CMS Expert Guide: Data Law Navigator

Data protection

1. Local data protection laws and scope

The Personal Data (Privacy) Ordinance (Cap. 486) (the "PDPO") is a comprehensive set of laws that is technology-neutral and provides a set of Data Protection Principles outlining how data users should collect, handle and use personal data.

  • General Data Protection Regulation ("GDPR") (Algemene Verordening Gegevensbescherming)
  • The Dutch GDPR Implementation Act ("DGIA") (Uitvoeringswet Algemene verordening gegevensbescherming)
  • Dutch Telecommunications Act ("TA") (Telecommunicatiewet)

The DGIA implements the GDPR. The DGIA includes, for example, exceptions for the processing of special categories of personal data and data relating to criminal law matters, and exceptions to the data subject's rights and the controller's obligations.

The TA implements EU ePrivacy Directive 2002/58/EC and also includes provisions on unsolicited electronic communications and the use of cookies (and similar techniques). The TA also imposes several requirements on providers of public electronic communications networks and publicly available electronic communication services with regard to the processing of personal data.

2. Data protection authority

The Office of the Privacy Commissioner for Personal Data www.pcpd.org.hk

3. Anticipated changes to local laws

The legislation is due for amendment since its last substantive amendment in 2012.

The Constitutional and Mainland Affairs Bureau released LC Paper No. CB(2) 512/19-20(03), a discussion paper seeking the views of the Legislative Council's Panel on Constitutional Affairs (the Panel) on proposed changes to the Personal Data (Privacy) Ordinance (Cap. 486). The proposed changes follow proposals by the Privacy Commissioner for Personal Data, and include six proposed amendments:

  • Inclusion of a Mandatory Data Breach Notification Mechanism;
  • Requirement for a retention policy and a specified Data Retention Period;
  • Provision of Sanctioning Powers to the PCPD to impose administrative fines and raise relevant criminal fine levels;
  • Regulation of Data Processors;
  • Amending the Definition of Personal Data to cover information relating to an "identifiable" natural person;
  • Regulation of Disclosure of Personal Data of Other Data Subjects to curb doxing.

The Collective Act Data Protection (Verzamelwet Gegevensbescherming) amends the DGIA and other laws related to data protection (such as article 3:17 of the Financial Supervision Act) on various topics and is currently in the preparatory phase.

4. Sanctions & non-compliance

Administrative sanctions:

N/A

Criminal sanctions:

A summary of various offences and penalties under the Ordinance can be found at: https://www.pcpd.org.hk/misc/files/table2_e.pdf

Others:

N/A

Administrative sanctions:

Financial penalties are the primary sanction against the controller and the processor, that is, against the company.

  • Up to EUR 10m or up to 2% of the undertaking’s total annual worldwide turnover in the preceding financial year; or
  • Up to EUR 20m or up to 4% of the undertaking's total annual worldwide turnover in the preceding financial year.

Criminal sanctions:

N/A

Others:

  • Order for incremental penalty payments;
  • Processing prohibition;
  • Reprimand;
  • Warning.

Please find an overview of the fines and sanctions imposed by the Dutch Data Protection Authority here.

5. Registration / notification / authorisation

There is no requirement for notification/registration/authorisation for processing personal data (i.e. no mechanism similar to the UK's notification to process personal data, see www.gov.uk).

Formally appointed data protection officers must be registered with the Dutch Data Protection Authority (here).

6. Main obligations and processing requirements

Data users shall comply with the six principles set out in Schedule 1 to the Ordinance:

  • personal data shall only be collected for a lawful purpose directly related to a function or activity of the data user. The data collected should be necessary and adequate but not excessive for such purpose. The means of collection should be lawful and fair;
  • data users are required to take all practicable steps to ensure that personal data is accurate and not kept longer than is necessary for the fulfilment of the purpose for which the data is used. If data users engage a data processor to handle the personal data of other persons, data users should adopt contractual or other means to ensure that the data processor complies with the above retention requirement;
  • data users shall not use personal data for any new purpose which is not, or is unrelated to, the original purpose for which the data was collected, unless with the data subject's express and voluntary consent;
  • data users shall take all practicable steps to protect the personal data they hold against unauthorised or accidental access, processing, erasure, loss or use;
  • data users are required to take all practicable steps to ensure openness of their personal data policies and practices, the kind of personal data held and the main purposes for holding it; and
  • data users shall provide data subjects with the right to request access to and correction of their own personal data.

