ISE02/19-20

Subject:

constitutional affairs, data breach, personal data, privacy, notification system

• Advancement of technology has enabled governments and enterprises to collect and store huge amount of personal data in electronic format. This also increases the risks of data breaches caused by growing malicious hacks, and unintentional leaks caused by system flaws or human errors. Data breaches can expose data subject's sensitive personal information which may then be misused by criminals. It can also be costly to business, with the estimated average total cost per breach as high as US$3.9 million (HK$30.4 million) in 2018. In some overseas jurisdictions like Europe, the United States and Australia, a mandatory notification system of personal data breaches has become increasingly common.^{1Legend symbol denoting In the United States, the state of California was the first to implement such system in 2003. At present, all 50 states have enacted similar mandatory requirements. The Australian notification system came in force in February 2018 while the Canada's in November 2018. The United Kingdom also applies the General Personal Data Regulation ("GPDR") of the European Union ("EU") which has come into force since May 2018. Singapore is also moving towards mandatory notification while New Zealand is also expected to pass a bill in 2019 for the system.} Although the system could not eliminate these breaches, it is considered a vital part of an effective personal data protection regime.
• In Hong Kong, lawmakers have called for a review of the Personal Data (Privacy) Ordinance ("PDPO"), in particular if mandatory notification is necessary. In this regard, the Government has recently reported that it had commenced a review of PDPO on several fronts including studying the introduction of a mandatory notification mechanism.^{2Legend symbol denoting See Constitutional and Mainland Affairs Bureau (2019).} This issue of Essentials examines the data breach trend and the current voluntary notification system in Hong Kong. It will then study the recent experience of Australia in transitioning from voluntary to mandatory notification, and briefly evaluate the system's performance after more than a year of operation.

Personal data breach trends in Hong Kong

• Hong Kong is among the first in the region to put in place a personal data protection regime. It enacted PDPO in 1995 and established the Privacy Commissioner for Personal Data ("PCPD") in 1996. Over the years, the public focus of privacy protection had largely been on the collection and use of personal data, for example, unauthorized sale and use of personal data by entities holding such data. In recent years, there have been a string of high profile personal data breach cases amid a rising trend of cyber-attacks in Hong Kong.^{3Legend symbol denoting During 2009-2018, the number of security incidents reported to the Computer Emergency Response Team Coordination Centre under the Hong Kong Productivity Council has increased by 10 times to 10 081. A third of these incidents were related to malware. During the same period, the number of "technology crimes" such as e-banking fraud and identity theft recorded by the police also increased from 1 500 to 7 800 cases.} The focus has therefore increasingly tilted towards data security.^{4Legend symbol denoting See Wong, Stephen (2018).} This was partly reflected in the growing number of personal data breaches received by PCPD under its voluntary notification system.
• In 2012-2013, there were about 61 data breach notification reports received by PCPD, but the figure has almost doubled within six years to 116 cases in 2017-2018. Not only the number has increased, but also the scale of data breach has grown, as indicated by the number of people affected by such breaches. In 2012-2013, only a total of 17 000 people were affected, whereas 3.86 million people were affected in 2016-2017, mostly due to the case of the loss of computers containing information of about 3.78 million voters (Figure 1).
  
  
  Figure 1 - Number of data breaches reported under PCPD's voluntary notification system
  
  

  Year	Private entities	Public entities	Total	No. of affected
  2012-2013	29	32	61	17 000
  2013-2014	22	54	76	114 000
  2014-2015	25	42	67	77 000
  2015-2016	60	44	104	854 000
  2016-2017	51	37	88	3 860 000
  2017-2018	79	37	116	765 834

  Source: PCPD.


• In recent years, private entities have also overtaken public bodies and government agencies in voluntarily filing data breach to PCPD. However, public doubts over whether private entities have enough incentives to notify and do so in a timely manner still linger. For instance, a Hong Kong-based airline notified PCPD in October 2018 of a data breach affecting 9.4 million individuals, though the breach had been detected in March 2018. While there is no mandatory notification requirement, PCPD viewed that the airline could have notified after the "suspicious activity" was detected so as to allow the affected to take immediate protection measures.

