Different offences are scattered over various ordinances. The New Cybercrime Offences, except for illegal interception of computer data, come in an aggravated form if further criminal activities or a high degree of severity is involved.

In determining what constitutes practicable steps, the data user should consider a number of factors. There is no statutory definition of security breaches. The PCPD may also decline to investigate a complaint where it is of the opinion that an investigation is unnecessary (see question 13 above).

Data breach notifications to the PCPD are currently voluntary, although the PCPD can take into account whether notifications were given in considering whether a data user has complied with the DPPs (in particular DPP4 on data security).

On June 1, 2017, China's Cybersecurity Law went into effect, marking an important milestone in China's efforts to create strict guidelines on cyber governance.

The PDPO has been under review since the publication of a government paper in January 2020 (LC Paper No CB(2)512/19-20(03)), with the aim of strengthening the protection of data subjects.

In terms of the overall legislative framework, the government has indicated that in preparing the impending cybersecurity legislation it will refer to relevant legislation around the world and will focus on seven areas. These broad areas will likely translate into compliance obligations for CII operators under the cybersecurity legislation.
Another key point to note is the government's proposal to enact specific cybersecurity legislation in Hong Kong, given the increasingly important role cybersecurity and data security play in upholding national security (see question 28 above).

The Consultation Paper conducts a comprehensive comparison of the cybercrime laws in seven other jurisdictions, namely Australia, Canada, England and Wales, Mainland China, New Zealand, Singapore and the USA.

The PDPO adopts the key definitions of personal data, data subject, data user (not data controller) and data processor. There is no concept of sensitive personal data under the PDPO, and no additional restrictions are imposed specifically in respect of sensitive personal data.

DPP1(1)(a) provides that personal data must not be collected except for a lawful purpose directly related to a function or activity of the party that will use the data, while DPP1(3) requires that the data subject be notified explicitly of certain information related to the collection before the first collection (save for limited circumstances), including: the purposes for which the personal data will be used; whether supplying the personal data is obligatory or voluntary, and the consequences of failing to supply obligatory information; the classes of persons to whom the personal data may be transferred or disclosed; and, if applicable, information about the use and/or provision of personal data for direct marketing. Direct marketing includes the offering, or advertising of the availability, of goods, facilities or services.

Hong Kong generally follows the common law, and the English Court of Appeal has held that a ransom payment only becomes criminal property in the hands of the recipient (in the case of a cyberattack, the threat actors), rather than while in the hands of the payer (R v L & Ors [2005] EWCA Crim 1579, dealing with the position under s.327 of the English Proceeds of Crime Act 2002).
There are certain legislative provisions relating to cyber crimes, including within the Crimes Ordinance. This has highlighted the need for more robust, updated and comprehensive cyber legislation in Hong Kong.

As noted in question 1 above, the PCPD is currently considering a prescribed data retention period and a requirement for data users to have a data retention policy (likely to be supplemented by templates and guidelines published by the PCPD).

The local cybersecurity legislation may potentially adopt the concept of "critical information infrastructure operators" under the PRC's national Cybersecurity Law, who are subject to heightened security measures such as undergoing national security review when purchasing network products and services that may impact national security, and storing personal information and critical data within the territory.

There can therefore be more than one data user in respect of any item of personal data (for example, if different group entities use personal data for different reasons). Data users are free to consider what obligations best fit the circumstances (such as the amount and sensitivity of personal data involved, the nature of the data processing and the harm that may result from a security breach), and contractual obligations may be implemented to fulfil the data user's obligations under DPP2(3) and DPP4(2). There are currently no laws or restrictions dealing specifically with tracking technologies such as cookies, or with profiling and automated decision making.
However, the PCPD's Guidance on Outsourcing the Processing of Personal Data to Data Processors recommends keeping records of all personal data transferred to a third party for processing.

A data user must also not provide personal data to a third party for its direct marketing use without the data subject's informed written consent (s.35K of the PDPO), having notified the data subject of various matters relating to the proposed transfer and use of the personal data (pursuant to s.35J of the PDPO).

The PRC Cybersecurity Law requires network operators in the PRC to take appropriate measures to safeguard network security, prevent illegal activities and maintain the confidentiality of network data.

Any consent obtained from a data subject for the collection of biometric data must be voluntary. Persons collecting and/or using (or controlling) biometric data must therefore comply with the PDPO as data users.

The Electronic Health Record Sharing System Ordinance (Cap. 625) regulates the collection, sharing, use and safe-keeping of patients' health data under the Electronic Health Record Sharing System.