There are no substantive derogations from the GDPR.

7. Data subject rights

Data subjects are given the right to access and correct their data.

There are no substantive derogations from the GDPR.

8. Processing by third parties

There is no direct regulation of data processors. However, data users are required to adopt contractual means to ensure that data processors or sub-contractors adopt measures to ensure the safety of personal data.

There are no substantive derogations from the GDPR.

9. Transfers out of country

A data user shall not transfer personal data outside Hong Kong unless one of the following conditions is met:

  • the place is specified by the Commissioner by notice in the Gazette as having in force a law which is substantially similar to, or serves the same purposes as, the Ordinance (no place has satisfied this condition to date);
  • the data user has reasonable grounds for believing that there is in force in that place a law which is substantially similar to, or serves the same purposes as, the Ordinance;
  • the data subject has consented in writing to the transfer;
  • the data user has reasonable grounds for believing that the transfer is for the avoidance or mitigation of adverse action against the data subject; it is not practicable to obtain the consent in writing of the data subject to that transfer; but if it were practicable, such consent would be given;
  • the data is exempt from Data Protection Principle 3 by virtue of an exemption under Part VIII of the Ordinance (such as personal data held for news activities, for domestic use, for the purpose of prevention of crime, etc.); or
  • the data user has taken all reasonable precautions and exercised all due diligence to ensure that the data will not, in that place, be collected, held, processed or used in any manner which, if that place were Hong Kong, would be a contravention of a requirement under the Ordinance. Please note that use of the recommended model data transfer clauses to develop an enforceable data transfer contract is one method by which data users can satisfy this due diligence requirement.

There are no substantive derogations from the GDPR.

10. Data Protection Officer

N/A

There are no substantive derogations from the GDPR.

The DGIA provides that the data protection officer must maintain the secrecy of any information that becomes known to him or her pursuant to a complaint by or request from a data subject, unless the data subject agrees to disclosure.

11. Security

There is no mandatory requirement. However, it is required that a data subject is informed of the name or job title, and address, of the individual who is to handle the data access or correction request made to the data user.

There are no substantive derogations from the GDPR.

12. Breach notification

There is no mandatory requirement, but a data breach may amount to a contravention of Data Protection Principle 4(1) in Schedule 1 to the Ordinance.

The following action plan is recommended as practice to be adopted by data users:

  • immediate gathering of essential information relating to the breach;
  • contacting the interested parties and adopting measures to contain the breach;
  • assessing the risk of harm;
  • considering the giving of data breach notification: notifying the affected data subjects, the relevant parties, the law enforcement agencies, the Commissioner, relevant regulators and such other parties who may be able to take remedial actions as soon as practicable after the detection of the data breach. For notifying the Commissioner, a "Data Breach Notification Form" can be used.

The data breach notification obligation vis-à-vis data subjects does not apply to financial companies as referred to in the Financial Supervision Act (Wet op het Financieel Toezicht).

13. Direct marketing

The data user must:

  • inform the data subject (i) that the data user intends to so use the personal data; and (ii) that the data user may not so use the data unless the data user has received the data subject's consent to the intended use. This "consent" needs to be "an indication of no objection to the use or provision" and hence silence or lack of response will not be deemed to be consent;
  • provide the data subject with the following information in relation to the intended use: (i) the kinds of personal data to be used; and (ii) the classes of marketing subjects in relation to which the data is to be used. The description of such classes should be specific, making reference to the distinctive features of the goods, facilities or services so that it is practicable for the customers to ascertain the goods, facilities or services to be marketed with a reasonable degree of certainty; and
  • provide the data subject with a channel through which the data subject may, without charge by the data user, communicate the data subject's consent to the intended use. A data user can only elect a response channel that enables the data subject's consent to be made in writing.

