The Mainland began to implement the "Personal Information Protection Law" last month, which is the country's first special law for the protection of personal data.
Hong Kong’s Personal Data Privacy Commissioner Zhong Liling recently wrote in a newspaper that it “reflects the latest international standards for the protection of personal information”, calling on Hong Kong companies carrying out personal data processing activities in the Mainland to understand and abide by the relevant regulations, and to promote the Privacy Commissioner The "Personal Information Protection Law" pamphlet published by the Office.
When the EU introduced the General Data Protection Regulation in April 2016, the then Privacy Commissioner Huang Jier also stated: “As long as Hong Kong institutions and companies are involved in the collection and processing of personal data of EU persons, they must comply with the General Data Protection Regulation. Prepared for the provisions of the "Regulations." After the EU "Regulations" came into effect in May 2018, the Commissioner’s Office has also launched related publications like this time for the Mainland’s "Personal Information Protection Law". ...Set an unprecedented high standard."
Privacy Commissioner Chung Liling.
(Profile picture)
Not classified sensitive information and compulsory disclosure notification
In fact, the Privacy Commissioner alone needs to remind Hong Kong companies to pay attention to compliance with the Mainland’s "Personal Information Protection Act" and the EU’s "General Data Protection Regulations", which in itself is sufficient to reflect that our own "Personal Data (Privacy) Ordinance" is under supervision. The use of personal data by enterprises and institutions is not strict enough.
If you carefully compare the contents of several personal data laws in Hong Kong, the mainland and the European Union, you can find that many provisions of the Hong Kong Privacy Ordinance are fundamentally backward and far away from the so-called international standards of personal data protection.
For example, Hong Kong law does not clearly distinguish between sensitive and non-sensitive personal data, but the Mainland regards biometrics, religious beliefs, specific identities, medical and health care, financial accounts, and whereabouts as "sensitive personal information." Data related to individual race, political opinions, religious beliefs, union status, genetics, biometrics, and sexual orientation are classified as "special categories," and all of them must meet more stringent conditions.
At the same time, both mainland China and the European Union force the handlers of data leakage incidents to report to the regulatory authorities, but Hong Kong does not have such regulations.
The European Union passed the General Data Protection Regulation (GDPR) in 2016 and implemented it in May 2018.
Among them, there are strict regulations on the use of personal data, including the government and enterprises.
The picture shows the conference on GDPR held in Brussels on June 24.
(Reuters)
Individuals have no right to request deletion or object to processing
In addition, the rights of Hong Kong data subjects are also significantly different from those of the Mainland and the European Union.
Under Hong Kong's "Privacy Ordinance", the parties only have the right to request the agency to access their own data, obtain copies of the data, and request correction of errors. However, Article 47 of the Mainland's "Personal Information Protection Law" stipulates that when the parties "personally withdraw their consent" "Personal information processors shall take the initiative to delete personal information; if the personal information processors have not deleted, individuals have the right to request deletion", and Article 17 of the EU General Data Protection Regulation also gives data subjects a similar "right to be forgotten" .
The Privacy Commissioner and the Office of the Commissioner’s Office actively introduced the Mainland’s "Personal Information Protection Law" and the EU’s "General Data Protection Regulation", reflecting that they also know that Hong Kong’s "Privacy Ordinance" is different from the two.
However, the Personal Data (Privacy) (Amendment) Bill 2021, which was introduced and passed not long ago, focused only on tackling the “prime” crime and did not have the opportunity to fill the aforementioned loopholes.
The Commissioner’s Office must communicate more with the authorities as soon as possible and continue to improve the legal system of personal data protection in Hong Kong so that it can catch up with national and international standards.
The legal risk of privacy protection in search arrangements needs to be clarified when Facebook is renamed Meta-a continuation or retrogression in the real world?
It's time for the Privacy Commissioner to change term and not be a "toothless tiger"
/cloudfront-eu-central-1.images.arcpublishing.com/prisa/Y3OO7L2MGUGR5X2A7MOEHZAMEM.jpg)
