However, organisations carrying out such activities should adopt the following best practices in compliance with the requirements under the PDPO (including the DPPs): For more guidance, please see the PCPD's information leaflet on Online Behavioural Tracking. A data user may also refuse to comply with a data access or correction where: The PCPD has published Guidance Notes on the Proper Handling of Data Access Request and Charging of Data Access Request Fee by Data Users, and the Proper Handling of Data Correction Request by Data Users. The extent or timetable of further reforms is not yet publicly known. Separately the Chief Executive of the Hong Kong Monetary Authority . Hong Kong Yes, the PDPO draws a distinction between data users and data processors (see question 3 above). If the data subject is a child and their consent is required for the collection of personal data, a parent or guardian may give the prescribed consent. The law, which is currently at the . Any consent obtained from a data subject for the collection of biometric data must be voluntary. Establishing a preventive management regime for critical infrastructures. The Amendment Ordinance also contains additional investigation powers in respect of the two-tier doxxing offences. The details that will define the policy effect and direction of the proposed laws will be: the proposed scope of terms such as CII operators. It recommends that Hong Kong courts should have jurisdiction where there is a nexus to Hong Kong (e.g., where the victim is from Hong Kong or where damages are incurred in Hong Kong). However, these provisions have never been brought into effect. Increase in limitation period The HKLRC is of the view that the current limitation period under s. 
26 of the Magistrates Ordinance (Cap. Cybersecurity Law, GDPR and Data Ethics Cloud Expo Asia, Hong Kong 2018 Hong Kong Convention and Exhibition Centre 16.05.2018 Stephen Kai-yi Wong, Barrister . In terms of the overall legislative framework, the government has indicated that in preparing for the impending cybersecurity legislation, it will refer to relevant legislation around the world and will focus on seven areas: These broad areas will likely translate into compliance obligations for CII operators under the cybersecurity legislation. Data processors (in that capacity) are subject to obligations by way of flow-down contractual or other means which a data user must adopt, e.g. This week the Cybercrime Subcommittee of the Law Reform Commission (LRC) in Hong Kong published a consultation paper on cybercrimes and related . Hong Kong was always meant to have a security law, but could never pass one because it was so unpopular. Local data protection laws and scope. Examples of CII include water, electricity, coal supply, communication networks, transport services and financial institutions. Under the New Cybercrime Offences, such a scam would constitute offences of illegal access to programs or data, illegal interception of computer data, and illegal interference of computer data. Several non-binding guidance notes from the PCPD recommend employee training, including the recommended Privacy Management Programme. 
The PCPD has issued Guidance on Collection and Use of Biometric Data, including several recommendations on how to handle and keep biometric data in compliance with the PDPO and DPPs (including, for example, to conduct a privacy impact assessment prior to collecting biometric data, to encrypt biometric data both at rest and in transit, and to restrict access to biometric data to authorised persons on a need-to-know basis). Directors' duties in the context of dividend declarations and repayment of shareholder loans. A data user's right to audit and inspect how the data processor handles and stores personal data. Anyone considering their rights and obligations under Hong Kong law should check the status of the proposed amendments. The local cybersecurity legislation may potentially adopt the concept of "critical information infrastructure operators" under the PRC's national Cybersecurity Law, who are subject to heightened security measures such as undergoing national security review when purchasing network products and services that may impact national security, and storing personal information and critical data within the territory. Authorities in Hong Kong are planning a new law regulating cybercrime, in a move that could lay the groundwork for China-style censorship of the city's internet. It passes a security assessment organized by the Cybersecurity Administration of China (CAC); . Such as in China the Cybersecurity Law of the People's Republic of China (the "Cybersecurity Law") was implemented on June 1, 2017, the Mandatory Data Breach Notification was approved in February, 2017 in Australia, . Although the Cybersecurity Law permits data cross-border transfers, these are only allowed in compliance with industry regulations and after an official assessment on security measures and formal approval have been completed. 
