Produced in partnership with Carmen Tang of Hugill & Ip
Penalties for Data Privacy Breaches
8 June 2021 | PDF Version
Although data is an intangible concept, it is abundant in the modern world. To constitute ‘personal’ data, the data must fulfil three requirements pursuant to s2 of the Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”):
- The data must relate directly or indirectly to a living individual;
- It must be possible from such data to directly or indirectly determine the identity of the individual; and
- The data must be in a form in which access or processing is practicable.
There’s a very small ‘naughty corner’ for data breach
Data users are required to comply with the six data protection principles (“DPP”) set out in section 4 of the PDPO. In brief, they concern:
- DPP1 – Purpose and manner of collection;
- DPP2 – Accuracy and duration of retention;
- DPP3 – Use;
- DPP4 – Security;
- DPP5 – Information to be generally available;
- DPP6 – Access for data users.
At present, the Privacy Commissioner for Personal Data (“the Commissioner”) has no statutory power to impose an administrative fine where a data breach occurs. Penalties under the PDPO currently arise only where the Commissioner has issued an enforcement notice under s 50 to the data user, and the data user fails to comply. Pursuant to s 50A of the PDPO first conviction, the data user in breach may receive a maximum fine of HK$50,000 and 2 years imprisonment (with a daily penalty of HK$1,000 if he/she continues to contravene the enforcement notice); on second conviction, the fine increases to a maximum of HK$100,000 and 2 years imprisonment (daily penalty for continued contravention increases to HK$2,000).
Since the PDPO came into force in 1996, there have been relatively few convictions. In any case, the convictions were mostly for direct marketing offences. Additionally, most fines imposed by courts are relatively low. This means the deterrent effect are relatively low.
Legislative amendments may be on the way
Some of the most well-known cases of data breach reflect the much-needed amendment to increase the Commissioner’s powers. For example, Cathay Pacific Airways was fined the maximum £500,000 (approx. HKD$5 million) by the British Information Commissioner’s Office (“ICO”) for a data breach in 2018 that affected over 9 million customers globally. Due to the timing of the breach, the ICO treated the breach as falling under the previous UK data protection legislation (Data Protection Act 1998), rather than the General Data Protection Regulation (“GDPR”) of the European Union. Under the GDPR, Cathay Pacific could have been fined £470 million, representing the maximum allowed 4% of the company’s global annual turnover. In contrast, the Commissioner merely served an enforcement notice on the company.
However, not all hope is lost. On 20 January 2020, the Constitutional and Mainland Affairs Bureau together with the Commissioner published a paper for discussion at the Legislative Council. It detailed a review of the PDPO, introducing six proposed amendments. Most pertinent include conferring the Commissioner with powers to impose direct administrative fines, referencing the maximum fine under the GDPR and considers introducing administrative fines which will be linked to annual turnover of the data user. Additionally, the proposed amendments introduce a mandatory notification mechanism in the case of a data breach, which does not currently exist in the PDPO. The data user will be mandated to report the breach to the Commissioner within a specified time frame. The proposals also consider notification to data subjects.
Although imposition of administrative fines is not a power held by all data privacy regulators (such as Australia, New Zealand, and Canada do not have fining powers), the UK, Singapore, South Korea, and the EU do. The proposed amendments aim to strengthen Hong Kong’s data privacy protection by more closely aligning the PDPO with the EU’s GDPR.
Remedies for the data subject
Pursuant to s.66 of the PDPO, the data subject may seek compensation from the data user for damage caused by contravention of the PDPO.
A recent example: Tsang Po Mann v Tsang Ka Kit and anor.  HKCU 665
In early 2021, the District Court found in favour of a plaintiff who brought a case under s.66 of the PDPO for compensation for injury to her feelings. However, note that this case was related to the tort of defamation, different from the traditional data breach cases, which often stem from data leakages.
Tsang (“Plaintiff”) brought a defamation case against her uncle and aunt (together the “Defendants”); the parties lived in the same village in Shatin, with the uncle being the village representative. In November 2015, a letter was sent to the Plaintiff’s place of work; the Plaintiff was employed as a native-speaking English teacher at a primary school.
