Date: 28 September 2017
Connecting West with East in Protecting and Respecting Data Privacy Equitable Data Privacy Right Advocated
(28 September 2017, Hong Kong) The office of the Privacy Commissioner for Personal Data, Hong Kong (“PCPD”) is honoured to host The 39th
International Conference of Data Protection and Privacy Commissioners (“ICDPPC”) at Kowloon Shangri-La, Hong Kong from 25 to 29 September 2017. With the theme “Connecting West with East in Protecting and Respecting Data Privacy
”, the Conference has brought together more than 750 representatives from Data Protection Authorities (“DPAs”), policy makers, government and business leaders, information and communications technology (“ICT”) professionals as well as academia and privacy advocates from over 60 countries or regions for in-depth discussions on emerging issues on data protection, exchanging innovative strategies and ideas as well as addressing future challenges.
The Guest of Honour and Secretary for Justice of Hong Kong SAR, The Honourable Rimsky Kwok-keung YUEN, kicked off the Open Session of the ICDPPC today, in which local members of the public participated, together with the Chair of ICDPPC Mr John Edwards and the Privacy Commissioner for Personal Data, Hong Kong (“Privacy Commissioner”) Mr Stephen Kai-yi WONG.
In his welcoming remarks, the Privacy Commissioner started by saying, “I am most encouraged to see many of the participants here today come from the emerging economies in the region.”
The Privacy Commissioner continued to say, “We in Hong Kong and the mainland of China have had a data evolution. Out of its population of 7.4 million, Hong Kong has 14.5 million mobile SIM cards in active use, of which 7.5 million with 4G services. In both Hong Kong and the mainland China, extensive use of ICT has led to the creation of location data or metadata in a massive scale and at an unprecedented speed. Extensive collection of personal data, in conjunction with sophisticated data mining and profiling techniques, may expose your innermost secrets, or intimate space, and the results of the analytics can often be biased or embarrassing, often without your knowing it.” He further quoted a case in Hong Kong where data was unfairly collected and used and insecurely transmitted in activities relating to the election of Hong Kong’s Chief Executive, and said he would issue revised guidelines in relation to election activities involving personal data and digital identity management.
The Privacy Commissioner elaborated that the global privacy landscape has changed phenomenally since the implementation of the 1980 OCED Guidelines and the EU Data Protection Directive 1995 which shaped many data protection regimes, including the one in Hong Kong. “The key challenge is how to apply the core principles in data privacy protection which value individual’s autonomy and control over his personal data when facing the reality.” The Privacy Commissioner took this opportunity to share the initial observations of a comparative study carried out by his office between the European Union (“EU”)’s General Data Protection Regulation (“GDPR”) (which will come into effect in May next year) and the Personal Data (Privacy) Ordinance with the Conference attendants, with areas of “notice and consent”, “accountability”, “sanction” and “extra-territorial application” covered. He said his office will publish guidance and organise seminars to help organisations understand the GDPR’s standards.
For “notice and consent”, given the notion has been incorporated under the current Hong Kong law, the Privacy Commissioner envisaged that there is no pressing need to change the law. “That said, we are mindful that data subjects should be given realistic and informed choices, so that there will not be any surprise.” The Privacy Commissioner said.
Regarding Accountability, the Privacy Commissioner further illustrated that “accountability and governance may well be a way out for data protection in the ICT age. Although the accountability principle is not expressed in our law, my office has launched the Privacy Management Programme to encourage organisations to adopt a paradigm shift from compliance to accountability. Explicitly incorporating the accountability principle and certification regime in our law are worthy of further exploring.”
For Sanction, The Privacy Commissioner shared that the EU’s GDPR has set a good example for the legal framework of penalising breaches, with an administrative fine up to 20 million Euros, or 4% of the total worldwide annual turnover of preceding financial year, whichever is higher, shall be imposed for serious breaches of the GDPR. “This is an area that we as regulator in Hong Kong would like to revisit with a view to taking the case further.” The Privacy Commissioner said.
The Privacy Commissioner also raised that the GDPR has explicitly strengthened its scope to non-EU organisations so long as the processing activities are targeting the EU data subjects. When personal data privacy protection becomes borderless, interoperability of data protection laws and cooperation of data protection authorities are crucial. To conclude on extra-territorial application, the Privacy Commissioner said: “International cooperation should not be limited to enforcement, but also promotion and facilitation of compliance.”
