The past decade has seen a huge increase in the incidents of cyber crime in Hong Kong. Non-reliance and exclusion: All Content is for informational purposes only and may not reflect the most current legal and regulatory developments. To the extent that this Content may qualify as Attorney Advertising, PRIOR RESULTS DO NOT GUARANTEE A SIMILAR OUTCOME. This country-specific Q&A provides an overview of Data Protection & Cyber Security Law laws and regulations applicable in Hong Kong. Part 6A of the PDPO requires that data users must obtain explicit informed consent of a data subject before using the data subjects personal data for direct marketing or transferring the data to a third party for direct marketing. The Securities and Futures Commission (SFC) has also issued guidance and FAQs and circulars on cybersecurity most recently in relation to internet trading, remote office arrangements, and use of external electronic data storage. She also covered the Umbrella Movement for AP and reported for a newspaper in France. making telephone calls to specific persons. There are also sector-specific guidelines, such as the Guideline on Medical Insurance Business, which advises that authorised insurers and licenses insurance intermediaries should at all times, exercise due care and diligence in collecting, handling, storing, using, transferring and erasing customers personal data and comply with the PDPO and its guidance. However, the PCPD has published certain codes and guidelines regarding the collection and use of certain types of personal data which will require special attention (including Hong Kong identity cards, biometric data and consumer credit data see further question 7 below). Provision of Personal Data to a Third Party for Direct Marketing Purposes. Non-compliance with any mandatory provisions of the Code will count unfavourably against the data user both in any investigation before the PCPD, and in any judicial case related to any alleged breach of the PDPO. Prudence worked as an intern at several international law firms in Hong Kong and mainland . The Hong Kong government is planning a new law designed to make the operators of public utilities and other crucial infrastructure step up security against cyber attacks. Hong Kong PDPO Compliance and Cybersecurity Read Time: 5 min. We are expecting further updates and guidance around cybersecurity and cybercrime legislation. The publication examines the key highlights, challenges and considerations of the Law, which focus on areas like personal information protection, critical information infrastructure, network operators, preservation of sensitive information, the . On November 14, the Cyberspace Administration of China (CAC) released the draft Regulations on the Administration of Network Data Security . Further guidance can be found in the PCPDs Guidance for Data Users on the Collection and Use of Personal Data through the Internet. the offering, or advertising of the availability, of goods, facilities or services; or. Data protection authority The Office of the Privacy Commissioner for Personal Data www.pcpd.org.hk 3. The past decade has seen a huge increase in the incidence of cyber crime in Hong Kong. Extending the scope of the PDPO to identifiable persons. The Content may contain links to external websites and external websites may link to the Content. 486). In determining what constitutes practicable steps, the data user should consider: There is no statutory definition of security breaches. Organisations may need to appoint a DPO or representative under any other laws to which their activities may be subject (such as PRC law). The law has attracted significant attention and criticism from foreign companies. the solicitation of donations or contributions for charitable, cultural, philanthropic, recreational, political of other purposes. While data processors are not subject to the PDPO, data users that use data processors to process personal data on their behalf (or for their purposes) are liable for any violations of the PDPO by the data processor as if they were processing the personal data themselves. A data users right to audit and inspect how the data processor handles and stores personal data. The PCPD has published Guidance for Mobile Service Operators, providing practical guidance to mobile service operators to comply with the PDPO in their business operations e.g. Our dedicated global practice is composed of more than 80 information governance, privacy and cybersecurity lawyers based in many of the world's key risk jurisdictions. Long before the Cybersecurity Law took effect, China had already made some efforts to strengthen information security. No. The general rule is that damages must compensate for actual loss, but s.66(2) of the PDPO also allows for claims for damages in respect of injury to feelings. US$1,300 US$1.3 million) and/or imprisonment for up to 6 months 5 years. The Draft Regulations are intended to implement portions of three existing laws: the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law. It recommends that Hong Kong courts should have jurisdiction where there is a nexus to Hong Kong (e.g., where the victim is from Hong Kong or where damages are incurred in Hong Kong). The key personal data protection framework in Hong Kong is in the PDPO. The PDPO does not use the definition data controller. While it has yet to be determined which infrastructure or companies are considered critical, they may include public utilities, internet service providers and transport, government sources told HKFP. The exemptions applicable in each circumstance are different, and it is advisable to review the table published by the PCPD summarising the exemptions. In a typical CEO fraud scam, the scammer would usually get a good working understanding of the company's hierarchy and its money, trade and logistical movement patterns. The