The letter was addressed to the Principal and English Panel Chairperson, containing four video captures (“Photos”) and the following words underneath:
"Miss Tsang Pomann, 當作自己是英國人，常用英語與鄰居吵罵, 擅自開啟他人閘門, 帶狗隻隨處便溺"
The English translation would go as:
"Miss Tsang Pomann, pretends to be English, always quarrels with neighbours in English, opens other peoples gates without consent, and let her dog foul everywhere"
Relevant to this article are the photos included in the letter, which were obtained from footage from ten CCTV cameras installed at the Defendants’ home, and set up by the Uncle. The Plaintiff’s case was the Defendants were in breach of two DPPs, as set out in s.4 and schedule 1. The Plaintiff claimed the Defendants breached:
- DPP 3(1) which provides that data should not be used for a new purpose without the prescribed consent of the data subject; and
- DPP 4(1) which requires data users to take all practicable steps to ensure that any personal data is protected against unauthorised or accidental access.
Consequently, the Plaintiff claimed (under s.66(1)) she suffered damage by reason of contravention of the abovementioned requirements. Section 66(2) entitles injury to feelings to fall under damage in s.66(1).
The judge found the Defendants were data users within the meaning of the PDPO, and the publication of the Photos obtained from the CCTV footage by way of the letter sent to the Plaintiff’s workplace constituted use of personal data for a new purpose.
The key issue was whether the Plaintiff was able to prove she suffered damage by reason of the Defendants’ contravention of the DPPs. The Plaintiff stated
‘upon discovery of the Letter, she had been unable to sleep well and always felt paranoid and feared that she would be watched and filmed all the time. Whenever she heard noises outside her window she became very nervous. She had to seek medical assistance and was prescribed sleeping pills on one occasion.’ [at 129]
This was accepted by the Court, rejecting the Defendants’ submission that the Plaintiff’s claim was not genuine, and she did not suffer injury to her feelings, as the judge found ‘no culpable delay of her claim which can disprove its validity’ [at 131]. As the Plaintiff’s counsel did not address the appropriate amount of compensation payable under s.66, the judge assessed quantum of damages by reference to other discrimination cases and taking into account the gravity of injury to the Plaintiff’s feelings, and the manner of misuse of the Photos. Ultimately, the Plaintiff was awarded $70,000 under s.66 of the PDPO.
In Hong Kong, the remedies and enforcement against a data privacy breach are limited. This is particularly the case where the data user is an individual, or a small company (c.f., Cathay Pacific, or other breaches by larger businesses). The lack of a mandatory breach notification provides an additional difficulty data subjects to pursue remedies. The proposals to amend the PDPO will address such issues, providing the Commissioner with greater powers to impose fines – which will hopefully have a deterrent effect and increase data users’ awareness of having a plan to address data breaches and to increase the chances that data users have a high level of protection for personal data – and allow data subjects to more efficiently seek remedies where there has been a data breach.
Disclaimer: This article is provided for reference purposes only and are not intended, nor should they be used, as a substitute for professional advice or judgment or to provide legal advice with respect to specific circumstances. If you require any legal advice or other expert assistance, please consult a competent professional adviser.
Lexis Advance® Hong Kong Practical Guidance provides up-to-date practice notes, precedents and know-how from specialist solicitors and barristers so you can work efficiently and provide advice with confidence. It also contains exclusively written content by trusted experts in the field. Hugill & Ip is one of our many expert contributors from a range of Hong Kong legal leaders.
Partner, Hugill & Ip
Carmen has worked in both the private and public sectors, including the Government and the Law Society. Qualifying in Hong Kong in 2004 and England and Wales in 2007, she started her legal career working as a commercial litigator where she advised and acted in a wide range of disputes, including those relating to the financial services sector.
Carmen’s skills as a litigator led to a call from the Privacy Commissioner for Personal Data and, in 2010, she was appointed Legal Counsel with responsibility for providing legal advice on personal data protection issues arising from complaints or compliance checks. She also advised government organisations on data privacy issues, vetted proposed legislations, and handled appeal cases on the Privacy Commissioner’s behalf.
She expanded her legal expertise further in 2012 when she became Investigation Counsel for the Law Society of Hong Kong, leading probes into alleged professional misconduct cases for the Compliance Department. The role also included leading inspection and intervention exercises and assisting prosecutors in running disciplinary proceedings. After five years as regulatory counsel, in 2017 Carmen returned to private practice as a Senior Associate – then Partner – in both Dispute Resolution and Data Privacy.
Carmen has recently advised and acted on various litigation and probate matters, including shareholders’ disputes, inheritance and dependants claims – including contentious probate actions, revocation of grants of representations and succession entitlement under interest. She also regularly advises organisations on all aspects of data protection compliance, and provides opinions on legal malpractice and professional ethics issues.
Carmen is a CEDR accredited Mediator and a member of the International Association of Privacy Professionals (IAPP). She has recently been credited as Certified Information Privacy Professional / Asia (CIPP/A) and Certified Information Privacy Professional / Europe (CIPP/E).