The End of an Era: Outgoing Hong Kong Privacy Commissioner in Flurry of Activity in Last Months in Office

Gabriela Kennedy, Partner, and Karen H.F. Lee, Associate, Mayer Brown JSM, Hong Kong

On 4 August 2015, Mr. Stephen Kai-Yi Wong took office as the new Privacy Commissioner of Hong Kong. Mr. Wong replaced Mr. Allan Yan-Wang Chiang, following the completion of his five year term.

Leaving with a Bang

Former Privacy Commissioner, Allan Chiang, kept himself very busy in the months leading up to the end of his term in the office. In July 2015 alone, his office issued: (i) an Information Leaflet on minimising data privacy risks when using smartphones; (ii) an Information Leaflet on cloud computing; (iii) a Guidance Note on the collection and use of biometric data; and (iv) a media statement urging the government to tighten controls over the protection of personal data on public registers in the current era of big data.

Mr. Chiang’s tenure as the Privacy Commissioner will be remembered for:

  • The launch of the Privacy Management Programme on 18February 2014, an initiative that encourages organisations to proactively embrace personal data protection as part of their general corporate governance responsibilities, rather than merely as a legal compliance issue;
  • Active participation in the Asia-Pacific Economic Cooperation (“APEC”) activities, including assisting in the drafting of the Cross Border Privacy Rules in 2011, as part of the APEC Data Privacy Framework, which promotes a consistent approach to data privacy protection in the Asia Pacific region.
  • Issuance of 17 Guidance Notes, eight Information Leaflets, one Code of Practice and two explanatory documents, many of which relate to technological advancements and their impact on data privacy (eg, mobile apps, biometric data, drones, cloud computing, use of public data) and the provision of specific guidance to certain industries (eg, the banking and finance industry, information technology service providers, the insurance industry, etc);
  • Active enforcement of the legislation, with 31 Investigation Reports out of the 44 Investigation Reports ever issued since the Personal Data (Privacy) Ordinance (“PDPO”) was enacted, being issued during Mr.Chiang’s five year tenure, with the actual number of enforcement notices peaking at 90 for the year 2014. The apex of enforcement actions was the Investigation Report that was triggered by the Octopus cards debacle, which led to amendments to the PDPO, and the referral of cases for prosecution, notably the one resulting in the first imprisonment ever for a breach of the PDPO, as a result of a false statement made during an investigation (an offence under S.50B(1)(c)(i) of the PDPO).

A New Era?

Since the changing of the guards on 4 August 2015, the Office of the Privacy Commissioner has issued the Guidance Note on Electioneering Activities (no doubt a nod in the direction of the upcoming District Council elections), and has issued statements in connection with the much publicised first conviction for a breach of the direct marketing provisions. In media interviews, the new Privacy Commissioner has stressed the need to balance the protection of individuals’ rights with safeguarding the role of Hong Kong in the global marketplace by maintaining a free flow of information. A significant emphasis will be placed on educating businesses, with the aim of moving the needle from compliance to accountability. These are well-known tunes, but the magic, as in music, will lie in their “arrangement” and the skills and technique of the “new conductor” leading our top-class orchestra for the next five years.