The Insurance Authority has also issued a Guideline on Cybersecurity, which outlines the minimum standards that authorised insurers are expected to meet in relation to the handling of personal data of existing or potential policyholders. Hong Kong Cyber Fraud First Response Portal. Under the DPPs, data users engaging a data processor (within or outside Hong Kong) must adopt contractual or other means to: The PCPD recommends incorporating additional contractual clauses in service contracts or entering into separate contracts with data processors, that could impose obligations such as keeping records and immediate reporting of any sign of abnormalities or security breaches. Hong Kong's outdated data privacy law puts it out of step with Beijing, experts say, as the mainland pushes to restrict cross-border data flows A new draft regulation has confirmed that some. Hong Kong's personal data protection law, which has not been significantly revised since its introduction in 1996, likely needs an update to be in line with the mainland's tougher standards. The law governs network security and cyberspace activities in the PRC. the PCPD, who carries out investigations upon data subjects' complaints on possible breaches of their rights in handling their personal data; or. Data protection authority The Office of the Privacy Commissioner for Personal Data www.pcpd.org.hk 3. The PCPD has issued an information leaflet on Online Behavioural Tracking which reiterates the need for organisations to comply with the requirements of the PDPO, including the DPPs, if their online tracking involves the collection of personal data. 13 These specific provisions relate to the Crimes Ordinance, the Telecommunications Ordinance and laws related to obscenity and child pornography. It requires network operators in the PRC to take appropriate measures to safeguard network security, prevent illegal activities, and maintain confidentiality of network data. 
Dynamic data inventory. The Content is not offered as legal or professional advice for any specific matter. A licensed or registered person may choose to notify the SFC of a breach voluntarily, particularly given the SFC's recent attention to cybersecurity in thematic reviews and regulatory audits. respect any user's wish not to be tracked or to offer users a way to opt out of the tracking (especially if this is conducted by third-parties) and inform them of the consequence of opting out. A data processor can also be a data user if it decides the purpose for and manner in which personal data is to be processed (rather than simply the technical methods by which a data user's instructions will be carried out). Increased maximum sentences The maximum sentence under most of the New Cybercrime Offences is 14 years, as opposed to the present range of two to 10 years' imprisonment for existing offences. The PCPD is considering with the HKSAR Government whether to introduce mandatory data breach notification obligations. The PCPD may conduct an investigation where it (i) receives a complaint on a possible breach of PDPO; or (ii) has reasonable grounds to believe that there may be a contravention of the PDPO (s.38 of the PDPO). However, the PCPD has published certain codes and guidelines regarding the collection and use of certain types of personal data which will require special attention (including Hong Kong identity cards, biometric data and consumer credit data see further question 7 below). Organizations and companies are facing a rising wave of cyberattacks, with CEO fraud and ransomware attacks being two of the most common types. The proposed reforms include: The PCPD has recently confirmed that it is considering further amendments to the PDPO with the HKSAR Government. A guide to Hong Kong's cybersecurity laws and practices. 
The PCPD's review of the PDPO includes the potential introduction of mandatory data breach notifications to both the PCPD and data subjects within a specified timeframe (still to be set). Hong Kong, found on the south coast of China, the country is one of the two Special Administrative Regions in the Republic of China. The exemptions applicable in each circumstance are different, and it is advisable to review the table published by the PCPD summarising the exemptions. Hong Kong does not have a stand-alone cybersecurity / cybercrime law. Generally, by the PCPD which exercises both investigative and enforcement powers. All summaries of the laws, regulations and practice are subject to change. If the data subject subsequently requires the data user to stop using his personal data for direct marketing purposes, the data user must immediately stop that use (s.35G of the PDPO). The Hong Kong Police Department maintains a resource page for 'Cybersecurity and Technology Crime', including a compendium of relevant legislation on computer crimes. The Amendment Ordinance provides for four statutory defences for the two-tier doxxing offences (see question 1 above) including: The PDPO does not impose data protection by design or data protection by default as requirements. Reproduction: Reproduction of reasonable portions of the Content is permitted provided that (i) such reproductions are made available free of charge and for non-commercial purposes, (ii) such reproductions are properly attributed to Baker McKenzie, (iii) the portion of the Content being reproduced is not altered or made available in a manner that modifies the Content or presents the Content being reproduced in a false light and (iv) notice is made to the disclaimers included on the Content. Authorities want to strengthen defences against similar incidents. This page is designed to assist you to locate circulars, FAQs and thematic reports published by Intermediaries Supervision. 
As companies pivot toward a digital business model, exponentially more data is generated and shared among organisations, partners and customers.