Biometric data falls within the definition of personal data for the purposes of the PDPO, both in the form of physiological data with which individuals are born and behavioural data developed by an individual after birth. is in a form in which access to or processing of the data is practicable. Local data protection laws and scope. The Personal Data (Privacy) Ordinance (Cap. the purposes for which the personal data will be used; whether supplying the personal data is obligatory or voluntary and the consequences for failing to supply obligatory information; the classes of persons to whom personal data may be transferred or disclosed; if applicable, information about the use and/or provision of personal data for direct marketing; and. There are also sector-specific guidelines, such as the Guideline on Medical Insurance Business, which advises that authorised insurers and licensed insurance intermediaries should at all times exercise due care and diligence in collecting, handling, storing, using, transferring and erasing customers' personal data and comply with the PDPO and its guidance. Section 161 of the Crimes Ordinance (Cap. The PCPD may conduct an investigation where it (i) receives a complaint on a possible breach of the PDPO; or (ii) has reasonable grounds to believe that there may be a contravention of the PDPO (s.38 of the PDPO). The PCPD has published Guidance for Mobile Service Operators, providing practical guidance to mobile service operators on complying with the PDPO in their business operations, e.g. The Consultation Paper conducts a comprehensive comparison of the cybercrime laws in seven other jurisdictions, namely Australia, Canada, England and Wales, Mainland China, New Zealand, Singapore and the USA.
If the proposed Hong Kong cybersecurity legislation does mirror the PRC Cybersecurity Law, CII operators will be subject to an additional set of legal requirements, such as the creation, improvement and maintenance of internal cybersecurity systems; self-assessment regarding the sensitivity of data collected; and formal application for data transfers. Any measures for ensuring secure transmission of the data. A key takeaway is the possible extra-territorial application of the New Cybercrime Offences. This note provides an overview of the legal framework in Hong Kong as it relates to cybersecurity and cybercrime, focusing on what organisations can and must do to protect individuals' data from attempted breaches, as well as the laws that criminals break in carrying out their attacks. For further information on direct marketing see question 23 below. Separately, the Chief Executive of the Hong Kong Monetary Authority . As the organisation engages the third party to collect or track user behaviour, it is the organisation's responsibility to understand from the third party what information is being collected and the means by which the information is collected. The details of the legislative proposal are not yet available. See further details on this below.
The PCPD recommends that organisations: Online tracking information held by data users should be accurate, should not be kept for longer than necessary, and should only be used for the purposes originally stated at the time of collection. A Q&A covering the essentials of cybersecurity in Hong Kong, including key legislation, enforcement and best practices. Under the PDPO there is currently no specified data retention period nor any statutory obligation to maintain a data retention policy. prevent any personal data transferred from being kept longer than is necessary for processing (DPP2(3)); and. In these circumstances, explicit and voluntary consent from the data subject must be sought in compliance with DPP3. Data protection authority: The Office of the Privacy Commissioner for Personal Data (www.pcpd.org.hk). This can prove difficult in practice since class actions are not permitted in Hong Kong and individual losses may not be sufficient to justify a data subject bringing a claim. The maximum penalty for an offence under the PDPO is a fine of HK$1 million and imprisonment for 5 years (depending on the provision breached). In practice, data users provide a Personal Information Collection Statement (PICS) or privacy notice. the PCPD is of the opinion that an investigation is unnecessary. On 8 October 2021, the Hong Kong SAR Government implemented the Amendment Ordinance, which amends the PDPO to include new doxxing offences. If the data subject subsequently requires the data user to stop using his personal data for direct marketing purposes, the data user must immediately stop that use (s.35G of the PDPO).
Sections 20 and 24 of the PDPO provide certain exceptions to a data user's obligation to comply with data access or correction requests, for example where the data subject does not supply enough information to verify his/her identity. Using personal data for direct marketing purposes. There are no minimum contract terms, or standard contractual clauses, required for processors of personal data. Hong Kong has its own data protection rules which are not affected. The law, which is currently at the . The PCPD has issued the Code of Practice on Human Resource Management to provide practical guidance to data users performing human resource management functions and activities. The scammer would then gain access to the CEO's or the executive's email account, send emails to employees requesting money, and then slip into the payment flow to intercept payments from the employees. Please see question 28 above. respect any user's wish not to be tracked or offer users a way to opt out of the tracking (especially if this is conducted by third parties) and inform them of the consequence of opting out. The publication examines the key highlights, challenges and considerations of the Law, which focus on areas like personal information protection, critical information infrastructure, network operators, preservation of sensitive information, the . the PCPD's power to direct the removal of doxxing content and issue cessation notices with extra-territorial effect. Personal data should be processed securely, only kept for as long as necessary, and use of the data should be limited to or related to the original collection purpose. Under DPP2, data users must take all practicable steps to ensure that personal data is accurate and is not kept longer than is necessary for the fulfilment of the purpose for which the data is used. This week the Cybercrime Subcommittee of the Law Reform Commission (LRC) in Hong Kong published a consultation paper on cybercrimes and related .
