banner news

HK data protection laws ‘offer no deterrent’

Hong Kong, 30 October 2018: Hong Kong’s outdated and weak data protection laws do not provide a sufficient deterrent for firms which fail to safeguard customers’ personal information, says Boase Cohen & Collins Senior Partner Colin Cohen.

While the European Union has implemented stringent new legislation this year, with huge fines for companies which fail to comply, Hong Kong has failed to move with the times, he said.

Mr Cohen was speaking on RTHK Radio 3’s Backchat programme today following last week’s admission by Cathay Pacific that the personal details of 9.4 million passengers had been illegally accessed by hackers last March.

The airline claimed it did not report the data breach earlier to avoid “unnecessary panic” among customers but the lengthy delay brought a strong rebuke from Hong Kong’s Privacy Commissioner Stephen Wong and a furious reaction from legislators and the public.

“There is no doubt Cathay should have come clean at the very beginning. There would obviously have been fallout at the time, but nothing like the difficulties they are having now,” said Mr Cohen.

“The real problem here is that our legislation in Hong Kong is way behind the times. Cathay must have taken legal advice on this and the lawyer will probably have told them that we have weak data protection laws here and even if someone does take action against them firms just get a rap over the knuckles and a small fine. There is no deterrent.

“In Europe, firms which fail to provide adequate data protection can be fined up to €20 million per infringement or 4% of their worldwide turnover. This is a huge stick being waved at major companies who hold large amounts of personal data. Also, if there is a data breach, they have to report it within 72 hours. In this case, Cathay waited so long before telling anyone.”

The European Union’s General Data Protection Regulation came into effect last May. In a key departure from previous legislation, it applies worldwide, meaning organisations outside the EU which process personal data relating to people living in the EU must abide by it. This has led to a British-based law firm planning to seek compensation for Cathay Pacific passengers through a collective legal action overseas, but Mr Cohen cautioned that this would not be straightforward.

“There is a possibility of it happening but it will be very difficult for Hong Kong people to get involved in that. If you are a Cathay customer living in London then you have more ability to take that on,” he told Backchat presenters Hugh Chiverton and Rachel Cartland.

“But these class actions are never easy and sometimes they are a bit opportunistic, in my view. They don’t get to the heart of what really needs to be done here, which is implementing legislation to ensure companies have really strong data protection systems in place.”

Mr Cohen is a regular guest on Backchat, offering a legal perspective on notable news stories. Previous topics have included insurance cover for Uber drivers, the legal rights of airline passengers who are bumped off flights, and aggressive sales practices by fitness chains.

CXdata PHOTO

Cathay Pacific should have reported last March’s data breach much earlier, says Colin Cohen.