Guo Bing, a law professor in China, recently scored a partial court victory against Hangzhou Safari Park for the latter’s disproportionate use of facial recognition technology without his consent.
But the court upheld the park’s right to use biometric technology in business operations — a verdict against which Guo Bing vows to fight till the end. If he wins, it might become China’s first court case that rules in favor of a citizen against a data collector. The outcome may inspire a string of fresh legal challenges to government and business intrusions alike.
Few would dispute that data is the most valuable commodity, and China leads the way in aggressively harvesting such resources, as many tech companies race for a competitive edge. In 2019, the so-called new economy built on the value of data accounted for 16.3% of China’s gross domestic product.
Public places in China are now interspersed with over 20 million surveillance cameras, which amass volumes of biometric data on its citizens. In the private sector, the Chinese dependency on online shopping and mobile payments has created a treasure trove of consumer information that begets cybersecurity concerns.
Guo Bing’s case is the tip of the iceberg. An uptick of high-profile data leaks in recent years has thrust the discussion of data privacy into the spotlight. In response to the escalating public furor, China finalized the new Personal Information Protection Law on August 20, 2021, which aims to provide overarching data protection for Chinese internet users. The law is not all bark and no bite — as may be gleaned from the requirement for government agencies to obtain informed consent before collection, just as private companies must. The days of unsupervised exploitation of data resources might be over. With stricter rules on privacy, tech and advertising companies will face sterner scrutiny for their data monetization strategies.
China is the largest internet user market and data economy, and its data privacy framework has extraterritorial reach to regulate cross-border processing of PRC individuals’ information for the purpose of providing products or services to them.
What does it mean for Hong Kong? After many Hong Kong businesses entered the digital market, customers began to leave enormous digital riches that had previously been indiscernible in physical visits. Data harvesting and processing frequently pass through multiple jurisdictional touchpoints. Any Hong Kong company that serves PRC customers might soon have no choice but to comply with China’s privacy law.
Indeed, non-compliance has severe consequences. The new law lets regulators levy big penalties for violations that are comparable to those of the European Union’s General Data Protection Regulation, which is considered the most imposing privacy law in the world.
By comparison, the failings of Hong Kong’s self-regulatory approach are becoming clearer by the month. In 2018, Cathay Pacific was embroiled in a massive data leak scandal that caught the attention of local media. Two years have passed, yet other than a hefty fine levied for Cathay’s violation by a UK privacy watchdog, the scandal has not changed the accepted calculus about the preference for self-regulation. Many companies continue to rely on arcane policies that obfuscate their data use. Internet users are inundated with highly personalized content, even against their wishes. A cursory click on a product on a search site often triggers an unwarranted series of pop-up ads for similar goods.
Despite public awakening, the Hong Kong data privacy regime is limited in its breadth and depth. Frequently maligned as a “toothless tiger,” the Hong Kong Privacy Commissioner, the lead authority on data privacy, lacks enforcement power to regulate data collection activities.
Unlike the EU law, which has a mandatory 72-hour breach reporting requirement, Hong Kong does not require data collectors to notify the authority, or affected data subjects themselves, in the event of a data breach. The realistic upshot is that there is no unified approach to handling a breach. Some companies might opt for inaction for fear of severe reputational damage and regulatory sanctions. Much to everyone’s ire, it took almost four years before Cathay Pacific reported the data breach that happened in 2014. Without an agreed approach, we are all at the mercy of potential misuse by data collectors.
Opponents of privacy law have long argued that additional regulations might impede innovation. But if trust leaches out of the system, innovation will suffer. If consumers fret about how their data is being treated, few new offerings will take off. A thriving business environment must be predicated on the trust of consumers to whom the goods and services are targeted. Indeed, Cathay Pacific has learned the consequences of not protecting consumer data the hard way. Businesses that use data ought to take heed and keep data protection at the forefront of everything they do.
As a common law jurisdiction, Hong Kong rarely looks to Mainland bureaucrats for legislative guidance. But when it comes to data privacy, the case for referencing the pertinent aspects of the Chinese approach is compelling. The need to minimize legal fragmentation between two highly integrated economies only adds to the case for Hong Kong to harmonize new privacy laws. Contrary to common characterization, with the imminent passage of the new law, China’s regime no longer represents a convenient counterargument against data protection.
The proliferation of the data economy intensifies the tug of war between data collection and privacy protection. If utilized ethically, a free flow of information can provide companies with the knowledge to improve citizens’ lives, and a more efficient government to respond to social needs. When left unchecked, governments and corporations have shown that they too are prone to exploiting the internet’s knowledge flow and abusing that power without qualms.
Hong Kong now faces a tough balancing act to allay public fears while enabling tech innovation. As Hong Kong companies race for a competitive edge in Mainland China, we cannot take a blinkered view on data privacy and operate in a regulatory state of suspension.
We need not adopt the new China law, or the EU law for that matter, wholesale. But there are arguments for using them as templates, rather than relying on an ineffectual legislative patchwork or ignoring the issue of data protection altogether. A new legal regime would help create a business environment in which users can safely determine where and with whom to share their own information. To legislate for this future that is already upon us, we need to stop improvising and start planning.