455) (OSCO) provides an offence for any person (including a victim) to make a payment to a person when they know or have reasonable grounds to believe that the ransom payment represents the proceeds of an indictable offence. The Amendment Ordinance provides for four statutory defences to the two-tier doxxing offences (see question 1 above), including: The PDPO does not impose data protection by design or data protection by default as requirements. Personal data held by a court, a magistrate or a judicial officer in the course of performing judicial functions; Personal data relating to staff planning and personal references; Personal data held for the purposes of prevention or detection of crime, the apprehension, prosecution or detention of offenders and other similar provisions; Where personal data is disclosed to a data user involved in news activity and the disclosing person has reasonable grounds to believe (and reasonably believes) that the publishing or broadcasting is in the public interest; and. The key personal data protection framework in Hong Kong is in the PDPO.
Silence cannot constitute consent. The Security Bureau and the Innovation and Technology Bureau are conducting a joint study, paving the way for a legal framework that will require compliance from private companies, statutory bodies and government departments on cybersecurity, government sources told HKFP. The Draft Regulations are intended to implement portions of three existing laws: the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law. On May 28, China's national legislature, the National People's Congress (NPC . See question 28 above. On June 1, 2017, China's Cybersecurity Law went into effect, marking an important milestone in China's efforts to create strict guidelines on cyber governance. This report provides an overview of China's Cybersecurity Law, which was adopted in November 2016 and will come into effect on 1 June 2017. However, online tracking activities must comply with the provisions of the PDPO. The PCPD has recommended in its Guidance on Data Breach Handling and the Giving of Breach Notifications that data users should notify the PCPD about data breaches as part of recommended practice for proper [data breach] handling. Personal data covered by legal professional privilege.
Non-compliance with any mandatory provisions of the Code will count unfavourably against the data user both in any investigation before the PCPD and in any judicial case related to any alleged breach of the PDPO. making telephone calls to specific persons. Industry-specific regulators also have their own powers to enforce any breach of their own regulatory framework, and to impose sanctions applicable to the relevant regulatory breach. Different offences are scattered over various ordinances, including the following: The New Cybercrime Offences are as follows: The New Cybercrime Offences, except for illegal interception of computer data, come in an aggravated form if further criminal activities or a high degree of severity are involved. The details that will define the policy effect and direction of the proposed laws will be: the proposed scope of terms such as CII operators. This strategy also highlights the importance of cybersecurity legislation. DPP1(1)(a) provides that personal data must not be collected except for a lawful purpose directly related to a function or activity of the party that will use the data, while DPP1(3) requires that the data subject be notified explicitly of certain information related to the collection of data before the first collection (save for limited circumstances). There is currently no obligation to consult with the PCPD, or to issue data breach notifications to the PCPD. The PCPD may issue written notices to persons who may be able to assist the PCPD's investigation, requiring the provision of materials and assistance (s.66D of the PDPO). The Amendment Ordinance also contains additional investigation powers in respect of the two-tier doxxing offences. This includes where a data user contravenes the requirements of an enforcement notice.
Hong Kong has seen a series of cybersecurity attacks, such as when a local airline's cache of client data was stolen, or when the Hospital Authority saw its patients' data hacked. Since Beijing enacted the new national security law tailor-made for Hong Kong on June 30, the business community in the city has expressed concern over the legislation that gives authorities broad . The PCPD has indicated across several of these guidance notes that sensitive personal data should be encrypted when transmitted, processed or stored. the complainant has known about the act complained of for more than 2 years immediately preceding the date of receipt of the complaint; the complaint is substantially similar in nature to a previously initiated investigation in which the PCPD found no contravention of the PDPO; or. It also covers the powers available to the Privacy Commissioner for Personal Data, Hong Kong's personal data privacy regulator, and what organisations should do if a breach occurs. An appeal against an enforcement notice issued by the PCPD can be made to the Administrative Appeals Board within 14 days after the notice is served (s.39 of the PDPO). The PCPD has recommended that businesses should report a data security breach as part of proper data breach handling.
The type and sensitivity of personal data is also relevant in considering whether to give a voluntary data breach notification: the PCPD's non-binding Guidance on Data Breach Handling and the Giving of Breach Notifications suggests giving a data breach notification to data subjects where there is a reasonably foreseeable real risk of harm arising from the data breach. This has highlighted the need for more robust, updated and comprehensive cyber legislation in Hong Kong.
The Securities and Futures Commission (SFC) has also issued guidance, FAQs and circulars on cybersecurity, most recently in relation to internet trading, remote office arrangements, and use of external electronic data storage. While data processors are not subject to the PDPO, data users that use data processors to process personal data on their behalf (or for their purposes) are liable for any violations of the PDPO by the data processor as if they were processing the personal data themselves. The Cybersecurity Law of the PRC ("CSL") has been in effect since June 1, 2017. The proposal came a few days after the cybersecurity regulator launched reviews into the data collection practices of three Chinese tech companies that recently listed in the U.S.: Didi Chuxing,. A data processor can also be a data user if it decides the purpose for and manner in which personal data is to be processed (rather than simply the technical methods by which a data user's instructions will be carried out). 593)). Responses are due on 19 October 2022. In addition to the general requirements of the PDPO, the Electronic Health Record Sharing System Ordinance (Cap. Under the New Cybercrime Offences, ransomware would be considered an offence of making available or possessing a device or data for committing a crime. On November 14, the Cyberspace Administration of China (CAC) released the draft Regulations on the Administration of Network Data Security . Personal Data (Privacy) (Amendment) Ordinance 2021. This has been exacerbated by the global pandemic, which has forced criminals online, with the number of cases in 2021 representing a 162% increase on the 2020 figure alone. We are expecting further updates and guidance around cybersecurity and cybercrime legislation.
