bodyType

customContents

entityId

entityUuid

articlePageQuery

filter

article

articleBaseAdvertisingInfoArticle

articleListArticle

articleSeoArticle

helpersCheckIsPostiesArticle

hooksArticleAcknowledgementGateOverlayArticle

hooksTrackPageViewArticle

hooksContentInterestArticle

articleLinkingDataContent

articleSchemaContent

liveArticle

advertZone

sentiment

contentLock

topics

types

sections

moreOnThisArticles

urlAlias

commentCount

sponsorType

authorLocations

authors

paywallTypes

corrections

displaySlideShow

multimediaEmbed

printHeadline

seriesContainer

socialHeadline

headline

flag

firstTopic

glossary

flattenTypeIds

publishedDate

additionalInfoBoxes

images

image

relatedLinks

relatedNewsletters

__typename

createdDate

sponsor

factSheets

series

disableOffPlatformContent

published

updatedDate

summary

subHeadline

body

keywords

copyrighted

customTimezone

liveContents

Sum Lok-kei

The head of Hong Kong’s data privacy watchdog said on Tuesday that he would review a 22-year-old data protection law following a series of “major data leaks” in the city that affected more than half a million people.
As well as a recent hack into an inactive database owned by Hong Kong Broadband Network (HKBN) that held information on 380,000 customers, a number of cyberattacks also targeted databases belonging to travel agencies, involving some 220,000 clients.
Private information such as credit card details, home addresses, names and ID card numbers could have been compromised in the hacks.
Speaking on an online programme hosted by former lawmaker Emily Lau Wai-hing, Privacy Commissioner for Personal Data Stephen Wong Kai-yi said it was time to review the Personal Data (Privacy) Ordinance, which came into force in 1996.
The legislation was last updated in 2012, but with a focus only on direct marketing.

“The European Union has a new regulation next month, we also see some major data leaks in Hong Kong and [on an] international level … I think it is time,” Wong said.
The commissioner said his office would study if enough protection was provided to citizens, and also look at global trends.
Broadband provider to revamp way it stores customer information after data breach
Wong said the city’s ordinance was based on the EU’s Data Protection Directive, due to be replaced by the General Data Protection Regulation next month.
The commissioner also admitted his office’s enforcement power was lower than other regulatory bodies in other countries.
“Lawmakers think our enforcement power has to be increased. I see their point,” Wong said.
According to current regulations, a company will only be prosecuted if it refuses to take corrective measures to ensure the data privacy of its clients.

Violation of the Personal Data (Privacy) Ordinance can lead to a fine of HK$50,000 (US$6,375) and imprisonment for up to two years.
Apart from upping the penalty, which Wong said the public had called for, it was also important to teach companies to be ethical and respectful of clients’ data privacy, he said.
HKBN on Monday announced it would purge the data of 900,000 former customers and reduce its information retention period from seven years to six months in the wake of last week’s hack. Wong said he was satisfied with the remedial actions. 
Hong Kong privacy watchdog blasts electoral office for massive data breach
Wong also said the law “doesn’t say how long you can or you should keep personal data”, but added companies “should not retain or keep personal data longer than necessary”.
A spokesman from the Office of the Communications Authority did not say if HKBN’s new policy was in line with regulations, only that the company should ensure that it was.

Information technology sector lawmaker Charles Mok agreed the privacy law should be reviewed by increasing the penalty and punishing first-time – not just repeat – offenders.  
A spokeswoman for the Privacy Commissioner for Personal Data said it was important for companies to be transparent about their personal data policies and practices.
“Good governance dictates that organisations take heed of the increasing public concern that consumers’ personal data privacy should be properly protected,” she said.
She reminded consumers to read privacy policy statements before signing up for services.
A spokesman for the HKT Group, which owns internet service provider Netvigator, said customer data the group collects is used and retained in accordance with the ordinance and “applicable laws and regulations relating to data privacy”.
The spokesman, however, refused to disclose how long it kept customer records.
Hong Kong firms urged to sharpen focus on cybersecurity
A spokesman for internet service provider i-CABLE said it kept data of inactive customers for seven years.
“The data of individual customers will be deleted upon request,” he said, adding that the company reviews and updates its data protection policy on a regular basis.
The Inland Revenue Department said business records should be kept by companies for no less than seven years, including invoices, receipts, cash register tapes, banking records and cheque butts.
HKBN earlier admitted that it had mistakenly thought the seven-year rule for business records also extended to customer information.


China plans to have national data infrastructure in place by 2029

TikTok rival Kuaishou gets police warning over content moderation, child protections

Hong Kong firms urged to add AI tools to cybersecurity defences

China’s Xi pitches a ‘shared future in cyberspace’ at internet forum amid decoupling fears

Cybersecurity

Hong Kong’s privacy commissioner to review ageing data protection law after ‘major data leaks’

Hundreds of thousands of people have been affected by recent data leaks. Photo: Dickson Lee

Privacy Commissioner for Personal Data (Privacy Commissioner) Stephen Wong Kai-yi attends Privacy Commissioner End-of-year Media Gathering at the Office of the Privacy Commissioner for Personal Data in Wan Chai. 24JAN17 SCMP/ David Wong

Customers at the Hong Kong Broadband Network (HKBN) store in Fortress Hill. The company has disclosed that personal data of its customers were compromised in a hacking attack. 19APR18 SCMP / Dickson Lee

***ONE TIME USE ONLY*** BXT4XD A crdit card on a laptop

News

Hong Kong

Society

Move comes after more than half a million people in the city may have had their data stolen