In summary, as set out in article 11.7 of the Telecommunications Act:

  • By fax, e-mail and SMS: prior consent required (opt-in).
  • By means of telephone or other means: allowed unless someone opted out. Also, be aware of the existence of the "do not call me register" (Bel-me-niet Register) and the "mail filter" (Postfilter).
  • There are a number of specific exceptions to the requirement of consent:
    • If the user is a legal entity or a natural person acting in the exercise of its/his/her profession or business, no prior consent shall be required for the transmission by means of electronic mail of unsolicited communications for commercial, idealistic, or charitable purposes:
      • if the sender when transmitting the communication makes use of electronic contact details intended and provided by the user and said contact details have been used in accordance with the purposes attached to said contact details by the user; or
      • if the user is based outside the European Economic Area and the rules regarding the sending of unsolicited communications in the country concerned have been followed.
    • A party that has acquired electronic contact details for electronic messages in the context of the sale of its product or service may use said data to transmit communications for commercial, idealistic, or charitable purposes with regard to its own similar products or services if, when the contact details were acquired, the customer was clearly and explicitly given the opportunity to object, free of charge and in a simple manner, to the use of said electronic contact details and, if the customer did not avail himself of said opportunity, he is offered the opportunity during every instance of communication to object, on the same conditions, to the further use of his electronic contact data.

14. Cookies and adtech

There are no specific requirements in relation to the use of cookies.

However, the use of cookies to collect personal data needs to be in compliance with Data Protection Principle 1(3) in Schedule 1 to the Ordinance, which requires that:

  • the data subject is explicitly or implicitly informed, on or before collecting the data, of (i) whether it is obligatory or voluntary for him or her to supply the data; and (ii) where it is obligatory for him or her to supply the data, the consequences for him or her if he or she fails to supply the data; and
  • he or she is explicitly informed: (i) on or before collecting the data, of (A) the purpose (in general or specific terms) for which the data is to be used; and (B) the classes of persons to whom the data may be transferred; and (ii) on or before first use of the data for the purpose for which it was collected, of (A) his or her rights to request access to and to request the correction of the data; and (B) the name or job title, and address, of the individual who is to handle any such request made to the data user.

As set out in article 11.7a of the Telecommunications Act:

  • Using cookies or similar techniques is only allowed if the user has been provided with clear and complete information in accordance with the GDPR and has given consent for the action concerned. However, this rule does not apply if:
    • the cookie is used for the sole purpose of carrying out communications over an electronic communications network;
    • the cookie is strictly necessary to provide an information society service requested by the user; or
    • the cookie is used to obtain information about the quality or effectiveness of a service provided, on the condition that this has only limited impact on the user's privacy.

15. Risk scale

Moderate

Moderate

Cybersecurity

1. Local cybersecurity laws and scope

The most significant laws that cover cybersecurity matters include provisions under:

  • Crimes Ordinance (Cap. 200): (1) s.161 Access to computer with criminal or dishonest intent; and (2) s.60 Destroying or damaging property;
  • s.27A (unauthorised access to computer by telecommunications) under the Telecommunications Ordinance (Cap. 106);
  • Control of Obscene and Indecent Articles Ordinance (Cap. 390);
  • Prevention of Child Pornography Ordinance (Cap. 579); and
  • The Unsolicited Electronic Messages Ordinance (Cap. 593).

The Network and Information Systems Security Act ("NISSA", Wet beveiliging netwerk- en informatiesystemen), implementing NIS Directive (EU) 2016/1148.

2. Anticipated changes to local laws

There are no anticipated changes to local laws, although there has been more pressure to introduce laws against doxing.

There are no anticipated changes to local laws.

3. Application

It mainly criminalises conduct around unauthorised access to computers and the dissemination of obscene articles, child pornography and unsolicited electronic messages.

The NISSA applies to:

  • "digital service providers" (within the meaning of the NIS Directive) with a main establishment in the Netherlands, excluding small and micro enterprises; and
  • designated "vital operators" in the Netherlands, divided into:
    • "operators of essential services" (within the meaning of the NIS Directive); and
    • operators of other services of which the continuity is of vital importance for Dutch society.

The designation of vital operators can be found in the Network and Information Systems Security Decree ("NISSD", Besluit beveiliging netwerk- en informatiesystemen).

Digital service providers not established in the EU must appoint a representative that acts on their behalf. The representative may be addressed with regard to the NISSA-based obligations.

4. Authority

Information Commissioner’s Office www.ico.org.uk

The Cyber Security and Technology Crime Bureau (Hong Kong Police) https://www.police.gov.hk/ppp_en/04_crime_matters/tcd/tcd.html

The Communications Authority (for reporting spam) www.coms-auth.hk

The competent authority for digital service providers is the Minister of Economic Affairs and Climate (Minister van Economische Zaken en Klimaat). The Radiocommunications Agency Netherlands (Agentschap Telecom, part of the Ministry of Economic Affairs and Climate) acts as supervisor.