Existing voluntary notification system

• The voluntary notification system was formally established in 2010 in response to a review of PDPO in 2009.^{5Legend symbol denoting Some entities including public bodies had been notifying PCPD of data breaches before the PDPO review in 2009. In 2010, PCPD reinforced the arrangement by issuing a guidance note and a template for notification. See PCPD (2010).} In that review, the Government and PCPD were divided over the need for a mandatory system. The Government eventually opted for a voluntary one so as to avoid causing "onerous burden" on the business community and allow time to assess the system's impacts.^{6Legend symbol denoting During the public consultation of the review, a majority of views supported a voluntary system for the following reasons: (a) a mandatory system was still at infant stage of development internationally at that time; (b) a mandatory approach may lead to over-notification and hence, notification fatigue; and (c) the lack of international standard on notification system may make multinational firms difficult to comply with. To take the lead, the Government has since 2008 required its departments to report breaches to PCPD "as soon as possible" and to affected individuals "as far as practicable".}
• Under the voluntary system, notification to PCPD, data subjects, law enforcement authorities or relevant regulators should be made when "real risk of harm is reasonably foreseeable in a data breach". To assist data controllers to notify, PCPD has issued a notification template and a guidance note containing a list of examples of harm such as personal safety threat. Yet to what extent they are considered meeting the threshold for notification would depend on the assessment by the data controllers. As to the notification timeframe, the note provides only that notification should be made "as soon as practicable after the detection of data breach." Yet it neither recommends a practicable timeframe nor a maximum allowable detection period.
• At a joint panel meeting on 14 November 2018, the Constitutional and Mainland Affairs Bureau updated that it was considering a mandatory notification regime but it also noted concerns over how data breach should be defined, the compliance capability and impacts on the operation costs of businesses. In September 2019, in its progress report on a motion on privacy to the Legislative Council, the Bureau agrees that introducing a mandatory notification mechanism could help strengthen the protection towards personal data. It has also highlighted a number of issues under considerations such as the notification threshold in terms of the type and scale of data leaked, and whether a notification timeframe should take into account assessment and investigation time.^{7Legend symbol denoting See Constitutional and Mainland Affairs Bureau (2019).}

Mandatory data breach notification in Australia

• Australia introduced a privacy protection regime in 1988 following the enactment of the Privacy Act (the "Act"). The existing mandatory data breach notification scheme ("DBNS") has only become a part of the Act requirements since 2017, replacing a voluntary system put in place since 2008. While it applies to all federal agencies and the private sector across the states and territories,^{8Legend symbol denoting The public sector agencies of states and territories in Australia are regulated by the respective local privacy laws. The Privacy Act also does not cover public universities and schools, and political parties as well.} the Act exempts small businesses with an annual turnover below A$3 million (HK$17.6 million)^{9Legend symbol denoting 9. The provisions of the Privacy Act were extended to cover the private sector in 2000. At that time, small businesses were excluded in order to gain widespread acceptance from the private sector, and to avoid additional compliance burdens on them. However, small businesses are still required to collect and retain customer, financial and transaction records under the Anti-Money Laundering and Counter Terrorism Financing Act 2006. See Australian Law Reform Commission (2008).} unless they are credit providers (e.g. banks), private health care service providers, credit reporting bodies and handlers of tax file numbers. In addition, similar to Hong Kong, the Act does not give power to the Office of Australian Information Commissioner ("OAIC") to prosecute and impose fines.

Development of the mandatory notification system

• DBNS was proposed by the Australian Law Reform Commission in 2008. However, the federal government claimed at that time that more consultation on the matter was required over the proposal. As an interim measure, it just put in place a voluntary scheme. Yet, increasing personal breach incidents exerted more pressure on the government to take the matter expeditiously,^{10Legend symbol denoting The federal government began to consult the public about a mandatory system in 2012, and conducted a targeted consultation in 2013 on the detailed legislative model.} amid concerns of the business sector over the threshold for triggering notification and cost of compliance. In 2016, the Privacy Amendment (Notifiable Data Breaches) Bill was introduced to the Parliament and passed in 2017. During the public consultations and bill scrutiny, the following arguments for a mandatory system were put forward:
  
  

