New data protection legislation that will soon come into force in Europe is more stringent and wide-ranging than the law in Hong Kong and will affect some local businesses, writes Boase Cohen & Collins solicitor Allison Lee.
Hong Kong, 29 March 2018: As the fallout continues from the Facebook and Cambridge Analytica controversy, it is worth remembering that the European Union is about to implement robust new data protection legislation that will have an impact on businesses worldwide, including some in Hong Kong.
The General Data Protection Regulation (GDPR) will take effect in Europe on 25 May, replacing the 1995 Data Protection Directive. The new regulation aims to safeguard consumers’ personal information by specifying how it should be used and protected by businesses. Therefore, it will have a profound effect on the methods by which businesses store and process personal data.
There are two key points to note about the new legislation. Firstly, in a significant change, it will apply worldwide. Not only will EU-based businesses be bound by it, so will organisations outside the EU that process personal data in relation to people living in the EU. Hong Kong-based businesses, therefore, need to consider how the GDPR may impact them and whether they should be reviewing their practices.
Secondly, the sanctions for non-compliance will be much tougher – a fine of up to €20 million per infringement or 4% of the company’s worldwide turnover, whichever is higher. Enforcement will be left to the relevant national authorities.
There are various major differences between the GDPR and Hong Kong's Personal Data (Privacy) Ordinance (PDPO) including, inter alia, the following:
1. As mentioned, the GDPR will apply not only to European-based businesses but also businesses outside of Europe that process or monitor European citizens’ personal data (Article 3 of the GDPR). On the other hand, the PDPO applies only to businesses that control the collection, holding, processing or use of personal data in or from Hong Kong (Section 2 (1) of the PDPO).
2. The GDPR requires businesses to obtain consent from consumers for their data to be processed (Article 4). On the other hand, consent is not a prerequisite for the collection of personal data under the PDPO.
3. Pursuant to the GDPR, consumers have the right to have their personal data erased when the data is no longer necessary for its original purpose (Article 17). As for the PDPO, there is no general right for consumers to have personal data erased, but businesses should not retain data for longer than necessary.
4. The GDPR requires businesses to adopt data protection by design – that is, embedding data privacy into their services and products from the start (Article 25) – and to carry out an impact assessment of the effect of the envisaged processing operations on the protection of personal data (Article 35). Large-scale businesses must also appoint professionally qualified data protection officers to monitor the processing of consumers' sensitive information (Article 37). The PDPO does not contain such requirements.
5. The GDPR categorises sensitive personal data, such as racial or ethnic origin, political opinions and religious beliefs (Article 9) while the PDPO makes no distinction between sensitive and non-sensitive personal data.
6. The GDPR requires each business to have a defined process in place to cater for a data breach (Chapter 4). The business has to notify its consumers and the supervisory authority within 72 hours in the event of a data breach (Article 33). There is no such requirement in the PDPO.
7. Under the GDPR, companies that process personal data on behalf of businesses – the “Data Processors” – will be responsible for complying with various obligations, including ensuring security of processing and maintaining personal data. The PDPO, however, does not regulate the Data Processors. Instead, the onus is on businesses that engage Data Processors to ensure the latter comply with PDPO regulations through agreements or other methods.
8. As mentioned, the GDPR gives supervisory authorities the power to impose fines on businesses for data breach (Article 58). Hong Kong's Privacy Commissioner for Personal Data is not empowered by the PDPO to do this but may serve enforcement notices on businesses (Section 50). Contravention of the enforcement notice is an offence.
In summary, the GDPR enhances the protection of consumers' data and many businesses will have to dedicate time and resources to improving their practices in order to comply. Further, the GDPR is part of a global trend towards more robust and wide-ranging data protection.
Finally, it should be noted that Hong Kong’s PDPO came into effect in 1996 and was updated six years ago with the Personal Data (Privacy) (Amendment) Ordinance 2012, which included a particular focus on direct marketing. The office of Hong Kong’s Privacy Commissioner for Personal Data, Stephen Wong, has already conducted a comparative study between the GDPR and PDPO, one of the aims being to assess whether the PDPO should be reviewed to catch up with international data protection standards.