An Ideas-Based Online Magazine of the Global Network for Advanced Management

Data Privacy: The Hong Kong Approach

Earlier this year, the Cambridge Analytica scandal brought new scrutiny to the ways in which online companies make use of customer data; a few weeks later, the European Union's General Data Protection Regulation came into effect, creating new requirements for data protection and disclosure. Global Network Perspectives asked experts around the Global Network for Advanced Management how consumers, companies, and governments in their regions are responding.

Hui Kai Lung

In the wake of the Cambridge Analytica scandal with Facebook, companies are reviewing their privacy policies and making changes for consumers. What actions are businesses in your country or region taking in response to these leaks?

The development of privacy protection is ever increasing in Asia. Long before the Facebook-Cambridge Analytica scandal, the governments in various countries/regions have been strengthening their legal infrastructure in protecting individual privacy. For example, Hong Kong has established the Personal Data (Privacy) Ordinance in 1996, which carries a similar spirit as the OECD privacy guidelines and the European Union Data Protection Directive 1995. Singapore has enforced the Personal Data Protection Act in 2013 and a do-not-call Registry in 2014. The enforcement of these privacy laws has caused some firms to be sanctioned or, in the extreme cases, even expelled from the industry because of misuse of personal data. Therefore, many businesses in Asia Pacific have been aware of the importance of privacy protection and preventing data leakage. The Facebook-Cambridge Analytica scandal injects new momentum to this development.

How are rules and regulations in your country/region shaping the way companies handle the privacy of their consumers? 

In Hong Kong, the regulation leans more towards the European Union model, which essentially treats individual privacy as a basic right. This significantly affects firms’ degree of freedom in using consumer, employee, or other individual data. For example, the Privacy Commissioners in Hong Kong have taken actions against firms for misusing consumer data from loyalty reward programs and in direct marketing, extended storage of consumer bankruptcy records, unnecessary collection of employees’ biometric data, and aggregating and sharing consumers’ litigation profiles without consent. These incidents have caused local firms to be cautious in handling personal data. However, a serious limitation is geographical and political boundaries. The Hong Kong law largely applies to firms located or having primary businesses conducted in Hong Kong. This means that foreign firms need not be affected by these regulations.

What might be some best practices for companies when developing these policies? What should consumers look out for in advance? 

My advice for companies is two-fold. First, they need to know the spirit of the privacy regulation and truly respect what consumers are concerned about. Often this requires the firms to go beyond the literal principles or legal statements. Instead, they need to design and conduct their business processes with the full consideration of the impacts and implications on individual privacy (the so-called “privacy by design”). Second, they should do their “due diligence” in checking and verifying the data practices within all business units, products, and processes. At this point it is unclear what had actually happened in the Cambridge Analytica incident, but apparently a user of the Facebook platform exploited a loophole in the platform’s design, which allowed Cambridge Analytica to exploit the illicitly-collected consumer data. Assuming the loophole was not a deliberate omission, Facebook should have been more careful in designing the data access policies on its platform.

Perspectives Topics