Cloud Computing and Personal Data Privacy
Bottom Line
• Organisations are fully responsible for personal data protection
• Organisations need to maintain control
• Outsourcing data processing ≠ outsourcing legal responsibility
Cybersecurity Law
Mainland’s Data Protection Regime
Mainland’s Cybersecurity Law
• Effective on 1 June 2017
• Does not apply in HK
Objectives [Art. 1]:
• Guarantee cybersecurity
• Safeguard cyberspace sovereignty
• Safeguard national security and public interest
• Protect lawful rights and interests of citizens, legal persons and other orgs.
• Promote sound development of economic and social informatisation
Mainland’s Cybersecurity Law
Scope of Application:
How May Cybersecurity Law Affect Hong Kong Businesses?
• Processing of personal data by a Hong Kong-based business is regulated by Hong Kong’s Personal Data (Privacy) Ordinance, but not Mainland’s Cybersecurity Law
Unless
• The processing also involves construction, operation, maintenance or use of networks in the mainland of China
Then
• Both the Personal Data (Privacy) Ordinance and the Cybersecurity Law may apply to the processing activities
Comparison between
Cybersecurity Law and PDPO
Collection & Use
Comparison between
Cybersecurity Law and PDPO
Cross-border Data Transfer
What is Critical Information
Infrastructure under Cybersecurity Law?
Examples of Critical Information Infrastructure
(CII) under Cybersecurity Law:
PDPO – GDPR Comparative Study
Background
• Keep abreast of overseas privacy law developments
PDPO – GDPR Comparative Study
Major differences between PDPO and GDPR:

Application
  EU: Data processors or controllers:
    • processing personal data in the context of activities of EU establishments, or
    • with an establishment in the EU, or
    • established outside the EU, that offer goods or services to, or monitor the behaviour of, individuals in the EU. [Art 3]
  HK: Data users (controllers/processors) who, either alone or jointly or in common with other persons, control the collection, holding, processing or use of the personal data in or from Hong Kong. [s.2(1)]

Personal Data
  EU: "Personal data" means
    • any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly.
    • examples of personal data explicitly identified are extended to include location data and online identifiers. [Art 4(1)]
  HK: "Personal data" means any data –
    • relating directly or indirectly to a living individual;
    • from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and
    • in a form in which access to or processing of the data is practicable. [s.2(1)]

Sensitive Personal Data
  EU: Category of sensitive personal data expanded. Processing of sensitive personal data is allowed only under specific circumstances. [Art 9]
  HK: No distinction between sensitive and non-sensitive personal data for all purposes.

Consent
  EU: Consent must be
    • freely given, specific and informed;
    • an unambiguous indication of a data subject's wishes, by statement or by clear affirmative action, which signifies agreement [Art 4(11)]; and
    • given by a child below 16 (or 13) with parental authorisation.
  HK: Consent is not a pre-requisite for the collection of personal data, unless the personal data is used for a new purpose. [DPP1 & 3] For other purposes, where consent is also required, consent means express and voluntary consent. No requirement for parental consent.

Breach Notification
  EU: Data controllers are required to notify the authority of a data breach without undue delay (exceptions apply). Data controllers are required to notify affected data subjects if the breach is likely to result in high risk to the rights and interests of the data subjects, unless exempted. [Arts 33-34]
  HK: No mandatory requirement, but notification to the Privacy Commissioner (and data subjects, where appropriate) is recommended in the interest of all stakeholders, including data users/controllers and subjects.

Data Processors
  EU: Data processors are additionally obliged to maintain records of processing, ensure security of processing, report data breaches, designate Data Protection Officers, etc. [Arts 30, 32-33, 37]
  HK: Data processors are not directly regulated. [s.2(12)] Data users are required to adopt contractual or other means to ensure data processors' compliance. [DPP2(3) & DPP4(2)]

New and Enhanced Rights for Data Subjects
  EU:
    • Right to notice on data processing. [Art 13-14]
    • Right to erasure of personal data ("right to be forgotten"). [Art 17]
    • Right to restriction of processing and data portability. [Art 18, 20]
    • Right to object to processing (including profiling). [Art 21]
  HK:
    • Less extensive notice requirements for data users/controllers (processors).
    • No right to erasure, but data shall not be retained longer than necessary. [s.26 & DPP 2(2)]
    • No right to restriction of processing and data portability, but data access and correction requests must be complied with. [DPP6, Part 5]
    • No right to object to processing (including profiling), but may opt out from direct marketing activities [ss.35G & 35L], and PDPO contains provisions regulating data matching procedure. [ss.30-31]

Certification, Seals, and Codes of Conduct
  EU: Mechanisms are explicitly recognised and established for demonstrating compliance by data controllers and processors. [Art 42]
  HK: No formal recognition of certification or privacy seal mechanisms for demonstrating compliance. The Privacy Commissioner may approve and issue a code of practice after consultation. [s.12]
  Industry resources:
    • Code of Conduct for GDPR Compliance (issued by the Cloud Security Alliance (CSA) in Nov 2017): https://gdpr.cloudsecurityalliance.org/
    • EU Cloud Code of Conduct (May 2017): https://eucoc.cloud/en/home.html

Cross-jurisdiction Data Transfer
  EU: Certification and adherence to approved codes of conduct are explicitly made one of the legal bases for transfer. [Art 46]
  HK: Certification and adherence to an approved code of practice are not explicitly made a legal basis.
“European Union General Data Protection Regulation 2016” Booklet
www.pcpd.org.hk//tc_chi/resources_centre/publications/files/eugdpr_c.pdf www.pcpd.org.hk//english/resources_centre/publications/files/eugdpr_e.pdf
Access by Law Enforcement
Agencies
United States v Microsoft
(US Supreme Court case)

EU proposal on cross-border access to electronic evidence:
• Objective: to make it easier and faster for police and judicial authorities to access the electronic evidence (e.g., emails, texts or messaging apps) they need in investigations
• A judicial authority in one Member State can obtain electronic evidence directly from a service provider (or its legal representative) in another Member State, regardless of the location of the data
• Service providers are obliged to respond within 10 days, and within 6 hours in cases of emergency
• A service provider that offers services in the EU but without a presence in the EU is still subject to the same obligations
Accountability & Ethics
Mishandling of Personal Data
• Profiling
• Re-identification
• Inaccurate inferences and predictions (✘ data accuracy)
• Filter bubble
• Interference in elections…
Why Accountability?
[Diagram: Regulator / Company]
Mechanics of Accountability
Accountability?
• Voluntary/Self-Regulatory: Education → Incentivise
• or Mandatory
Data Ethics and Trust
Data Ethical Obligations:
• No Surprise to Consumers
• No Harm to Consumers
Building Confidence and Trust
Short term actions for data users:
• Be transparent
• Obtain meaningful consent
• Report data security incidents without delay
European Union “General Data Protection Regulation 2016” Booklet – Chinese version
European Union “General Data Protection Regulation 2016” Booklet – English version