Legal And Market Insights - New Regulation And Headlines Around Data Protection & Cybersecurity

Legal News & Analysis - Asia Pacific - Hong Kong - China - Cybersecurity - Regulatory & Compliance

26 September, 2019




Cyberspace Administration of China invites public comments on draft Measures on Security Assessment of the Cross-border Transfer of Personal Information


On 13 June 2019, CAC invited a new round of public comments on the draft Measures following earlier invitations. The Measures were promulgated in light of the controversial data localisation requirement introduced by China's Cybersecurity Law which came into effect on 1 June 2017. The Measures, if enacted, would reinforce the requirement by requiring all "network operators" in China, broadly defined as network owners, managers and service providers, to apply to local authorities for security assessment and seek their approval prior to any cross-border transfer of personal information. Local authorities would be given powers to ban any transfer which may endanger national security or public interest or which ineffectively safeguards personal information. The wide application of the Measures and their intricate criteria of security assessment may significantly impact cross-border flows of personal information from China.


CAC announces implementation of the Regulation on Children's Personal Information and Online Protection in October 2019


On 22 August 2019, CAC announced that the Regulation will come into force on 1 October 2019. The Regulation would require network operators in China to comply with specific requirements on personal information collection, retention, use, disclosure and transfer when processing personal information of children under the age of 14. Operators should process information in compliance with principles of legitimacy and necessity, consent, purpose specification, security protection and lawful use. Hong Kong's Personal Data (Privacy) Ordinance (Cap. 486), in comparison, does not carve out a separate regulatory regime for children. The Regulation also imposes certain obligations on network operators which are not present in the Ordinance, including reporting breach incidents to supervisory authorities and affected data subjects, adhering to information deletion requests, and conducting security assessment prior to transferring information to third parties.


Hong Kong


Takeaways from Hong Kong Privacy Commissioner's keynote speech in Singapore 2019 Asia Privacy Forum of the IAPP


On 15 July 2019, Hong Kong Privacy Commissioner Mr. Stephen Kai-yi WONG gave an opening keynote speech at the Singapore 2019 Asia Privacy Forum of the International Association of Privacy Professionals (full text here). The Commissioner noted that given the legislative fragmentation in global data protection and rapid ICT developments, meeting regulatory requirements alone would not be effective enough for businesses to adequately protect personal data privacy and meet individuals’ expectations. Instead, businesses should engineer accountability and data ethics into their operations and strengthen their corporate governance to protect privacy. The Commissioner also remarked on how Hong Kong's comprehensive data protection law has transformed Hong Kong into China's regional data hub and an innovation centre.


Hong Kong Privacy Commissioner publishes the investigation report on Cathay's data breach incident


On 6 June 2019, Hong Kong Privacy Commissioner Mr. Stephen Kai-yi WONG published an investigation report on the data breach incident involving the personal data of approximately 9.4 million passengers of Cathay Pacific Airways Limited and Hong Kong Dragon Airlines Limited. The companies were found to have breached their obligations on retention and security under Hong Kong's Personal Data (Privacy) Ordinance (Cap. 486), as well has being found to have a lax attitude towards data governance which fell well short of community and regulator expectation, and were directed to take remedial actions as specified in the Commissioner's enforcement notice.


Notably, despite there being no statutory requirement on data breach notification currently in Hong Kong, the Commissioner remarked that the companies could have had given earlier notification to affected passengers to meet their legitimate expectations. It has been reported that several class action lawyers in the US and Europe have been preparing class action claims against Cathay Pacific since the data breach was announced, moves that will only be encouraged by the Commissioner’s findings.



For further information, please contact:


John Koh, Director, Osborne Clarke