New legislative proposals on data protection law in Hong Kong and Singapore: bringing the legal regime in line with best practices

With increasing public concern over data protection issues, a bill imposing more stringent rules on the use of personal data is being considered by the Legislative Council in Hong Kong. Meanwhile over in Singapore, a consultation paper on the introduction of a general personal data regulatory regime in Singapore was also recently issued in September 2011, highlighting the growing awareness of the APAC region of data protection issues.  Michelle Chan and Clarice Yue provide an overview of the key proposals.

Hong Kong

The Personal Data (Privacy)(Amendment) Bill 2011 (the "Bill") was introduced to the Legislative Council on 13 July 2011. The Bill aims to address the increasing public concern over the misuse of personal data in Hong Kong and proposes the following:

Direct marketing: This concerns situations whereby companies have mass transferred personal data to others without the customer's consent or the customer's knowledge of the purpose of the transfer and the identity of the transferee.

 The Bill proposes to impose stricter requirements on data users to disclose and provide written information to the data subject on:

• what personal data is used;
• who the data will be provided to; and
• for what purposes the data is being transferred.

Data users are required to establish a facility whereby the data subject may easily object or consent to the transferral of his personal data within a 30-day time limit. If the data subject does not respond to the data user objecting to the use of his personal data, the data user may use this data for direct marketing purposes. A data subject can still object to such use subsequently by notifying the data user in writing, and the data user must then stop using his personal information and must also notify all transferees of the same. The penalty for contravention of this provision has been raised from a fine of HK$10,000 to HK$500,000 and imprisonment for three years.

Sale of personal data: This concerns personal data being sold by companies for gain in money or other property. In these circumstances, a data user will be bound by requirements similar to those proposed for direct marketing. Non-compliance will render the data user liable to a fine of HK$1 million and imprisonment for five years.

Disclosure of personal data obtained without the data user's consent: The Bill proposes to make it a criminal offence for anyone who obtains personal data from a data user without the data user's consent, and subsequently disclose the personal data with an intent to (i) gain in money or other property, (ii) cause loss in money or other property to the data subject, or (iii) cause psychological harm to the data subject. To reflect the gravity of the offence, the proposed penalty is a fine of HK$1 million and imprisonment for five years.

To give effect to the above proposals, the Bill also proposes that the Privacy Commissioner for Personal Data will be empowered to provide legal assistance to data subjects who suffer damages or losses to institute legal proceedings against the relevant data users.

Singapore

There is currently no general law or mandatory regime on data protection applicable to the private sector in Singapore apart from certain sector specific regulations. Unregulated sectors may voluntarily adopt the Model Data Protection Code for the Private Sector1(the "Model Code").

The Ministry of Information, Communications and the Arts of Singapore ("MICA") published a public consultation paper on 13 September 2011 proposing a general regulatory regime for the protection of personal data (the "DP Regime"). The proposed regime is largely based on the principles of the Model Code. The consultation intends to consult the public on the following key issues:

Scope: The DP Regime will apply to all private sector persons, companies, and other organisations in Singapore. It will also apply concurrently with existing sectoral regulations (which may be more stringent than the DP Regime). Organisations will be responsible for personal data under their custody or control no matter whether the collection and/or processing of personal data have been outsourced or not. Singapore-based organisations should ensure that appropriate measures have been taken to protect personal data transferred outside of Singapore.

Collection, use and retention of data: Organisations may only collect, use or disclose personal data with the individual's consent and for a reasonable cause. Consent may be:

(i) explicit;

(ii) implied (where the purpose of collecting the data is obvious); or

(iii) deemed (where obtaining prior consent would be impractical or contrary to public interest).

There are specific exemptions to the requirements for consent, e.g. where information is being gathered for research purposes or where information is being shared in the context of a due diligence exercise in a merger and acquisition transaction. Organisations will be under a further obligation to put in place reasonable security measures to prevent unauthorized access to personal data under its control.

Accountability and enforcement: Organisations will be required to designate individual(s) to be responsible for ensuring compliance with the DP Regime and addressing customers' questions about collection of personal data. The contact information of the designated individual(s) should be made known to customers. The Data Protection Commission has the power to issue rectification orders and/or financial penalties of up to SG$1 million. Organisations or individuals who knowingly or recklessly breach the terms of the DP Regime may be subject to criminal sanctions.

Extra-territorial effect: One of the outstanding issues is whether the DP Regime should extend to overseas organisations engaging in data collection/ processing in Singapore. MICA is concerned about the practical difficulties of conducting investigations and enforcing the DP Regime on organisations which do not have any presence in Singapore.

"Sunrise" period and transitional provisions: A "sunrise" period of 1-2 years has been proposed to allow organisations to gradually adjust their practice to comply with the DP Regime. Further, it has been proposed that consent will be deemed to have been obtained for personal data provided to organisations prior to the effective date of DP Regime.

1 Modeled on the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data ("OECD Guidelines").