offence is punishable by a fine of HK$20,000. Cybersecurity. Under the New Cybercrime Offences, such a scam would constitute offences of illegal access to programs or data, illegal interception of computer data, and illegal interference of computer data. CII operators may need to undertake a significant exercise to ensure compliance with the new legislation. any person disclosing personal data obtained, without consent from the data user with intent to gain or cause loss to the data subject, or where the disclosure causes psychological harm to the data subject, is liable to a fine of up to HKD1,000,000 and imprisonment for up to 5 years (s.64 of the PDPO). A guide to Hong Kong's cybersecurity laws and practices Matt Bower 21 June 2021 The past decade has seen a huge increase in the incidence of cyber crime in Hong Kong. This report provides an overview of China's Cybersecurity Law, which was adopted in November 2016 and will come into effect on 1 June 2017. 625) regulates the collection, sharing, use and safe-keeping of patients health data under the Electronic Health Record Sharing System. Responses to the Consultation Paper are due on 19 October 2022. The past decade has seen a huge increase in the incidence of cyber crime in Hong Kong. The Circular sets out the SFC's key areas of concern and recommended cybersecurity controls which the LCs are expected to follow. A Q&A covering the essentials of cybersecurity in Hong Kong, including key legislation, enforcement and best practices. The past decade has seen a huge increase in the incidence of cybercrime in Hong Kong. This chapter discusses recent data privacy and cybersecurity developments in Hong Kong from July 2021 to June 2022. However, these provisions have never been brought into effect. Personal data held by a court, a magistrate or a judicial officer in the course of performing judicial functions; Personal data relating to staff planning and personal references; Personal data held for the purposes of prevention or detection of crime, the apprehension, prosecution or detention of offenders and other similar provisions; Where personal data is disclosed to a data user involved in news activity and the disclosing person has reasonable grounds to believe (and reasonably believes) that the publishing or broadcasting is in the public interest; and. Yes, the PDPO draws a distinction between data users and data processors (see question 3 above). The PCPD has prepared a table summarising the various offences under PDPO and their respective penalties. Putting in place a comprehensive incident response plan. In addition to the general requirements of the PDPO, the Electronic Health Record Sharing System Ordinance (Cap. Something went wrong. While the PDPO is sometimes viewed as Hong Kong's cybersecurity law, it is in fact technology neutral and covers personal data presented in any format and form, not just digital content. A data processor can also be a data user if it decides the purpose for and manner in which personal data is to be processed (rather than simply the technical methods by which a data users instructions will be carried out). However, if there is a relationship of reward linking the payment and the commission of the offence, the payment may qualify under OSCO. Whilst these Guidelines do not have the force of law, they are taken into account by the Insurance Authority when considering fitness and properness of the directors or controllers of authorised insurers to which the Guidelines apply, and non-compliance may impact upon this. Such developments in the cyberspace stem from Hong Kong's duty under Article 9 of the National Security Law to take necessary measures to strengthen regulation over matters concerning national security (including the internet) and the potential criminal exploitation of the rapid developments in information technology, computer and computer data. Section 25 of the Organised and Serious Crimes Ordinance (Cap. a) National Cyber Security Committee. The number of cybercrime reports rose from 2,206 in 2011 to 16,159 in 2021. The PDPO does not contain specific provisions relating to childrens personal data, although the PDPO and the DPPs apply equally to such data. The introduction of the New Cybercrime Offences will provide the law enforcement agencies, and hence entities/individuals impacted by cybercrimes, with enhanced tools to pursue the perpetrators. Risk advice We help clients manage legal risks related to cybersecurity, privacy, data governance, eDiscovery, information technology, eCommerce and intellectual property. The PDPO has been under review since the publication of a government paper in January 2020 (LC Paper No CB(2)512/19-20(03)), to strengthen the protection of data subjects. Whether a security breach must be notified to the SFC will therefore depend on the extent and impact of the breach. The Cybersecurity Law of the People's Republic of China, ( Chinese: ) commonly referred to as the Chinese Cybersecurity Law, was enacted by the National People's Congress with the aim of increasing data protection, data localization, and cybersecurity ostensibly in the interest of national security. For example, a white paper titled The Internet in China, published in 2010, served as an early guide The amendments fall into three categories: The Amendment Ordinance provides new two-tier doxxing offences as follows: Other proposed amendments to the PDPO were not included in the final Amendment Ordinance. This includes where a data user contravenes the requirements of an enforcement notice. An officer authorised by the PCPD may, without warrant and with the use of reasonable force, stop, search and arrest any person whom the officer reasonably suspects to have committed doxxing-related offences under the PDPO. Search regulations by topic. Under the "one country, two systems" approach, Hong Kong is an entirely separate jurisdiction from Mainland China and has its own privacy and cybersecurity laws. Watch this space for updates to the proposed regimes. Section 161 of the Crimes Ordinance (Cap. The PCPDs review of the PDPO includes the potential introduction of mandatory data breach notifications to both the PCPD and data subjects within a specified timeframe (still to be set). 