[Hong Kong] Changes to Data Privacy Law


Originally published in The Bulletin – Hong Kong General Chamber of Commerce Monthly (May 2023)

Businesses should start preparing for a major strengthening of Hong Kong’s data privacy legislation, which is expected to take effect within the next year or so.

The changes were foreshadowed in a discussion paper presented by the Government to LegCo in January 2020. Just over three years later, on 20 February this year, the Privacy Commissioner for Personal Data (the “Privacy Commissioner”) announced that she and the Government intend to publish specific legislative proposals, and consult LegCo on them, in the second quarter of this year, i.e. by the end of June.

What are these proposed changes? Those likely to be of most concern to Hong Kong businesses are:

  • A significant strengthening of the sanctions for contravening the Personal Data (Privacy) Ordinance (the “PDPO”).

  • Compulsory reporting of significant data breaches to the Privacy Commissioner.

  • A new requirement on businesses to specify retention periods for different classes of personal data, and to publish their data retention policy.

  • Direct requirements on third party data processors to comply with the PDPO (at present the businesses holding personal data, the “data users”, are responsible for the actions of the third party contractors to whom they entrust the handling of that data; the contractors themselves are not liable).

This article looks at each of these proposed changes in turn.

Strengthening of Sanctions

Currently, the Privacy Commissioner cannot directly impose penalties on businesses that contravene the PDPO. The Commissioner must first serve an enforcement notice on the business, directing it to remedy the contravention. Only if the enforcement notice is breached can the Commissioner ask the court to impose a penalty on the business concerned.

Moreover, the maximum penalty for breaching an enforcement notice is relatively modest: a fine of HK$50,000.

The Government is proposing to change the law in two major respects. First, by giving the Commissioner the power to impose penalties directly, without first issuing an enforcement notice and without having to apply to the court for a penalty when an enforcement notice is breached. Secondly, by raising the maximum penalty: the Government proposes to link the maximum to the turnover of the business concerned, but what that maximum will be is not yet clear.

Compulsory Reporting of Significant Data Breaches

The Government is proposing a new requirement on businesses from which personal data is leaked, whether accidentally or deliberately (a so-called “data breach”), to report the breach to the Privacy Commissioner.

Currently there is no such requirement: the business is free to decide whether or not to report a data breach. The Government has suggested compulsory notification within five days of the data breach, although the business may be allowed an initial period to investigate the circumstances of the breach before the five-day period starts running.

Not all data breaches would have to be reported, only those where there is “a real risk of significant harm” to the individuals concerned. The Government has indicated that guidance will be issued on the factors to be taken into account in assessing whether there is a real risk of significant harm.

Data Retention Policies

Currently, the PDPO provides that data users shall take all practicable steps to ensure that personal data is not kept for longer than is necessary for the purpose for which it is to be used. It does not specify any particular retention periods.

Under the new proposals, however, data users will be required to set specific retention periods for particular categories of personal data, depending on the purposes for which the data is to be used (for example, compliance with taxation or employment law).

In addition, data users would be required to include a data retention policy in the personal data policy that they are already required to publish.

Direct Liability of Third Party Processors

Businesses often have to transfer the personal data they hold to third party contractors and entrust them with handling it. These contractors (or, in the Ordinance’s terminology, “processors”) could be, for example, storage companies (where the business itself lacks sufficient capacity to store the data), debt collection agencies, or companies with which the business is running joint promotional campaigns to customers.

Currently, the PDPO requires data users who engage such third party processors to use contractual or other means to ensure that the processors keep the personal data secure and do not retain it for longer than is necessary. If the data user fails to do this, or if the measures it has put in place fail, it is the data user that is potentially liable for contravening the PDPO, not the third party processor.

Given the increasing use of third party processors, the Government is proposing to impose direct liability on processors that fail to ensure the security of personal data or keep it for longer than is necessary.

If these requirements become law, third party processors will clearly need to make sure they have systems in place to comply with them. For data users, it is not yet clear whether their existing obligation to use contractual or other means to ensure the processors’ compliance will continue to apply. In other words, it is not clear whether, in the event of a data breach or of data being kept for longer than is necessary, the data user could be held liable for a contravention of the PDPO alongside the processor.

Conclusions

So far, only limited details of the Government’s proposals have been published, and several issues remain to be clarified. These include the maximum level of penalty, what will constitute a “real risk of significant harm” such as to trigger mandatory notification of a data breach to the Commissioner, and the respective liabilities of the data user and the data processor where the latter is responsible for a data breach. As noted above, the Government intends to present its specific proposals to LegCo in the second quarter of this year, and the devil may well be in the detail of those proposals.

Businesses would be well advised to monitor these developments closely, especially as the proposals have so far enjoyed considerable support among LegCo members and may therefore be expected to proceed swiftly through the legislative process.