The Hong Kong Monetary Authority (HKMA) has issued several circulars on technology risk management, providing guidance and reminders on the technological security requirements and controls to be observed by authorised financial institutions. The PCPD may also carry out proactive inspections of any personal data system for the purpose of making recommendations to a data user (s.36 of the PDPO).

Increase in limitation period: the HKLRC is of the view that the current limitation period under s.26 of the Magistrates Ordinance (Cap. 227) (i.e., six months) is too short in relation to summary proceedings for the New Cybercrime Offences.
Under the New Cybercrime Offences, a CEO fraud scam of this kind would constitute the offences of illegal access to programs or data, illegal interception of computer data and illegal interference with computer data.

DPP1 and DPP3 combined mean that it is not possible to obtain a blanket consent (in a notice or agreement between the data user and the data subject) that purports to give the data user the right to use personal data for any purpose whatsoever.

The CAC has extended its cybersecurity review to Hong Kong IPOs: China is set to require PRC companies to undergo a cybersecurity review before listing in Hong Kong, on national security grounds. Having secured a compliant Legislative Council (LegCo) via the rigged elections of December 19, 2021, China's central government will likely take additional steps in 2022 to ensure its complete control over Hong Kong. That does not mean, however, that companies based in Hong Kong will not be subject to China's Cybersecurity Law if they do business in Mainland China, for the reasons mentioned above.

There are currently no mandatory registration or licensing requirements for data users, data processors or other persons covered by the PDPO. In addition to these provisions, it is recommended that data users and data processors keep records of data processing activities in order to be able to respond promptly and comprehensively to any enquiry or investigation by the PCPD into compliance with the DPPs, or to any complaint by a data subject.
CEO fraud is a sophisticated email scam in which the attacker sends phishing or spoofing emails impersonating a company's CEO or another executive to trick employees into transferring money or providing confidential company information. In a typical CEO fraud scam, the scammer would usually first get a good working understanding of the company's hierarchy and its money, trade and logistical movement patterns.

A licensed or registered person may choose to notify the SFC of a breach voluntarily, particularly given the SFC's recent attention to cybersecurity in thematic reviews and regulatory audits.

Furthermore, DPP2(3) and DPP4(2) provide that when a data user engages a data processor, whether within or outside Hong Kong, to process personal data on the data user's behalf, the data user must adopt contractual or other means to prevent any personal data transferred to the data processor from being kept longer than is necessary.

Since Beijing enacted the new national security law tailor-made for Hong Kong on June 30, the business community in the city has expressed concern over the legislation. "It's been enormously difficult for our companies to prepare for the implementation of the cybersecurity law, because there are so many aspects of the law that are still unclear," said Jake.

Responses to the Consultation Paper are due on 19 October 2022.
The key principles under the PDPO for processing personal data are contained in the six DPPs (outlined at question 1 above).

While Hong Kong has yet to enact specific legislation on cybercrime or cybersecurity, this will soon change with the announcement of the proposal to enact a new cybersecurity law in the Chief Executive's 2021 Policy Address (the "2021 Policy Address") and the issuance of a consultation paper on "Cyber-dependent crimes and jurisdictional issues" (the "Consultation Paper") by the Hong Kong Law Reform Commission (HKLRC). Authorities in Hong Kong are planning a new law regulating cybercrime, in a move that could lay the groundwork for China-style censorship of the city's internet. Currently, Hong Kong does not have any specific offence applicable to cybercrime.

The Basic Law is Hong Kong's mini-constitution, established as part of the handover of Hong Kong from the United Kingdom to China in 1997 after more than 150 years of colonial rule.

The PDPO contains specific provisions restricting cross-border transfers of personal data, but these have never been brought into force. Several sectors have their own additional requirements; these include banking and financial services, insurance and telecommunications, which have their own codes of practice and guidelines published by the PCPD and their own sector-specific regulations.

Where personal data is to be used for a new purpose, explicit and voluntary consent from the data subject must be sought in compliance with DPP3. There is currently no obligation to consult with the PCPD, or to issue data breach notifications to the PCPD.
However, online tracking activities must comply with the provisions of the PDPO. As the organisation engages the third party to collect or track user behaviour, it is the organisation's responsibility to understand from the third party what information is being collected and the means by which it is collected.

Data user means a person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of personal data.

That said, s.25A OSCO provides a defence to a prosecution under s.25 OSCO if the victim notifies an authorised officer. The specific application to a cyber ransom payment has not yet been tested in the Hong Kong courts.

Defences to the offence of disclosing personal data obtained from a data user without the data user's consent include: where there was a reasonable belief that the disclosure was necessary for preventing or detecting crime; where there was a reasonable belief that the data subject had consented to the disclosure; and where there was a reasonable belief that the disclosure was in the public interest and was made for news activity purposes.

