Could GDPR-style turnover fines be coming to Hong Kong? It's a strong possibility. Infosecurity Magazine reports as follows:
Hong Kong is set to follow the lead of European regulators in applying tougher penalties for data protection infractions, following a serious breach at airline Cathay Pacific in 2018.
Proposed amendments to the regional government’s Personal Data (Privacy) Ordinance, which cited the GDPR, would see fines levied as a percentage of global turnover, according to reports.
The privacy commissioner may even be given powers to levy fines immediately depending on the severity of an incident, without first needing to issue an enforcement notice.
The proposals would also mandate breach notifications to the commissioner within five days, a couple of days longer than GDPR rules but still an improvement on the current situation.
The breach of Hong Kong’s national carrier two years ago, which affected over nine million customers, shone a light on the inadequacies of the Special Administrative Region (SAR)’s existing data protection regime.
It took Cathay seven months to report the incident, although it was under no legal obligation to do so at all.
The privacy commissioner was powerless to levy fines: instead, the only option was an enforcement notice citing violation of privacy laws and ordering the firm to improve its cybersecurity posture. Failure to comply with the order leads to a fine of just HK$50,000 ($6433).
Rights groups have written to Hong Kong’s Legislative Council (LegCo), arguing that the proposals still don’t go far enough.
(Privacy press clipping sourced via Infosecurity Magazine)
Jurisdiction: Hong Kong SAR China
Deliberations by Hong Kong’s lawmakers are further evidence of the GDPR being regarded as the global ‘gold standard’ for privacy law. In particularly, legislators and policy makers are attracted to the large, dissuasive fines that the GDPR offers – up to 4% of global turnover. Privacy advocates would likely argue that the Hong Kong government is not serious about privacy unless serious fines are part of the package.
The main reasoning behind such fines is that they get CEOs and Boards to sit up and take notice. A 4% turnover fine, for instance, could easily make the difference between a loss or a profit in a given year and would have a clear balance sheet impact. Large fines also need to be reported to the market by publicly-listed companies when they are imposed.
The case in point for Hong Kong is reportedly the Cathay Pacific data breach, in which Turkey imposed a fine but the local privacy regulator was powerless to do so.