HK privacy watchdog mulls penalty mechanism for institutions’ data breaches

Hong Kong’s privacy watchdog is considering introducing an administrative penalty mechanism to punish institutions for privacy breaches.

This comes as the Office of the Privacy Commissioner for Personal Data (PCPD) has recorded 97 data breach incidents in the first half of the year. The ratio between the public and private sectors experiencing these breaches is 3:7, while the number of incidents increased by 70% in the second quarter.

Speaking on i-CABLE’s programme Let's Talk (有理有得傾), Ada Chung, the privacy commissioner for personal data, said there is a lack of security awareness among institutions when it comes to protecting personal data. The PCPD is studying amendments to the legislation that will allow it to directly penalise non-compliant institutions, thereby increasing the deterrent effect.

According to Chung, the proposed penalty mechanism will depend on various factors. These include determining the appropriate penalty amount, which will be based on the scale of the breach.

“The sensitivity of the data involved is also crucial, such as whether medical records are exposed, as well as whether the breach is due to the institution's error, an employee's mistake, or an isolated incident. All these elements will be taken into account comprehensively," she added.

Meanwhile, Chung said the PCPD has received around 600 inquiries from citizens over the past half-year. They are concerned about their personal data being stolen and used for fraudulent purposes. Many scammers often use text messages, emails, or phone calls to obtain personal information, sometimes even mentioning the recipient's name to build credibility.

A spokesperson from the PCPD told MARKETING-INTERACTIVE that implementing an administrative penalty mechanism would increase the deterrent effect of the Personal Data (Privacy) Ordinance (PDPO). "The PCPD would consult the government once the concrete proposals for legislative amendments are formulated."

Don’t miss: HK privacy watchdog releases first set of AI data protection guidelines

Back in June, the PCPD released the city’s first set of personal data protection guidelines for companies using generative AI services, so that organisations can harness the benefits of AI while safeguarding personal data privacy.

Chung said on the programme that, some people may inadvertently provide personal information to AI systems. Once this data is stored, it depends on the algorithm used. If a third-party user then queries the AI system, the systems may provide that personal data to the third party, which would constitute a data breach incident.

Related articles:

HK privacy watchdog orders crypto project Worldcoin to cease operations
Meta should allow users to opt out of targeted advertising for free, says EU privacy watchdog
HK privacy watchdog opens probe into Worldcoin amidst iris-scanning fears