With regard to energy and digital infrastructure, the competent authority is the Minister of Economic Affairs and Climate. The Radiocommunications Agency Netherlands acts as supervisor.

With regard to (i) transport and (ii) the supply and distribution of drinking water, the competent authority is the Minister of Infrastructure and Water Management (Minister van Infrastructuur en Waterstaat). The Human Environment and Transport Inspectorate (Inspectie Leefomgeving en Transport) acts as supervisor.

For banking and financial infrastructure, the competent and supervising authority is the Dutch Central Bank (De Nederlandsche Bank).

For the health sector, the competent authority is the Minister for Healthcare. The Health and Youth Care Inspectorate (Inspectie Gezondheidszorg en Jeugd) acts as supervisor.

5. Key obligations

N/A – There is no prescribed obligation imposed on cyber users or operators to adopt security measures, except those involving the handling of personal data as specified in the Personal Data (Privacy) Ordinance (Cap. 486) (the "Ordinance").

NISSA (note: some specific financial institutions designated by the Dutch Central Bank are exempted from part of the obligations referred to in this section):

  • Digital service providers and operators of essential services must implement appropriate and proportionate technical and organisational measures to manage the risks posed to the security of their network and information systems and the possible impacts of security incidents. They must also implement appropriate measures to prevent and mitigate the impact of such security incidents;
  • Designated vital operators must notify the National Cyber Security Centre ("NCSC", part of the Ministry of Security and Justice, acting as Computer Security Incident Response Team ("CSIRT")) of:
    • (i) any incident with a significant impact on the continuity of the essential services;
    • (ii) any security incident in their network and information systems which may have serious adverse effects on the continuity of their service;
  • If an operator of an essential service uses a digital service provider, an incident at such digital service provider must be notified by such operator to the competent authority for the sector of such operator if the incident has a significant impact on the continuity of the service;
  • Digital service providers must notify the Minister of Economic Affairs and Climate (as competent CSIRT) and the Radiocommunications Agency Netherlands (as competent authority) of any incident that may have serious adverse effects on the provision of their services.

6. Sanctions & non-compliance

Administrative sanctions:

N/A

Criminal sanctions:

Hong Kong Police will enforce the provisions of the relevant Ordinances. Penalties will range from a level 4 fine (HKD 25,000) to imprisonment for five years.

Others:

N/A

Administrative sanctions:

  • The competent authorities have several kinds of general investigative powers.
  • Fines can be imposed with a maximum of EUR 1m or EUR 5m depending on the violation.

NISSA-based supervision and enforcement only applies to operators of essential services and digital service providers (e.g. operators of other services of which the continuity is of vital importance for Dutch society are not included).

7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?

No

Yes. NCSC is the CSIRT for vital operators. NCSC is also the Point of Contact responsible for coordinating issues related to the security of network and information systems and cross-border cooperation at the EU level.

The Dutch Ministry of Economic Affairs is the CSIRT for digital services.

8. National cybersecurity incident management structure

N/A

During a cyber crisis, the National Manual on Decision-making in Crisis Situation is applied (hyperlink included below). NCSC plays a key role in such cyber crises.

The National Digital Crisis Plan (hyperlink included below) is a cyber-specific elaboration of the National Manual on Decision-making in Crisis Situation.

9. Other cybersecurity initiatives

  • The Hong Kong Monetary Authority has issued various non-binding cybersecurity guidelines for authorised institutions, such as the Cyber Resilience Assessment Framework and cybersecurity guidelines with respect to the use of stored value facilities, e-banking systems and artificial intelligence.
  • The Securities and Futures Commission has published guidelines and circulars such as the Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading and specific guidelines in relation to the use of external electronic data storage.
  • The Insurance Authority has issued the Guideline on Cybersecurity, laying down the minimum cybersecurity standards that authorised insurers must observe.
  • The Commissioner for the Electronic Health Record has issued codes of practice regarding the use of the electronic health record sharing system by healthcare providers to access and share patients' electronic health records.
  • The Office of the Government Chief Information Officer has issued guidelines on cybersecurity controls and measures applicable to various government offices and departments.

N/A

Jonathan Chu
Partner
Hong Kong (CMS CMNO - Lau, Horton & Wise LLP)
Erik Jonkman
Advocaat
Amsterdam
Sanne Knopper