has changed the law and published guidelines on data ethics. Such practices of the EU are entirely in line with the development of a better and more ethical global privacy landscape.