  (a)	Under and delayed reporting: although the number of voluntary reported cases has kept rising in recent years,11Legend symbol denoting The number of voluntarily notified breaches went up from 44 in 2008-2009 to 107 in 2015-2016. there may be under-reporting as entities try to avoid possible damages resulting from making public data breach incidents. Moreover, some may also delay reporting or deliberately covering up incidents;12Legend symbol denoting In one case, a major retailer in Australia only notified its customers and OAIC in 2014 about a data breach involving two million customers' personal data and credit card information stolen by hackers in 2011.
  (b)	Earlier remedy by affected individuals: data subjects affected by a breach can take prompt remedial actions like cancelling a credit card or changing password to avoid or minimise damages if they are notified early enough;13Legend symbol denoting A government report released in 2014 also suggested a link between increasing identify theft and data breaches, while it was reported by IDCARE, an Australian organization providing identity and cyber security support services, that personal data had been found put on sale in illicit online marketplaces. It was also estimated that at least a third of compromised records were further misused.
  (c)	Improving compliance: under a mandatory system, an entity is likely to more carefully reconsider what personal information is necessary to collect and how long it should be retained; and
  (d)	Level playing field: mandatory approach will allow a level playing field for businesses, eliminating inconsistency in handling data breaches.

Key designs of the notification system in Australia

• Compared to other jurisdictions like California of the United States and Europe, the mandatory notification system in Australia appears to be a moderate one, with a perceived higher threshold for notification and more flexible notification timeframe that help strike a balance between the need for transparency and compliance burden of the data controllers.^{14Legend symbol denoting For example, the threshold of notification (to individuals) in California does not require "harm" to be triggered as a result of the data breach, but the notification requirement generally applies to unencrypted electronic data only. The EU threshold is broader that it includes risks of harm to individual rights and freedoms.} The key design elements of the Australian model are as follows:
  
  

  (a)	Notification threshold: only an eligible data breach has to be notified. An eligible breach must satisfy the following conditions:15Legend symbol denoting There are also exceptions to notify certain breaches even though the three conditions are met. These include whether a notification may prejudice law enforcement matters or violate "secrecy provisions" under other legislation. (i) there is unauthorized access to, disclosure or loss of personal information held by an entity; (ii) this is likely to result in serious harm to one or more individuals from the viewpoint of a reasonable person;16Legend symbol denoting The initial draft of the bill for consultation had used the threshold of "real risk of serious harm". Yet the term was regarded as vague by the business sector. It was then replaced by "likely to result in serious harm", a term that the authorities believed would be of higher threshold and could avoid narrow interpretation that could lead to notification fatigue and create resources issues for the regulator. and (iii) the entity has not been able to prevent the likely risk of serious harm. The law on notifiable data breaches does not define "serious harm" which, however, may include serious physical, psychological, emotional, financial, or reputational harm, as stated in the explanatory memorandum of the law. Entities suffering from such breaches are advised to evaluate the risks of serious harm "holistically", with references to considerations of relevant matters such as the type and sensitivity of data breached, whether the data is encrypted, the person who obtains the data, the nature of harm, etc.
  (b)	Notification timeframe: an entity has to notify within 30 days from becoming aware of the grounds for suspicion that an eligible breach has occurred to complete an assessment. It must act expeditiously to complete the assessment and then notify as soon as practicable.17Legend symbol denoting This timeframe is less stringent than EU's requirement to notify the supervisory authority after having become aware of the breach within 72 hours. If the assessment goes beyond 30 days, the entity must document all reasonable and expeditious measures that have been taken, and explain the delay. It may also ask the privacy watchdog for time extension.
  (c)	Notification options and contents: the Australian rules require notification of eligible data breach to both the Commissioner of Information and affected individuals, regardless the type and scale of data breached.18Legend symbol denoting This is different from the EU requirement that notification to the supervisory authority is required when the breach is likely to result in a risk to rights and freedoms, but notification to individuals is required only if such risk of harm is considered high. In doing so, a data controllers must prepare a statement for the Commissioner, providing information on the identity and contact details of the data controllers, a description of data breach, the kind(s) of information involved in the breach, and the recommended steps for affected individuals to take to mitigate the likely damages. Similar information should also be provided for individual notification. As far as notification to individuals is concerned, an entity can either notify all individuals or only those individuals at risk, depending on whether it can reasonably identify those particular individuals. The latter option can avoid unnecessary distress to individuals, limit possible notification fatigue among the public, and reduce administration costs. If both options are not practicable, the entity should publish a copy of the above-said statement on its website for a period no less than six months or take other reasonable steps to publish it prominently on its website, social media or print advertisement. There is no restriction on the method of notifications, as long as it is reasonable. The privacy law also empowers the Commissioner to direct any entity to notify individuals, in case if a data breach only comes to the attention of the Commissioner or if the entity disagrees with the Commissioner whether a notification is required.
  (d)	Offshore application: the mandatory scheme also applies to overseas activities conducted by entities with Australian links, i.e. organizations incorporated in Australia, organizations conducting business or collecting and holding personal information in Australia. For entities disclosing personal information to overseas recipients (e.g. data held by an offshore service provider), they are required to ensure that the recipient will comply with the Australian privacy principles of the Act when handling that information; and are generally required to hold responsible for complying with the mandatory notification requirements in the event of a data breach.
  (e)	Penalty for non-compliance: a failure by an entity to meet the mandatory notification requirements is regarded as an interference with the privacy of an individual, for which the Commissioner may also apply to court for a civil penalty order. Such penalty ranges from a maximum fine of A$360 000 (HK$2.1 million) for an individual or A$1.8 million (HK$10.5 million) for a corporate.19Legend symbol denoting This is contrasted to EU, where the privacy authority can impose an administrative fine of up to €10 million (HK92.5 million) or 2% of the annual turnover of a company for failing to notify.