The PCPD has published the Guidance on Property Management Practices to assist property management bodies in understanding and complying with the PDPO in specific situations which may arise during their operations. The official position of Hong Kong law enforcement authorities is that they do not recommend paying a ransom. For the summary offence of illegal access to programs or data, the HKLRC is of the view that the Hong Kong courts should only have jurisdiction where the act constitutes a crime in the jurisdiction where it was performed. In determining what constitutes practicable steps, the data user should consider: There is no statutory definition of security breaches. US$1,300 to US$1.3 million) and/or imprisonment for up to 6 months to 5 years. Data processing operations are governed by the Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG) of 30 June 2017, as last amended by Article 12 of the Second Act to Adapt the Data Protection Law to Regulation (EU) 2016/679 and to Implement Directive (EU) 2016/680 of 20 . Data processors are not directly regulated under the PDPO.
Organisations which use online tracking technologies should also adopt privacy-enhancing technologies to minimise the risk of personal data exposure, such as encryption or hashing to maintain data confidentiality, a robots exclusion protocol to prevent search engines from indexing websites, and anti-robot verification to stop databases from being downloaded in bulk by automation. 227) (i.e., six months) is too short in relation to summary proceedings for the New Cybercrime Offences. However, Hong Kong generally follows the common law, and the English Court of Appeal held that a ransom payment only becomes criminal property in the hands of the recipient (in the case of a cyberattack, the threat actors), rather than when in the hands of a payer (R v L & Ors [2005] EWCA Crim 1579, dealing with the position under s.327 of the English Proceeds of Crime Act 2002). Hong Kong, on the south coast of China, is one of the two Special Administrative Regions of the People's Republic of China. The exemptions applicable in each circumstance are different, and it is advisable to review the table published by the PCPD summarising the exemptions. If a website deploys third-party cookies, regardless of whether any personal data is involved, it should state clearly what kind of information the cookies collect, to whom the information may be transferred and for what purposes. any person disclosing personal data obtained without consent from the data user, with intent to gain or cause loss to the data subject, or where the disclosure causes psychological harm to the data subject, is liable to a fine of up to HKD1,000,000 and imprisonment for up to 5 years (s.64 of the PDPO). In particular, this sets out that authorised insurers are expected to put in place and maintain a cybersecurity strategy and framework. Despite the ability to rely on implied consent for primary data use, it is advisable to obtain written consent (which may be indicated by a signature or a tick box).
The Hong Kong national security law will have implications for privacy, cybersecurity, data, and trade issues. The PDPO contains specific provisions restricting cross-border transfers of personal data, but these have never been brought into force. The PCPD may also carry out proactive inspections of any personal data system for the purpose of making recommendations to a data user (s.36 of the PDPO). Where direct communication with a data subject is not possible, the data user should consider other practical alternatives to bring the notice to the attention of the data subject, such as including a PICS or privacy notice on the relevant website. For example, in the collection of customers' medical data and PII, and the engagement of private investigators in insurance claims. While Hong Kong has yet to enact specific legislation on cybercrime or cybersecurity, this will soon change with the announcement of the proposal to enact a new cybersecurity law during the Chief Executive's 2021 Policy Address ("2021 . The PDPO also includes provisions prohibiting the transfer of personal data outside Hong Kong (and the transfer between two jurisdictions outside Hong Kong where the data user is in Hong Kong) unless certain conditions are met. Organisations should inform users of the nature of such third parties, the purpose and means of collection, the retention period and whether the information collected would be further transferred to other parties by the third party; and. The Circular sets out the SFC's key areas of concern and recommended cybersecurity controls which the LCs are expected to follow. Hong Kong was always meant to have a security law, but could never pass one because it was so unpopular.
If cookies are used to collect behavioural information, it is also recommended that a reasonable expiry date for the cookies is pre-set, that the contents of the cookies are encrypted whenever appropriate, and that organisations do not deploy techniques that ignore browser settings on cookies unless they can offer website users an option to disable or reject the cookies. While it has yet to be determined which infrastructure or companies are considered critical, they may include public utilities, internet service providers and transport, the sources said. All data users are required to comply with the six DPPs, summarised as follows: Contravention of any of the DPPs is not a direct offence of itself, although the PCPD can investigate and issue a public enforcement notice, breach of which is an offence. A main objective of the DPPs is to ensure that collection of personal data is minimal and conducted on a fully informed basis and in a fair manner. Hong Kong Stock Exchange, the world's third-largest financial bourse, has always .
2. International Legal Framework for Cyber Security
2.1 Political Agendas and International Law
Cyber security is now routinely cited and consistently placed on the top of political agendas.