Hong Kong’s GDPR pivot

January 24 2020 by Nick Ferguson

Insurers in Hong Kong could see a surge in the sale of cyber policies if the government goes through with proposed tougher penalties for data breaches.

Lawmakers in the city met this week to discuss changes to Hong Kong’s data privacy rules that could result in mandatory notification requirements and much bigger fines as part of a response to Cathay Pacific’s cyber breach in 2018 that led to the leak of personal data belonging to 9.4 million passengers — more than the total population of Hong Kong.

“Regulation is such a key driver behind the insurance side,” says Rory Young, a cyber and technology broker at Lockton in Hong Kong. “The mentality around insurance purchasing in Asia in general has always been: ‘If I don’t have to have it, then I won’t buy it.’ Obviously, the insurance is never going to be made mandatory, but once you’re dealing with costs around notifying, investigating and regulator engagement, then people start seeing value in the insurance side a lot more. I would predict an uptick for sure.”

The Cathay incident highlighted how little power regulators in the city have to hold companies to account for data leaks, particularly in the wake of much stricter new rules in the EU that led to British Airways being fined £183 million (US$240 million) for a 2018 breach that compromised the personal data of 500,000 customers.


Hong Kong legislators have looked at the EU’s General Data Protection Regulation (GDPR), as well as rules in other jurisdictions such as Australia, Canada and Singapore, to inform the proposed amendments, which would be a significant departure from its current regime.

“The privacy commissioner has historically encouraged improvement on operations and controls and investment in security, but there hasn’t been an onus on genuine protection of privacy,” says Young. “Now what we’re seeing is more of a focus on the data side. If you seem to be causing harm to individuals, there’s going to be tougher sanctions and you’re going to have to tell the regulator what’s going on — and that’s inherently going to drive better cyber security.”

Under Hong Kong’s current rules, a breach of the data protection principles can incur a maximum fine of HK$50,000 (US$6,410), but enforcement is extremely rare given there are no mandatory notification requirements and the regulator has no independent powers to investigate or impose fines.

Indeed, the government’s review of the data privacy ordinance states that the biggest fine for a convicted case of non-compliance with an enforcement notice was just HK$5,000.

“From a liability point of view it’s pretty laughable really,” says Young.

Under EU rules, the maximum fine is €20 million (US$22 million) or 4% of the company’s global turnover, whichever is higher, and Hong Kong is now considering similar turnover-based fines.

The new proposals could be enacted as soon as this year.

However, there is still plenty of opportunity for the proposals to be watered down.

“It’s not necessarily consistent with Hong Kong’s culture to impose large fines for breaches, so I’m not sure whether that will come through,” said a regulatory lawyer in Hong Kong. “But I would expect there to be quite a big push to introduce a mandatory disclosure regime.”

The increased cost of compliance associated with such a change will inevitably meet resistance from business leaders, but lawmakers are much more aware of the need to protect personal data than they were 10 years ago. Sales of smartphones and other internet-connected devices have grown exponentially, alongside the development of big data and artificial intelligence, which have all given rise to new concerns about the risks to individuals.

Depending on the level of opposition and the intensity of debate, the new proposals could be enacted as soon as this year, with a transition period of one or two years to give businesses time to prepare — and that will clearly drive interest in buying insurance.

On the other end of the spectrum, human rights groups argue that the proposals do not go far enough in adopting GDPR-style protections for individuals, particularly in light of the continuing protests in Hong Kong and fears around government surveillance tactics.

“The government’s current proposal is too narrow,” said Sophie Richardson, China director at Human Rights Watch, in a statement. “Hong Kong authorities should be using their relative freedoms to adopt the strongest data protection policies. A failure to seize this opportunity paves the way for serious erosion of privacy and rights.”

Such concerns are certainly justified, but any expectation that the rules will become even tougher is misplaced. Even so, if the rules encourage companies to take security more seriously and allow brokers to have more articulate conversations about cyber insurance, that will be a positive step forward.
