Face to Face with Ada Chung Lai-ling

Ada Chung, who was appointed as the Privacy Commissioner for Personal Data last September, already has an accomplished career till date. Besides being a qualified barrister and a Certified Public Accountant, Chung has also held numerous prestigious positions such as the Registrar of Companies as well as Principal Government Counsel and Deputy Law Officer for the Department of Justice. During her time as the Registrar of Companies, Chung was significantly involved in the rewrite of the Companies Ordinance and was at the forefront of the implementation of the new Companies Ordinance. However, the role she began in September last year might be one of the most consequential of her career so far.

Enforcing, Educating and Facilitating

Maintaining a delicate yet effective balance between being an educator of the importance of personal data, and facilitating and enforcing data protection, Chung says the PCPD’s role essentially covers three important areas.

The first is enhanced enforcement. “As an enforcer, we will continue to enhance our enforcement efforts and our collaboration with other law enforcement agencies, both local and outside Hong Kong,” Chung states. “We will also take targeted enforcement measures proactively to ensure compliance.” These include, for example, the proactive surveillance of personal data risks online, monitoring of online social media to combat doxxing and monitoring of any activities which involve large-scale collection and use of personal data.

Then, there are promotion, publicity and education. “In our role as an educator, we will continue with our work in promoting compliance with and publicising the requirements under the Personal Data (Privacy) Ordinance (PDPO), and educating the public on matters relating thereto,” Chung states. The PCPD aims to hold thematic seminars and promotional activities from time to time and one of Chung’s plans for 2021 is to collaborate with educational institutions to prepare materials that help promote basic moral values relating to privacy among the younger generation.

Finally, there is a facilitating role. “The accelerated technological developments brought about by the pandemic has posed unprecedented risks to the protection of personal data privacy. I believe that while we should ensure that privacy concerns are properly considered and addressed in any new technological initiative, a proper balance has to be struck between leveraging on new technological advancements for the benefit of the society and the protection of personal data privacy,” Chung shares. In the PCPD’s role as a facilitator, it has been advocating “privacy by design” and adherence to legal requirements and good data ethics in the development of any new initiative. More recently, the PCPD has successfully secured the passage of an accountability framework in the use and development of artificial intelligence at the Global Privacy Assembly.

New Role, New Goals

Chung says she has several key goals to achieve during her five-year term at the PCPD. One of them is to combat doxxing, the malicious Internet-based practice of researching and publicly broadcasting private or identifying information (especially personally identifying information) about an individual. The PCPD aims to contain doxxing in the city by strengthening its collaboration with various regulatory authorities and trade associations. “As a result of our efforts, for example, the Hong Kong SAR Licensed Money Lenders Association Ltd. has appealed to all its members to tighten up their customer due diligence and verification procedures to prevent identity thefts,” Chung shares. Furthermore, The Department of Health has posted a warning notice on its website for “registration of organ donation to deter people from using the personal data of others to make organ donation.”

“The PCPD has also strengthened its collaboration with the Police and maintained close dialogue with the Hong Kong Monetary Authority to remind banks and the financial community to take precaution on the related business risk of unauthorised credit applications perpetrated through use of stolen personal data,” Chung shares.

Chung notes, however, that while the PCPD recorded a sharp increase in doxxing incidents since June 2019, there was a decline in the number of doxxing cases in 2020. “In 2019, we handled more than 4,300 doxxing-related cases and in 2020, we handled just over 1,000 cases,” she notes, adding that she believes that publicity and enforcement efforts and, in particular, the convictions in a number of doxxing-related cases in late 2020, certainly helped send a clear message to the community that the cyber-world is not beyond the law, and hence helped deter people from carrying out such actions.

Recalling the spike in doxxing related incidents in 2019, Chung shares how “the huge number of complaints [had stretched the PCPD’s] resources to the limit” and how it was compelled to “re-deploy staff internally to handle the complaints”. The handling of the complaints also highlighted the lack of criminal investigation power and lack of prosecution power the PCPD holds, which meant that over 1,400 cases were referred to the police for their investigation and consideration for prosecution. “We also do not have statutory power to request the removal of doxxing materials from a website and, from time to time, we have to write to the relevant platform operators several times to secure a removal of doxxing materials or seek assistance from regulatory authorities overseas.”

A number of court rulings in recent months also reflect the PCPD’s work in combatting doxxing. “In November 2020, for example, we secured the first conviction under section 64(2) of the PDPO for doxxing and the defendant in that case was sentenced to 18 months’ imprisonment for the offence. In January 2021, there was a second conviction under section 64(2) of the PDPO for doxxing,” Chung highlights. “Between October and December 2020, there were also three convictions for civil contempt of court for breaches of the interim injunction orders against doxxing of police officers.”

As part of its publicity and educational efforts, the PCPD has introduced a new webpage titled “Say ‘No’ to Doxxing” to elaborate on the potentially serious legal consequences of the deed. In January 2021, Chung’s Office also set up a hotline to receive enquiries or complaints about doxxing behaviour.

Another key goal for Chung has been to consider and assess the impact on personal data privacy of various existing or upcoming anti-pandemic measures introduced by the Government to contain the spread of COVID-19. Chung’s team has spared no efforts in providing practical guidance to the public on the protection of personal data in the new normal. For example, when schools resumed face-to-face classes in phases from 23 September 2020, the PCPD published a Guidance for Schools on the Collection and Use of Personal Data of Teachers, Staff and Students during COVID-19 Pandemic on the same date.

