InvestHK Ransomware Incident Reminds Businesses to Take the Appropriate Security Measures

InvestHK, the Hong Kong Special Administrative Region government department responsible for promoting foreign direct investment, has confirmed that no personal data was compromised during a ransomware attack on Feb 22. Moreover, the department has also been able to resume normal operations since then and no further suspicious activities have been identified.

However, the incident should serve as a reminder that it is essential for businesses to take the appropriate security measures to prevent personal data from being compromised. This is particularly important in an environment where cyber attacks are increasingly commonplace and companies are relying on data to run their business.

Aside from the fact that a data breach could be costly, it could also lead to severe regulatory action. Regulatory authorities such as the Privacy Commissioner for Personal Data (PCPD) and the Information Commission of Hong Kong may fine companies found to be in violation of their data protection obligations. In addition, the PCPD has the power to order remedial action or compensation from data users who have failed to comply with the six core Data Protection Principles (DPPs) of the Personal Data (Privacy) Ordinance (PDPO).

If a company is transferring personal data to an overseas recipient, it is important that it considers its obligations under the PDPO before making such a transfer. Firstly, it is necessary to determine whether the data being transferred meets the definition of ‘personal data’ under the PDPO. For this purpose, the PDPO defines ‘personal data’ as data that concerns an identifiable person.

This includes information such as the name, address, telephone number, email address and other data that can be used to identify a person. However, it does not include data that is only capable of being used to describe a particular group of people such as a gender, ethnicity or profession.

In this respect, it is worth noting that the PCPD’s recommended model clauses for data transfers require a data user to ensure that the data processor will not use, or permit any sub-processor to use, the transferred personal data in any location outside Hong Kong other than those expressly agreed with the data user. The same model clauses also require the data processor to undertake that any processing of the transferred personal data necessary for the purposes of the contract will be carried out in accordance with the terms of the data transfer agreement and the PDPO’s DPPs.

The next step is to consider whether the personal data that is being transferred relates to an identifiable person. If it does not, then it is unlikely that the PDPO’s obligations in respect of data transfer will apply.

Lastly, it is important to consider the intention of the person acquiring the data. If the recipient is merely collecting the data for marketing purposes, then it is unlikely that an obligation to provide a Personal Information Collection Statement (PICS) will arise, and issues in respect of data transfer may not even come up for consideration.