Effectiveness and issues of concern of DBNS

• In the first year of operation from April 2018 to March 2019, OAIC received a total of 1 132 notifications which comprised 964 eligible data breaches and 168 voluntary notifications defined as breaches not deemed eligible data breaches under DBNS. While the business sector had challenged the need for a mandatory notification regime during consultation, the number of reported eligible breach was 712% above the pre-mandatory scheme level and significantly outnumbered the original estimate of 200%, possibly supporting the earlier suggestion that there had been under-reporting of personal data breaches. In the first year, no entity was fined for violating the notification requirements.
• The mandatory scheme has also helped fill the data gap in overall data breaches in Australia, offering valuable insights into the scale and nature of the problem. For example, it was found that 60% of breaches were caused by malicious attack, 35% by human error and 5% by system fault, with the finance and health sectors being the most affected sectors, though breaches by the former sector were more likely to be due to human error.
• About 83% of the qualified reported cases affected less than 1 000 people each. However, 25% just affected one individual. Moreover, the most common form of information breached was contact information like email address. Compared to other sensitive information like credit card information, loss of contact information may not result in immediate or financial harm. As such, OAIC recognizes that there are challenges to data controllers to determine if loss of personal information warrants a serious harm. Apart from these, there was also confusion in the year over who should be responsible to notify in multi-party breaches, i.e. entities holding personal information jointly. OAIC later issued a specific guidance to clarify the responsibility of notification and to avoid duplication of notification.^{20Legend symbol denoting For example, there was a data breach incident of an online recruitment system provider which provides services to many clients from different sectors across the world. The incident has created confusion over whether it should be the provider or its clients to notify local privacy watchdogs and affected individuals. Moreover, the breaching entity was obliged under the UK rules to report its suspected breach earlier than would have been the case in Australia, highlighting the need for a proper response plan in a multi-jurisdictional breach.} According to OAIC's suggestion, the entity with the most direct relationship with the individuals affected by the data breach should notify the regulator of the data breach.
• As to the timeframe of notification, it was found that it took an average of 28.25 days for an entity to notify following a breach detection, which was broadly consistent with the 30 days maximum assessment period allowed. As to compliance cost, OAIC does not hold any figures of it. Yet a global data breach study showed that notification cost accounted for as small as 5% of the total cost of a data breach, and the notification costs in Australia has been on a slightly declining trend between 2010 and 2017.^{21Legend symbol denoting See Ponemon Institute (2017).}
• Overall speaking, OAIC believed that the mandatory requirements have driven many data controllers to improve their practices such as by development and implementing data breach response plans, improving security and privacy standards, and adopting data minimisation policies to reduce overall exposure. However, since the Privacy Act excludes many small businesses, the overall effectiveness of the system may be discounted. Moreover, the legal sector in Australia has expected that DBNS will accelerate the development of class actions over data breaches, by providing an additional source of evidence for seeking remedies. This may give rise to the need for businesses to increase the related liability insurance.

