
No law to force firms to reveal data leaks, says Hong Kong privacy chief amid Cathay scandal

Hong Kong’s privacy chief has said there is no law in Hong Kong to force companies to reveal data leaks. However, he encouraged them to be morally responsible in disclosing such incidents.

Cathay Pacific revealed last week that the personal data of 9.4 million passengers had been leaked, seven months after it had discovered suspicious activity on its network in March.

Privacy Commissioner for Personal Data Stephen Wong said some countries made it a legal requirement for companies to reveal data leaks, but such rules were absent in Hong Kong.


Stephen Wong. Photo: RTHK Screenshot.

“I can expect that, in some situations when similar incidents occur, [companies] would not reveal them – they would not tell the Office of the Privacy Commissioner for Personal Data, and would not tell affected customers,” Wong said on an RTHK radio programme on Monday. “This is not a violation of regulations under the current laws – we can only encourage responsible organisations to reveal them.”

“This is not a legal responsibility, but a moral responsibility,” he added.

Disclosure period

The EU’s General Data Protection Regulation, effective since May, stipulates that regulated companies must reveal data leaks within 72 hours. Wong said it was reasonable for firms to reveal data leaks within such a time period.

“As to why it should be within three days, I speculate that it is because of two-day weekends… I believe 72 hours is a tolerant and reasonable requirement.”

He said that his office has initiated a review of current law, and it will actively consider whether to follow the EU requirement.


Cathay Pacific planes at the Hong Kong International Airport. Photo: GovHK.

Wong said his office has initiated a compliance check on the public information provided by Cathay Pacific. He said his office would conduct a deeper investigation if any apparent violation of privacy regulations was found. For instance, there may have been inadequate preventive measures.

Wong also said his office had received 24 complaints and 27 enquiries.

His office sent a preliminary questionnaire to Cathay Pacific last Thursday and gave them ten days to answer, but there has not been a response as yet.

Wong said his office has experts who will examine the airline’s response, and it may also engage overseas experts.
