This fall, at the end of September, the International Conference of Privacy and Data Protection Commissioners will kick off in Hong Kong, bringing the world’s regulators together for the 39th time. It’s no coincidence that Hong Kong will play host. In Privacy Commissioner for Personal Data Stephen Wong, Hong Kong has a motivated and active privacy enforcer looking to be a leader on the global stage.
Of course, Hong Kong has long been a leader in the Asia-Pacific region, with one of its oldest privacy frameworks. The PCPD, as the regulator is known, celebrated its 20th anniversary last year and has been increasingly active of late, holding workshops, issuing statements, and producing guidance for organizations looking to operate in Hong Kong.
In 2016 alone, the PCPD conducted 255 professional workshops, with 25,800 participants from 420 organizations. That activity, plus 21 publications and 18 large-scale promotional events for the general public, is extremely out of the ordinary for a privacy commissioner’s office. They even put together a six-episode TV series! This is an organization that’s laying the groundwork for no-excuses enforcement. Every effort has been made to let you know how privacy should be done. Violate the privacy ordinance at your own risk.
One specific thing to remember about Hong Kong’s privacy regime is that violating privacy rules can be a criminal offense in Hong Kong, and that the PCPD actually refers cases to the police for prosecution. In 2016, three separate people were convicted of privacy-related crimes, all essentially for direct marketing without consent, resulting in fines and community service.
Quite simply, it’s not just your company that could suffer, but perhaps you, personally.
This is relatively rare, however, and the Hong Kong commissioner’s office is known for being consultative and available. Hong Kong, like Singapore, prides itself on being a hub of global business, and Commissioner Wong has openly said that it’s important to balance privacy enforcement with making sure regulations aren’t too onerous for businesses to comply with.
So, what’s likely to actually land you in hot water? For one, standing out from the crowd. Wong’s office has appealed to corporations to “self-regulate” by providing transparent privacy statements and providing privacy settings that users can adjust. As long as you do what your privacy statement says you’re going to do with personal data, and provide meaningful opt-outs, you’ll be mostly in the clear. Direct marketing has been most significantly in the Commissioner’s crosshairs, so it’s also important that you crosscheck any lists you might buy to make sure you’ve got consent to text or even direct mail.
Hong Kong residents do not like spam of any kind and they’re likely to report it if they see it. More than 20 percent of complaints to the Commissioner stemmed from direct marketing, as did all of the prosecutions.
There is also growing awareness of Hong Kong’s privacy ordinance, now that its new format has been in place since 2013. A full 45 percent of complaints to the Commissioner involved use of personal data for which companies did not have consent. Especially in the financial sector, Hong Kong consumers are savvy.
It might also be instructive to look at the PCPD’s areas of focus from 2016:
- CCTV. Yes, they still call it that, even though not many cameras run on that old coaxial cable anymore. If you’re putting a camera somewhere, make sure you provide notice, have a policy for who can view the footage, and keep security tight. If footage you captured gets out into the light of day, that’s a serious breach in Hong Kong.
- Mobile apps. Along with many other global privacy commissioners, the PCPD has expressed specific concerns about the personal nature of the data collected on mobile devices. Specifically, make sure you’re transparent about collecting location data or accessing things like a device’s camera or microphone. Make sure you use just-in-time notices, not simply a line or two buried in the app’s privacy notice. That won’t cut it.
- Internet of Things. Similar to mobile apps, IoT devices, like fitness trackers or virtual assistants, have access to vast amounts of personal data. The Commissioner has expressed concern about how manufacturers can provide notice in areas where there is often no screen or other way for users to read privacy notices in a traditional way. Be overly transparent if there’s any question about whether users might not expect certain data to be collected or used.
All of that said, the PCPD issues more warnings than enforcement actions. However, in a highly competitive market like Hong Kong, it may be that the brand hit that comes with a warning could be almost as damaging as a fine or other action. Given the regulator’s willingness to listen and provide advice, it seems especially prudent to err on the side of caution and communicate with the PCPD if you’re considering an innovative use of data on the island.