Good idea then, bad idea now: Privacy laws for moving your data

Charles Mok criticizes the unimplemented “data localization” provision sought by the government. 20 years of nothing may have been the government’s best move.

Photo: Addressing Hong Kong’s leading c-suites (‘c’ level executives) at cybersecurity conference CLOUDSEC 2015, IT sector LegCo representative Charles Mok spoke about cybersecurity from a policy perspective.


Difficult and counterproductive

“We all thought it was a great idea 20 years ago,” said Mok during his speech in the Wanchai Convention Centre on 11 August. As it turned out, it wasn’t a great idea and the consequences could apply to everyone in Hong Kong.

He was referring to Section 33 of the Personal Data (Privacy) Ordinance (PDPO), which was signed into law in 1995 and has languished, unimplemented, for two decades. The provision bans the export of personal data unless certain conditions are met, one of them being that the transfer destination must have strong data privacy laws like Hong Kong’s. But real protection never came to be. Mr Mok questions whether we even want this protection.

He argues that with increasing global integration of data, it would be difficult and counterproductive to regulate the export of data.

“[During the LegCo discussions of] the electronic health record legislation that was just passed in July, we asked: ‘[If] a Hong Kong doctor is travelling in Europe and tries to access [personal medical] information [stored in] a database in Hong Kong, does that constitute a data transfer [under Section 33]?’ The answer of the privacy commissioner’s office was ‘yes’. So if that’s the case, it’s not about storing the data – you can’t even access the data.”

The Electronic Health Record System Sharing Bill, passed in committee in July 2015, enables public and private hospitals to share personal health records after getting the consent of patients.

A “disservice” to the industry

Aside from making necessary data access difficult, Mr Mok also questions whether regulating data transfers is a practical or sensible policy. “In today’s [globally-connected] world of Internet and cloud computing, is it even practical [to regulate data transfers]? Is it going to do our industry a disservice by simply saying that all data must remain in Hong Kong?” Mr Mok asked.

According to Mark Parsons and Peter Colegate, partner and lawyer, respectively, at multinational law firm Hogan Lovells, the provision would negatively affect “many outsourcing and offshore service arrangements [involving] service providers accessing data on the customer’s local servers.”

Furthermore, the new provision also restricts “processing of a Hong Kong subsidiary’s personal data by another affiliate in the same group offshore”. This would affect many foreign “centralised group databases and shared services centres” owned by multinational corporations operating in Hong Kong.

Regarding recent high-profile cross-border phone scams involving data transfers to the Mainland, the new Privacy Commissioner Stephen Wong Kai-yi said the Commission could not be involved because Section 33 has not been implemented.

Raymond Tam, Secretary for the Constitutional and Mainland Affairs Bureau (CMAB), told LegCo in April that the CMAB is working with the Privacy Commissioner to prepare for the implementation of Section 33, but he did not provide a date for when it would be done.

Overstepping boundaries

In his speech at the CLOUDSEC 2015 conference, Mr Mok also raised concerns about the Independent Commission Against Corruption (ICAC) looking into using surveillance programs provided by Italian surveillance technology company Hacking Team, as revealed by leaked emails between ICAC’s principal investigator Simon Tse Yiu-keung and Hacking Team’s Singaporean branch.

“There’s no proof that they have bought [the surveillance program from Hacking Team]. But of course, even if they bought it, they don’t have to come to our Financial Committee to get money for that, so we wouldn’t know. But the ICAC told us they haven’t bought it and that they were just asking for information. I actually wrote a letter more than a month ago to the ICAC Commissioner to ask for more details, and he said, ‘We cannot disclose any operational details.’”

In addition, Mr Mok warned against the government overstepping its boundaries in future cybersecurity legislation.

“Is [cybersecurity legislation] simply going to make it easier for government to get records from companies or from citizens? Is it going to infringe upon the right to access the internet? … I do believe that we have to try to find a balance in trying to respect personal rights, personal privacy, and freedom, while at the same time making sure that we find effective tools to fight cyber threats, which remain very important and will just continue to happen. This is not easy, but privacy and security – they both matter.”