HK data privacy law needs to level up in big data era

He urged the government to put forth open data law. “What we need are the enactment of archival law, open information or freedom of information law, and open data law. Advanced countries should have all three.”

Data scientist and founder of data science consultancy Guy Freeman (pictured, left) noted data privacy is more crucial than ever in the era of big data and IoT, but he does not see a conflict between data sharing and privacy.

“I find the data privacy framework in Hong Kong is very reasonable and adequate right now,” he said. He explained that by getting opt-in from customers, an organization would be able to provide them with more services in those customers’ interests.

Insufficient open data

Apart from H3C, Mok and Freeman also said there is insufficient data for sharing. Mok criticized the government for its tardiness in opening up public data. “The government has little incentives to share [public data] because the bureaucrats still believe that the lesser the people know, the easier their jobs. Beyond government, it’s even worse in the private sector,” he said.

Agreed by the data scientist Freeman, he made a reference to the Open Data Index where Taiwan took top place, while Hong Kong only came 37th, one place below Albania in 2015.

“While there has been a start, Hong Kong is still behind the best-in-class when it comes to opening up data for sharing,” he noted. “The ideal is for all public data to be open, barring national security concerns. At the very least, the government should open up the Company Registry data.”

Comparative study on EU’s regulation

To keep abreast of the global data privacy developments, Wong disclosed the PCPD is undergoing a comparative study on the new European Union (EU)’s General Data Protection Regulation (GDPR) and Hong Kong’s PDPO. He said it is too early to draw any conclusion whether there will be any changes in the current data privacy framework in Hong Kong.

Under the GDPR, changes have been made to protect EU citizens’ data privacy and reshape the way organizations approach data privacy.

Meanwhile, when companies use or share personal data, PCPD encouraged them to embrace data privacy protection as part of their corporate governance responsibilities.

“Organizations engaging in big data analytics or personal data sharing should conduct a Privacy Impact Assessment (PIA) to assess the privacy risks involved and adopt measures to safeguard personal data,” said Wong.  

Data users are advised to use PIA before the launch of any new business initiative or project that might have significant impact on personal data privacy. PIA was undertaken for projects such as the electronic health data sharing program that involves the collection and sharing of health records of individuals.


Carol Ko contributed to this article.