Concluding remarks

• Personal data breach as a result of cyber-attack, system failure or human error has given rise to grave public concern over data security and brought challenges to organizations holding a vast amount of personal information. Hence, it has become an international trend to mandate notification of personal data breach so that the affected individuals can promptly take mitigation measures. It could also prompt data controllers to rethink their personal data management regime. In Hong Kong, the Government is examining the introduction of a mandatory notification mechanism to help strengthen the protection of personal data.
• Australia implemented the mandatory notification regime in 2018 in light of growing incidents of personal data breach under the voluntary notification scheme. Its model is seen to be of a higher threshold of notification and more flexible notification timeframe. Despite that, there was a marked increase in notifications, which has offered valuable insights into the contemporary data breach problems. Yet, the review of the first year of operation indicates that there remain concerns and challenges about the assessment of a notifiable data breach, the responsibility for notification, and the overall scheme coverage.

Prepared by CHEUNG Chi-fai
Research Office
Information Services Division
Legislative Council Secretariat
20 November 2019

Endnotes:

1.	In the United States, the state of California was the first to implement such system in 2003. At present, all 50 states have enacted similar mandatory requirements. The Australian notification system came in force in February 2018 while the Canada's in November 2018. The United Kingdom also applies the General Personal Data Regulation ("GPDR") of the European Union ("EU") which has come into force since May 2018. Singapore is also moving towards mandatory notification while New Zealand is also expected to pass a bill in 2019 for the system.
2.	See Constitutional and Mainland Affairs Bureau (2019).
3.	During 2009-2018, the number of security incidents reported to the Computer Emergency Response Team Coordination Centre under the Hong Kong Productivity Council has increased by 10 times to 10 081. A third of these incidents were related to malware. During the same period, the number of "technology crimes" such as e-banking fraud and identity theft recorded by the police also increased from 1 500 to 7 800 cases.
4.	See Wong, Stephen (2018).
5.	Some entities including public bodies had been notifying PCPD of data breaches before the PDPO review in 2009. In 2010, PCPD reinforced the arrangement by issuing a guidance note and a template for notification. See PCPD (2010).
6.	During the public consultation of the review, a majority of views supported a voluntary system for the following reasons: (a) a mandatory system was still at infant stage of development internationally at that time; (b) a mandatory approach may lead to over-notification and hence, notification fatigue; and (c) the lack of international standard on notification system may make multinational firms difficult to comply with. To take the lead, the Government has since 2008 required its departments to report breaches to PCPD "as soon as possible" and to affected individuals "as far as practicable".
7.	See Constitutional and Mainland Affairs Bureau (2019).
8.	The public sector agencies of states and territories in Australia are regulated by the respective local privacy laws. The Privacy Act also does not cover public universities and schools, and political parties as well.
9.	The provisions of the Privacy Act were extended to cover the private sector in 2000. At that time, small businesses were excluded in order to gain widespread acceptance from the private sector, and to avoid additional compliance burdens on them. However, small businesses are still required to collect and retain customer, financial and transaction records under the Anti-Money Laundering and Counter Terrorism Financing Act 2006. See Australian Law Reform Commission (2008).
10.	The federal government began to consult the public about a mandatory system in 2012, and conducted a targeted consultation in 2013 on the detailed legislative model.
11.	The number of voluntarily notified breaches went up from 44 in 2008-2009 to 107 in 2015-2016.
12.	In one case, a major retailer in Australia only notified its customers and OAIC in 2014 about a data breach involving two million customers' personal data and credit card information stolen by hackers in 2011.
13.	A government report released in 2014 also suggested a link between increasing identify theft and data breaches, while it was reported by IDCARE, an Australian organization providing identity and cyber security support services, that personal data had been found put on sale in illicit online marketplaces. It was also estimated that at least a third of compromised records were further misused.
14.	For example, the threshold of notification (to individuals) in California does not require "harm" to be triggered as a result of the data breach, but the notification requirement generally applies to unencrypted electronic data only. The EU threshold is broader that it includes risks of harm to individual rights and freedoms.
15.	There are also exceptions to notify certain breaches even though the three conditions are met. These include whether a notification may prejudice law enforcement matters or violate "secrecy provisions" under other legislation.
16.	The initial draft of the bill for consultation had used the threshold of "real risk of serious harm". Yet the term was regarded as vague by the business sector. It was then replaced by "likely to result in serious harm", a term that the authorities believed would be of higher threshold and could avoid narrow interpretation that could lead to notification fatigue and create resources issues for the regulator.
17.	This timeframe is less stringent than EU's requirement to notify the supervisory authority after having become aware of the breach within 72 hours.
18.	This is different from the EU requirement that notification to the supervisory authority is required when the breach is likely to result in a risk to rights and freedoms, but notification to individuals is required only if such risk of harm is considered high.
19.	This is contrasted to EU, where the privacy authority can impose an administrative fine of up to €10 million (HK92.5 million) or 2% of the annual turnover of a company for failing to notify.
20.	For example, there was a data breach incident of an online recruitment system provider which provides services to many clients from different sectors across the world. The incident has created confusion over whether it should be the provider or its clients to notify local privacy watchdogs and affected individuals. Moreover, the breaching entity was obliged under the UK rules to report its suspected breach earlier than would have been the case in Australia, highlighting the need for a proper response plan in a multi-jurisdictional breach.
21.	See Ponemon Institute (2017).

