In determining what constitutes practicable steps, the data user should consider: There is no statutory definition of security breaches. The Insurance Authority has also issued a Guideline on Cybersecurity, which outlines the minimum standards that authorised insurers are expected to meet in relation to the handling of personal data of existing or potential policyholders. Hong Kong's personal data protection law, which has not been significantly revised since its introduction in 1996, likely needs an update to be in line with the mainland's tougher standards. Hong Kong businesses with interests in the mainland of China should closely monitor recent developments to The PCPD is the designated personal data privacy regulator and an individual can complain to the PCPD if they suspect a data user has possibly breached the PDPO. Please see question 28 above. The Circular sets out the SFC's key areas of concern and recommended cybersecurity controls which the LCs are expected to follow. DPP1 and DPP3 combined mean that it is not possible to obtain a blanket consent (in a notice or agreement between the data user and data subject) that purports to give the data user the right to use personal data for any purpose whatsoever. 486) (the PDPO). The PDPO therefore adopts an initial implied consent approach. The nature of the data and the damage that could result from unauthorised or accidental access, processing, erasure, loss, or use; Any physical security measures available for the equipment storing personal data; Any measures for ensuring the integrity, discretion, and competence of those with access to the data; and
The Office of the Communications Authority has also issued Guidelines on the Security Aspects for the Design, Implementation, Management and Operation of Public Wi-Fi Service, aimed at operators providing adequate security measures in their networks to protect user data communications including protecting the confidentiality and integrity of user data (among other things). The amendments fall into three categories: The Amendment Ordinance provides new two-tier doxxing offences as follows: Other proposed amendments to the PDPO were not included in the final Amendment Ordinance. Examples of CII include water, electricity, coal supply, communication networks, transport services and financial institutions.
any of the exemptions specified under Part 8 of the PDPO applies. Further information on health data is set out at question 28 below. Data protection. the offering, or advertising of the availability, of goods, facilities or services; or. The PDPO defines direct marketing as: Direct marketing means are in turn defined as: It does not include communications that are not directed to a specific individual, e.g.
The rapid development in technology has brought about an increasing number of cyberattacks and cybercrimes in recent years, resulting in significant challenges for law enforcement and also to the cybersecurity of critical information infrastructures (CIIs). This has been exacerbated by the global pandemic, which has forced criminals online, with the number of cases in 2020 representing a 55% increase on the 2019 figure alone. Our dedicated global practice is composed of more than 80 information governance, privacy and cybersecurity lawyers based in many of the world's key risk jurisdictions. Personal data should be processed securely, only kept for as long as necessary, and use of the data should be limited to or related to the original collection purpose. The Personal Data (Privacy) Ordinance (PDPO) is a privacy and personal data protection law in Hong Kong that regulates how local businesses and organisations may collect, handle and share personal data by imposing a set of privacy principles and data security obligations. Despite the ability to rely on implied consent for primary data use, it is advisable to obtain written consent (which may be indicated by a signature or a tick box). Under the Consultation Paper, the HKLRC suggests that the nature of cybercrime justifies the extra-territorial application of Hong Kong law. For example, in China the Cybersecurity Law of the People's Republic of China (the "Cybersecurity Law") was implemented on June 1, 2017, and in Australia the Mandatory Data Breach Notification was approved in February 2017. All data users are required to comply with the six DPPs, summarised as follows: Contravention of any of the DPPs is not a direct offence of itself, although the PCPD can investigate and issue a public enforcement notice, breach of which is an offence.
The PCPD has issued Guidance on Personal Data Protection in Cross-border Data Transfer which serves as a practical guide for data users to prepare for the future implementation of these provisions. The law has attracted significant attention and criticism from foreign companies. The details that will define the policy effect and direction of the proposed laws will be: the proposed scope of terms such as CII operators. Data Subject means a (living) individual who is the subject of personal data. China requires technology companies seeking a listing in Hong Kong to undergo a cybersecurity review as part of the sweeping new rules. On June 1, 2017, China's Cybersecurity Law went into effect, marking an important milestone in China's efforts to create strict guidelines on cyber governance. The proposed reforms include: The PCPD has recently confirmed that it is considering further amendments to the PDPO with the HKSAR Government. As companies pivot toward a digital business model, exponentially more data is generated and shared among organisations, partners and customers. The PCPD is currently reviewing the PDPO with the HKSAR Government with a view to formulating further amendment proposals. Using personal data for direct marketing purposes. China Hong Kong SAR, Australian, English, the US and a significant range of European laws, our presence and resources in .
Data users are free to consider what obligations best fit the circumstances (such as the amount and sensitivity of personal data involved, the nature of the data processing and the harm that may result from a security breach), although contractual obligations implemented to fulfil the data user's obligations under DPP2(3) and DPP4(2) may include: There are currently no laws or restrictions dealing specifically with tracking technologies such as cookies or profiling and automated decision making. In these circumstances, explicit and voluntary consent from the data subject must be sought in compliance with DPP3. The regulations have yet to be enacted but have definitely created ambiguities for companies looking to float in Hong Kong. However, Hong Kong generally follows the Common Law, and the English Court of Appeal held that a ransom payment only becomes criminal property in the hands of the recipient (in the case of a cyberattack, the threat actors), rather than when in the hands of a payer (R v L & Ors [2005] EWCA Crim 1579, dealing with the position under s.327 of the English Proceeds of Crime Act 2002). The PCPD has issued Codes of Practice (the Codes) covering certain types of sensitive personal data, relating to: The Codes are not legally binding, but a breach of a Code by a data user can give rise to a presumption against the data user in any legal proceedings under the PDPO. Hong Kong has its own data protection rules which are not affected. Data User means a person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of personal data. The PCPD has made clear that sending individuals an opt-out message is not a valid channel of obtaining consent.
While it has yet to be determined which infrastructure or companies are considered critical, they may include public utilities, internet service providers and transport, the sources said. The PCPD may also carry out proactive inspections of any personal data system for the purpose of making recommendations to a data user (s.36 of the PDPO). When you take the new rules in the context of the existing China Cybersecurity Law (CSL), Data Security Law (DSL) and PIPL, a clear picture emerges of ten high-impact changes for non-Chinese multinationals. The past decade has seen a huge increase in the incidence of cybercrime in Hong Kong. These specific provisions relate to the Crimes Ordinance, the Telecommunications Ordinance and laws related to obscenity and child pornography. It also covers the powers available to the Privacy Commissioner for Personal Data, Hong Kong's personal data privacy regulator, and what organisations should do if a breach occurs. Sit confirmed that the Hong Kong Government is data subjects' rights of access to and correction of their personal data, and the contact details for the person responsible for handling those requests. Depending on the section of the PDPO, a person committing an offence may be liable to a fine of up to HKD10,000 to HKD1,000,000 (approx. : Data Protection & Cyber Security. The Security Bureau and the Innovation and Technology Bureaus are conducting a joint study, paving the way for a legal framework that will require compliance from private companies, statutory bodies and government departments on cybersecurity, government sources told HKFP.
A data processor can also be a data user if it decides the purpose for and manner in which personal data is to be processed (rather than simply the technical methods by which a data user's instructions will be carried out). It recommends that Hong Kong courts should have jurisdiction where there is a nexus to Hong Kong (e.g., where the victim is from Hong Kong or where damages are incurred in Hong Kong). A data user must comply with the data access or correction requests within 40 calendar days of receipt, and if the data user is unable to comply with the requests within this period, a written notice of the inability and reasons must be given to the data subject, and the data user must comply with the request as soon as practicable (ss.19 and 23 of the PDPO).