There are no minimum contract terms, or standard contractual clauses, required for processors of personal data.

When you take the new rules in the context of the existing China Cybersecurity Law (CSL), Data Security Law (DSL) and PIPL, a clear picture emerges of ten high-impact changes for non-Chinese multinationals.

The Securities and Futures Commission (SFC) has also issued guidance, FAQs and circulars on cybersecurity, most recently in relation to internet trading, remote office arrangements and the use of external electronic data storage.

A guide to Hong Kong's cybersecurity laws and practices, Matt Bower, 21 June 2021. The past decade has seen a huge increase in the incidence of cyber crime in Hong Kong.
The SFC's Code of Conduct for Persons Licensed by and Registered with the Securities and Futures Commission (last updated in December 2020) contains specific provisions relating to information security, including section 12.5 (requiring a licensed or registered person to report to the SFC immediately upon any material failure, error or defect in the operation or functioning of its trading, accounting, clearing or settlement systems or equipment) and section 18.5 (requiring a licensed or registered person to ensure the integrity and security of any electronic trading system it uses or provides to clients).

The PCPD's review of the PDPO includes the potential introduction of mandatory data breach notifications to both the PCPD and data subjects within a specified timeframe (still to be set). It is currently unknown which (if any) of these proposals would be included in further amendment legislation and when any such changes would come into effect.

Sections 20 and 24 of the PDPO provide certain exceptions to a data user's obligation to comply with data access or correction requests, for example where the data subject does not supply enough information to verify his or her identity.

On 20 July 2022, the HKLRC released the Consultation Paper proposing the New Cybercrime Offences, which aim to rein in cybercrime with tougher penalties of up to life imprisonment. The rise in cybercrime has been exacerbated by the global pandemic, which has forced criminals online, with the number of cases in 2021 representing a 162% increase on the 2020 figure alone. CII operators may need to undertake a significant exercise to ensure compliance with the new legislation.
If a data user engages a data processor to handle the personal data of other persons, the data user should adopt contractual or other means to ensure that the data processor complies with the same retention requirement. The PCPD has recommended in its Guidance on Data Breach Handling and the Giving of Breach Notifications that data users should notify the PCPD about data breaches as part of recommended practice for proper data breach handling. There are also industry-specific data breach notification requirements.

This strategy also highlights the importance of cybersecurity legislation.

The PCPD has issued Guidance on Personal Data Protection in Cross-border Data Transfer, which serves as a practical guide for data users to prepare for the future implementation of these provisions. The PCPD has prepared a table summarising the various offences under the PDPO and their respective penalties.

This country-specific Q&A provides an overview of Data Protection & Cyber Security laws and regulations applicable in Hong Kong. The Personal Data (Privacy) Ordinance (Cap. 486) (the PDPO) focuses on six Data Protection Principles (the DPPs), restricts direct marketing without consent, and establishes the Office of the Privacy Commissioner for Personal Data (the PCPD) as the supervisory authority. The PDPO places detailed prescriptions on the manner in which personal data can be used for direct marketing, the information that a data user must provide to the data subject in order to be able to use the personal data for direct marketing, and the express prior consent that the data user must obtain from a data subject in order to use personal data for direct marketing purposes.

The PRC Cybersecurity Law governs network security and cyberspace activities in the PRC.
Section 66 of the PDPO provides that a data subject may commence civil proceedings against a data user who contravenes the PDPO to seek compensation, if they can show that the contravention caused damage. Hong Kong's personal data protection law, which has not been significantly revised since its introduction in 1996, likely needs an update to be in line with the mainland's tougher standards.

All data users are required to comply with the six DPPs. Contravention of a DPP is not of itself an offence, although the PCPD can investigate and issue a public enforcement notice, breach of which is an offence. The PCPD generally has no direct power to sanction a breach of a DPP, although breach of certain provisions of the PDPO (see question 37 below) is a criminal offence, punishable by fines and/or imprisonment. This relates to healthcare providers only.

Cyber security is now routinely cited and consistently placed at the top of political agendas. As noted in question 20 above, there are no restrictions on online tracking for advertising or marketing purposes.

Increased maximum sentences: the maximum sentence under most of the New Cybercrime Offences is 14 years, as opposed to the present range of two to 10 years' imprisonment for existing offences.

When the PRC Cybersecurity Law was enacted in November 2016, it broadly defined CII for the first time.
Contravention of certain specific provisions of the PDPO is also an offence, including failing to erase personal data that is no longer required for the purpose for which it was used, and disclosing personal data obtained from a data user without the data user's consent.