Belt and Road initiative
The Privacy Commissioner stated that cross border or cross boundary flows of personal data originating from jurisdictions with different cultural backgrounds and regulatory regimes is envisaged: “Given the irreplaceable attribute of Hong Kong in respect of the free flow of information, which finds its enabling environment on the protection of freedoms and human rights as guaranteed under the Basic Law, including the working implementation of our data protection law and framework, we are well poised to help make Hong Kong the Belt and Road Data Centre within one country but outside the jurisdiction of the mainland of China, if not a global Data Hub.”
From Structure to Culture and Ethics
The Privacy Commissioner stressed: “Given that data is a sustainable resource, we need to have trust. One of our common values is without a doubt the interoperability and interconnectivity to ensure that personal data privacy is not only duly protected but also duly respected. This requires the engagement of all parties – individuals (the data subjects), organisations (the data users, controllers or processors) and the regulators.”
To conclude, Mr Wong said, “meeting the legal requirements of compliance and accountability to recognise the intrinsic values of data privacy rights would be improved by the ethical approach including a fair and ethical use or processing of data. Data users need to add value beyond just complying with the regulations. Perhaps it is high time we developed an equitable data privacy right for all stakeholders.”
The five-day Conference consisted of two major parts: a Closed Session for the ICDPPC members and observers, and an Open Session (28 and 29 September) to be attended by all in the data protection community including data controllers, privacy related enterprises, business entities, professionals and academia. It presented an international panel of 60 distinguished speakers, panellists and moderators.
Four main themes will be emerged from the Open Session to be held today and tomorrow (28 and 29 September):
1) Data Protection in Asia
– Prominent speakers and privacy regulators from a number of Asian authorities will highlight the features of privacy culture and the data protection regimes in their own jurisdictions. Differences in privacy culture between the West and the East, changes in public views on privacy, and whether western models of data protection are applicable, and being applied, in Asia and other parts of the world will also be discussed.
2) Notice and Consent
- Break-out sessions covering topics on “Notice and consent from India to Japan”, “Bridge building”, “Accountability at the basis for governance when consent is not enough” and “Latin America’s way to deal with the governance when consent is not effective” will be staged, followed by a plenary session that will bring together all the ideas raised during the break-out sessions.
3) Cross-border Data Transfer
– Interplay between personal data protection and cross-border / boundaries data transfer, focusing especially on data transfers to and from Asia and other regions of the globe will be discussed. A case study of Hong Kong to explain the essentials of a global data hub will also be covered.
4) Challenges of New Technology
– Topics to be covered would include AI, digital economy, cybersecurity, digital identity management, privacy and encryption and human right defenders.
The ICDPPC was first convened in 1979 and has enjoyed the reputation of a major event in the privacy world. This year, the Conference is held again in Hong Kong after 18 years, and is included as one of the celebration events of the 20th
anniversary of the establishment of the Hong Kong SAR.
- END -
For more information about The 39th
ICDPPC, please visit: https://www.privacyconference2017.org
Photo 1：The Guest of Honour and Secretary for Justice of Hong Kong SAR, The Honourable Rimsky Kwok-keung YUEN (middle), kicked off the Open Session of The 39th International Conference of Data Protection and Privacy Commissioners (ICDPPC) today (28 September 2017), together with the Chair of ICDPPC Mr John EDWARDS (left) and the Privacy Commissioner for Personal Data, Hong Kong Mr Stephen Kai-yi WONG (right).
Photo 2：The Guest of Honour and Secretary for Justice of Hong Kong SAR, The Honourable Rimsky Kwok-keung YUEN, delivered the opening speech at the ICDPPC.
Photo 3：Privacy Commissioner for Personal Data, Hong Kong Mr Stephen Kai-yi WONG delivered the welcoming remarks at the ICDPPC.
Photo 4：This year, The ICDPPC has brought together more than 750 representatives from Data Protection Authorities, policy makers, government and business leaders, information and communications technology professionals as well as academia and privacy advocates from over 60 countries or regions to Hong Kong.