Personal Data in Light of Work-From-Home Arrangements

The outbreak of COVID-19 has compelled organisations in the city to adopt a work-from-home (WFH) policy since early 2020, resulting in personal data becoming more susceptible to breach than ever before. In November 2020, the PCPD issued three Guidance Notes under the series of “Protecting Personal Data under Work-from-Home Arrangements” to provide practical advice to organisations, employees and users of video conferencing software to enhance data security and the protection of personal data. “We have disseminated the Guidance Notes through targeted and mass media channels so that our practical advice could reach institutional data users as well as members of the general public,” Chung shares. Copies of the Guidance Notes have been sent to chambers of commerce, educational institutions and professional bodies and advertorials have been placed in newspapers. “The Guidance Notes have received positive feedback from stakeholders so far, who consider the guidance helpful, practical and timely. Meanwhile, our complaints and data breach notification figures suggest that privacy risks arising from WFH arrangements were well contained,” she adds. As of 31 January 2021, the PCPD has received only three data breach notifications and two complaints relating to WFH arrangements.

In July last year, the PCPD issued a joint open letter to companies providing video teleconferencing services, reminding them of their obligations to comply with the relevant privacy laws and handle people’s personal data responsibly. The challenges Chung’s office is facing in relation to the protection of personal data privacy in the use of video conferencing services primarily “relate to the lack of extraterritorial application of the PDPO because practically the operation of all the relevant service providers are located outside Hong Kong,” Chung explains. “That’s why we have collaborated with the data protection authorities in five other jurisdictions to engage five major video conferencing service providers to ensure that there are proper policies and measures in place to safeguard the collection, holding, processing and use of personal data.”

Another challenge for Chung’s team is to understand the intricate, and often very complicated, technological infrastructure which underlies the provision of such services along with the different data protection policies, practices and measures adopted by different service providers.

Besides data privacy issues arising out of WFH arrangements, there are other issues arising from the pandemic such as children’s privacy and the collection of data from employees and customers. “The COVID-19 pandemic has brought about unparalleled disruption of our daily lives,” Chung shares. “Striking a proper balance between privacy right and the protection of public health poses a real challenge to decision makers in both public and private sectors.”

As part of its role to monitor and supervise the implementation of the PDPO, Chung’s team has been providing its views to the Government, public institutions and private organisations on the introduction of new public health measures. It has also compiled a Compendium of Best Practices adopted by different jurisdictions in response to COVID-19 in the areas of, for example, contact-tracing and sharing of personal data among authorities, amongst others.

To assist organisations and individuals in the handling of personal data in different situations during the pandemic, other than Guidance Notes, the PCPD has issued a number of advisories through media statements on various topics. These include, for example, guidelines on children privacy during the pandemic, guidance for employers and employees on the collection of health data of employees, and practical advice to premises operators on temperature measurement and collection of relevant personal data.

Data Privacy Laws Today and Beyond

The heightened use of data and an increased understanding of its power have made transparency and protection even more important today. On asked how she sees data privacy laws such as the PDPO developing over the next ten years, Chung believes that “with the accelerated pace of technological development, the increasing use of big data, artificial intelligence, biometric data, online social media and other new technologies, issues relating to the protection of personal data privacy would be omnipresent in the coming decades.”

Chung elaborates on how “data protection authorities around the globe are facing unprecedented challenges nowadays in the light of the myriad of new and emerging issues.” Over the next decade or so, “new data privacy laws are likely to be introduced in different jurisdictions to regulate matters relating to, for example, the collection, holding, processing and use of biometric data, the disclosure or use of personal data online, both by netizens and platform operators, the protection of children privacy and requirements relating to accountability, data protection by design and by default in the development of new technological tools,” she adds.

When prompted to share her thoughts on how the legislative reform to data privacy landscape in Hong Kong can take into account the laws of other advanced economies (such as Europe, which has the General Data Protection Regulation (GDPR)), Chung says that “when we are considering the local regulatory environment, it is important that we take into account local circumstances and development as well.”

Chung shares that the Government and the PCPD have been studying concrete proposals in amending the PDPO with a view to further consulting the Legislative Council on the proposals. Some of the topics under review include the introduction of new offence provisions and new powers to more effectively combat doxxing, the introduction of mandatory data breach notification requirement and an administrative fine regime as well as empowering the PCPD to carry out criminal investigation and institute prosecutions.

The Legal Profession and the PCPD

With legal professionals having access to a vast amount of personal data, Chung believes it is of utmost importance for them to understand and uphold the PCPD’s mission. “I believe that as part of their work, lawyers handle a vast amount of sensitive and highly confidential personal data on a daily basis, such as the personal data involved in any property or commercial transactions, or in the handling of family or marital disputes,” Chung says. She believes it is therefore critical for lawyers and law firms to pay heed to the requirements of the PDPO and the six Data Protection Principles and pay attention across all activities in relation to data such as collecting, holding, processing and using personal data as well as ensuring the use of data for the purpose(s) for which they were collected, putting in place adequate security measures to prevent the loss or unauthorised leakage of data and ensuring that the data is not kept longer than is necessary.

“It is equally important for lawyers to raise the awareness amongst their clients, or the organisations in which they work, to the legal requirements governing the protection of personal data, and for legal advice on the requirements of the PDPO be given whenever necessary,” Chung says.