Amendments to Hong Kong Data Protection Regulation to Widen the Definition of “Personal Data” – Portion 5 of 6 | Bryan Cave Leighton Paisner

Summary

Hong Kong proposes to widen the current definition of “personal data” to cover not just “identified” people but also “identifiable” folks. The amendment is expected to deal with the use of on the internet monitoring systems this sort of as net cookies to the extent that they make it fairly attainable for folks to be recognized.

This submit is the fifth in the series of six content in which we explore the proposed amendments to the knowledge security regime in Hong Kong.

This article deals with that part of the proposed amendments to the Individual Knowledge (Privateness) Ordinance (“PDPO”) that are aimed at widening the definition of “personal data”.

See backlinks below for our prior articles or blog posts on the proposed amendments:

Introduction

There is no uncontested and extensively coherent definition for “personal data”. Jurisdictions all-around the world just about every adopt a definition which is thought to be most ideal for their demands. Hong Kong normally takes the perspective that it is critical to undertake an proper definition of “personal data” which accords with the present-day technologies in information analytics and information collection, so as to make certain that the information privacy law supplies plenty of protection to shield private information.

In mild of the growing attractiveness in the use of tracking technologies and facts analytics, Hong Kong has proposed to widen the recent definition of “personal data” below the Own Information (Privateness) Ordinance (“PDPO”) to fulfill general public expectation in direction of the security of particular information.

The current definition and its deficiencies

Under the current PDPO, “personal data” signifies any information and facts (a) relating to a living particular person (b) from which it is practicable for the identity of that specific to be ascertained and (c) which comes in a sort in which entry to or processing of the facts is practicable.

To put it simply, the PDPO now handles personalized details which relates to an genuine living man or woman whose id can be ascertained, i.e. an “identified” person.

The existing definition of particular info does not protect circumstances exactly where the details consumer has manage of descriptions or identifiers which just point to or are relatable to a man or woman, i.e. details which relate to “identifiable” persons. With the use of present day facts processing technologies, it has come to be feasible for info buyers to hyperlink information and facts this kind of as residential addresses, IP addresses, and web page cookies to discover people. If this information held by a data consumer accretes so as to permit the id of a particular person to be ascertained, it is thought by Hong Kong that these facts must be controlled and protected less than the PDPO.

Illustrations from other jurisdictions

The correct new definition for “personal data” has not however been printed. The Hong Kong govt has taken reference from different overseas regulatory regimes which expressly control data relating to “identifiable” persons, and possible will formulate a related definition which aligns Hong Kong’s regulation broadly with current international standards.

Under are some illustrations of what other jurisdictions are regulating:

• Canada and New Zealand: data about “identifiable” men and women.
• Australia: info about “identified” persons and people today who are “reasonably identifiable”.
• The EU: data about “identified” and “identifiable” persons.

Observe that Australia’s info privateness regulation distinguishes amongst people today who are “potentially identifiable” and all those who are “reasonably identifiable”. Only the latter falls underneath its definition of “personal information”. Whilst it technically may possibly be achievable for a info person to determine an specific from the assortment of information it retains, the identification course of action expected to determine an personal could arrive with an unreasonable expense or problems. If that is the situation, the personal only is “potentially identifiable” and Australia has made the decision not to contain this sort of information in its definition of “personal information”¹.

On the other hand, the GDPR of the EU regulates information relating to “an identifiable pure person”. It refers broadly to all-natural persons who, “directly or indirectly”, can be recognized. The GDPR helps make distinct references to identifiers (these kinds of as names, site facts and identifiers) and different aspects distinct to the id of a individual, but does not limit itself just to these identifiers. An element of reasonableness is existing in the word “indirectly”. Oblique identification of an specific falls under the ambit of the GDPR if the data controller may discover an individual by employing other info it holds or data it fairly can accessibility from one more resource. This is supposed to include adaptability to the provisions so that it captures also systems designed in the future which allow dwelling individuals to be identified in new approaches.

Primarily based on the higher than, we count on that an ingredient of reasonableness very likely will be existing in Hong Kong’s new widened definition of “personal data” when it is manufactured general public.

What sort of information is anticipated to slide underneath the new definition?

On a sensible level, what varieties of data are envisaged to be captured under the new definition?

In addition to the reasonably straightforward particular identifiers, the GDPR expressly covers on the internet identifiers which do not relate directly to dwelling individuals but fairly relate to instruments or electronic footprints which may well be traceable to specific people. Recital 30 of the GDPR gives illustrations these kinds of as net protocol (IP) addresses, site cookies and radio-frequency identification (RFID) tags. It appears from the Hong Kong government’s amendment proposals that these styles of modern monitoring and surveillance systems also are on the radar.

Each and every of these named identifiers keep track of unique information. Each and every when considered on its have may not tumble under the ambit of “personal data”. However, when these identifiers together type a collection of on the net info of browsing tastes, habits and behaviours which gets to be ample to position to a unique personal, we assume that this sort of knowledge will slide to be regulated beneath the new definition of “personal data”.

Points to choose away

The definition of “personal data” less than the PDPO is envisioned to be widened to consist of strands of non-individual facts which collectively may perhaps allow folks to be discovered. The new and widened scope of “personal data” will provide Hong Kong’s place into nearer alignment with the present global expectations.

On the internet behavourial monitoring instruments and identifiers generally deployed by organisations that maintain web-sites probable will arrive inside of the purview of the Privacy Commissioner for Own Details.

Firms and organisations ought to update their privateness insurance policies to guarantee that any use of identifier or tracking device is compliant with the set up information protection principles.

1. For additional dialogue on Australia’s difference involving “potentially identifiable” people today and “reasonably identifiable” people today, see paragraphs 6.53 to 6.60 of ALRC Report 108 published by the Australian Regulation Reform Fee.