DPP6 also provides a data subject with rights of access to and correction of his or her personal data; Part 5 of the PDPO provides detailed provisions regarding the manner and timeframe for compliance with data access and correction requests.

Cloud computing is both a rapidly growing market in China and subject to this increasing regulatory regime.

Other than as set out below, there are no requirements for the form in which consent is obtained or handled. DPP3 prohibits the use of personal data for any new purpose which is not the purpose for which the data was collected (or a directly related purpose), except where the data subject's express and voluntary consent has been obtained. Part 8 of the PDPO exempts personal data held in specified circumstances from certain DPPs and provisions of the PDPO; these exemptions operate as a defence for data users that fail to comply with the exempted requirements.

The rapid development of technology has brought about an increasing number of cyberattacks and cybercrimes in recent years, resulting in significant challenges for law enforcement and for the cybersecurity of critical information infrastructures (CIIs).

Direct marketing under the PDPO does not cover a marketing call to the unidentified owner of a particular telephone number (which is regulated under the Unsolicited Electronic Messages Ordinance).
Data processors (in that capacity) are subject to obligations by way of the flow-down contractual or other means which a data user must adopt. Given the general scheme of the PDPO, several sectors and industries impose their own additional data security obligations. The PCPD has published a Code of Practice on Consumer Credit Data (which provides practical guidance to data users on the collection, accuracy, use, security, access and correction of personal data of applicants for consumer credit), and Guidance on the Proper Handling of Customers' Personal Data for the Banking Industry (which provides practical guidance to the banking industry on understanding and complying with the relevant data protection requirements under the PDPO, and suggested best practice for the collection, accuracy, retention, use, security of and access to customers' personal data).

Personal data means any data which: relates directly or indirectly to a living individual; and from which it is practicable to identify that individual directly or indirectly (including using other data held by the same data user).

Under DPP6, a data subject has the right to: ascertain whether a data user holds personal data of which he or she is the data subject; request access to personal data within a reasonable time, for a fee which is not excessive, in a reasonable manner and in a form that is intelligible; and request the correction of personal data.

Establishing a preventive management regime for critical infrastructures is one of the areas the cybersecurity legislation is expected to cover.

The PCPD has recently confirmed that it is considering further amendments to the PDPO with the HKSAR Government.

Please provide an overview of the legal and regulatory framework governing data protection and privacy in your jurisdiction (e.g., a summary of the key laws, who is covered by them, what sectors, activities or
Organisations engaging in online tracking should: inform users what type of information is being collected or tracked, the purpose of collection, how the information is collected, whether it will be transferred to third parties (and, if so, to which third party and for what purpose), whether it will be combined with other information to track or profile users, and for how long it will be kept; and inform users whether any third party is collecting or tracking their behavioural information.

Under DPP2, data users must take all practicable steps to ensure that personal data is accurate and is not kept longer than is necessary for the fulfilment of the purpose for which the data is used. The DPPs also outline data subjects' rights to access and correct their personal data. The PCPD has published certain codes and guidelines regarding the collection and use of certain types of personal data which require special attention (including Hong Kong identity cards, biometric data and consumer credit data; see further question 7 below). Several non-binding guidance notes from the PCPD recommend employee training, including the recommended Privacy Management Programme. Consent may be indicated by a signature or a tick box.

The details of the legislative proposal are not yet available. This week the Cybercrime Subcommittee of the Law Reform Commission (LRC) in Hong Kong published a consultation paper on cybercrimes.

The Cybersecurity Law of the People's Republic of China, commonly referred to as the Chinese Cybersecurity Law, was enacted by the National People's Congress with the aim of increasing data protection, data localization and cybersecurity, ostensibly in the interest of national security.
Part 6A of the PDPO requires that data users obtain the explicit, informed consent of a data subject before using the data subject's personal data for direct marketing or transferring the data to a third party for direct marketing. The PCPD may publish reports of its investigations or inspections (on its website) if it considers it in the public interest to do so (s.48(2) of the PDPO). The Amendment Ordinance also contains additional investigation powers in respect of the two-tier doxxing offences. In addition to the general personal data protection framework under the PDPO, there are sector-specific personal data protection requirements imposed by some industry regulators (see question 28 below). The PCPD is considering with the HKSAR Government whether to introduce a direct administrative fining power for the PCPD.

Personal data must also be in a form in which access to or processing of the data is practicable.

In a CEO fraud scam, the scammer gains access to the CEO's or the executive's email account, sends emails to employees requesting money, and then slips into the payment flow to intercept payments from the employees.

The PCPD has published Guidance for Mobile Service Operators, providing practical guidance to mobile service operators on complying with the PDPO in their business operations.