References:

Australia
1.	Attorney-General's Department. (2014) Identity crime and misuse in Australia Key findings from the National Identity Crime and Misuse Measurement Framework Pilot.
2.	Attorney-General's Department. (2016) Serious Data Breach Notification.
3.	Australian Law Reform Commission. (2008) For Your Information: Australian Privacy Law and Practice.
4.	IDCARE. (2016) Submission to the Serious Data Breach Notification Consultation.
5.	Office of the Australian Information Commissioner. (2019a) Notifiable Data Breach (NDB) Scheme.
6.	Office of the Australian Information Commissioner. (2019b) Website.
7.	Parliament of Australia. (2013) Joint Committee on Intelligence and Security inquiry report.
8.	Ponemon Institute. (2017) Cost of Data Breach Study: Australia.
9.	Norton Rose Fulbright. (2017) The end of a long road - Mandatory data breach notification becomes law.
Hong Kong
10.	Constitutional and Mainland Affairs Bureau. (2019) Motion on "Keeping up with Technological Development and Enhancing the Protection of People's Privacy" at the Legislative Council meeting of 22 May 2019 Progress Report.
11.	GovHK. (2018) LCQ2: Enhancing information security and the protection for privacy of personal data.
12.	GovHK. (2019) Government notes PCPD report on Cathay Pacific data breach incident.
13.	Minutes of Meeting of the Panel on Constitutional Affairs. (2019) 18 March. LC Paper No. CB(2)1703/18-19.
14.	PCPD. (2010) Media statement: Privacy Commissioner Publishes Guidance Note on Data Breach Handling and the Giving of Breach Notifications.
15.	PCPD. (2019) Data Breach Incident Investigation Report: Cathay Pacific Airways Limited and Hong Kong Dragon Airlines Limited.
16.	Report of the Bills Committee on Personal Data (Privacy) (Amendment) Bill 2011 of the Legislative Council. (2012) 30 May. LC Paper No. CB(2)2197/11-12.
17.	Wong, Stephen. (2018) Grooving Privacy Evolution with Law Reform and Data Ethics.
Others
18.	California Legislative Information. (2019) Civil Code Section 1798.29.
19.	EU GDPR.orgn. (2019) Website.
20.	ICO. (2019) GDPR One year on.
21.	Lexology. (2018) Dutch Authority fines Uber for violation data breach regulation.

---

^{Essentials are compiled for Members and Committees of the Legislative Council. They are not legal or other professional advice and shall not be relied on as such. Essentials are subject to copyright owned by The Legislative Council Commission (The Commission). The Commission permits accurate reproduction of Essentials for non-commercial use in a manner not adversely affecting the Legislative Council, provided that acknowledgement is made stating the Research Office of the Legislative Council Secretariat as the source and one copy of the reproduction is sent to the Legislative Council Library. The paper number of this issue of Essentials is ISE02/19-20.}