2. International Legal Framework for Cyber Security 2.1 Political Agendas and International Law Cyber security is now routinely cited and consistently placed on the top of political agendas. Hong Kong, found on the south coast of China, the country is one of the two Special Administrative Regions in the Republic of China. II Overview of regulations related to cyber breaches in China, including Hong Kong. Our seasoned . Under the new Measures, network platform companies with access to the personal information of more than one . 2022 Hong Kong news - Independent, non-profit, impartial. Offences of a less serious nature may be dealt with summarily with a jail term of two years or less. A data user must comply with the data access or correction requests within 40 calendar days of receipt, and if the data user is unable to comply with the requests within this period, a written notice of the inability and reasons must be given to the data subject, and the data user must comply with the request as soon as practicable (ss.19 and 23 of the PDPO). where there was a reasonable belief that the disclosure was necessary for preventing or detecting crime; where there was a reasonable belief that the data subject gave their consent to the disclosure; where there was a reasonable belief that disclosure was in the public interest and was made for news activity purposes; and. If the data subject subsequently requires the data user to stop using his personal data for direct marketing purposes, the data user must immediately stop that use (s.35G of the PDPO). The Content is protected under international copyright conventions. Individual data privacy rights can be enforced by either: Yes. Different offences are scattered over various ordinances, including the following: The New Cybercrime Offences are as follows: The New Cybercrime Offences, except for illegal interception of computer data, come in an aggravated form if further criminal activities or a high degree of severity is involved. The PCPD has published a Code of Practice on Consumer Credit Data (which provides practical guidance to data users in handling the collection, accuracy, use, security and access, and correction related to personal data of applicants for consumer credit), and Guidance on the Proper Handling of Customers Personal Data for the Banking Industry (which provides practical guidance to the banking industry on understanding and complying with relevant data protection requirements under the PDPO, and suggested best practice for the collection, accuracy, retention, use, security of and access to customers personal data). 2. Below are some examples of criminal offences under the PDPO and their respective penalties: The sanctions introduced by the Amendment Ordinance in relation to the two-tier doxxing offences are set out in question 1 above. a data user using personal data in direct marketing without the data subjects consent (s.35E(4) of the PDPO) or without giving notice to the data subject (s.35C(5) of the PDPO) is liable to a fine of up to HKD500,000 and imprisonment for up to 3 years; a data user providing personal data to a third party for direct marketing purposes in exchange for gain, without giving notice to the data subject, is liable to a fine of up to HKD1,000,000 and imprisonment for up to 5 years (s.35J of the PDPO); a data user contravening an enforcement notice is liable to (s.50A of the PDPO): on first conviction a fine of up to HKD50,000 and imprisonment for up to 2 years, and a daily penalty of HKD1,000 if the offence continues; and. the purposes for which the personal data will be used; whether supplying the personal data is obligatory or voluntary and the consequences for failing to supply obligatory information; the classes of persons to whom personal data may be transferred or disclosed; if applicable, information about the use and/or provision of personal data for direct marketing; and. 13 These specific provisions relate to the Crimes Ordinance, the Telecommunications Ordinance and laws related to obscenity and child pornography. It also covers the powers available to the Privacy Commissioner for Personal Data, Hong Kongs personal data privacy regulator, and what organisations should do if a breach occurs. Although the PCPD has a statutory obligation to conduct an investigation upon receipt of a complaint, the PCPD may refuse to conduct, or can decide to terminate, an investigation initiated by a complaint under certain circumstances (s.39 of the PDPO) including: In practice, before starting a formal investigation the PCPD may conduct an informal compliance check. This website uses cookies to improve your experience. On August 20, 2021, the 30th session of the Standing Committee of the 13th National People's Congress (NPC) adopted China's new PRC Personal Information Protection Law (PIPL) 1, which will take effect on November 1, 2021. The PCPD recommends that organisations: Online tracking information held by data users should be accurate, should not be kept for longer than necessary, and should only be used for the purposes originally stated at the time of collection. However, the PCPDs Guidance on Outsourcing the Processing of Personal Data to Data Processors recommends keeping records of all personal data transferred to a third party for processing.

How To Combine Modpacks On Curseforge, Steel I Beam Load Capacity Calculator, Novelist Scott Crossword, Diatomaceous Earth For Fungus Gnats In Houseplants, Freshwater Environment Characteristics, Suncast Border Stone Edging 10 Ft,