Law Firms: Be Strategic In Your COVID-19 Guidance [GUIDANCE] On COVID-19 and Business Continuity Plans. Extra-Territorial Effect: For the first time, . This includes where a data user contravenes the requirements of an enforcement notice. You also have the option to opt-out of these cookies. We'll assume you're ok with this, but you can opt-out if you wish. Unauthorised access to a computer by telecommunication: Under section 27A of the Telecommunications Ordinance (Chapter 106 of the Laws of Hong Kong) it is an offence to use telecommunications1 to affect a computer to obtain unauthorised access to any program or data held in a computer. CEO fraud is a sophisticated email scam where the attacker sends out phishing/spoofing emails impersonating a company's CEO or some other executive to trick employees into transferring money or providing confidential company information. the Hong Kong police) of the payment in advance and obtains consent, or if the victim notifies an authorised officer as soon as it is reasonable to do so after making the payment. The PCPD has a range of formal investigative powers, including power to enter premises for investigation with a warrant or with prior written notice (s.42 of the PDPO) and to require production of documents for the purpose of an investigation (s.44 of the PDPO). Hong Kong Advertisement. Ransomware is a form of malware designed to deny an organization access to their files by encrypting such files and demanding a ransom payment to regain access. Doxxing is the act of publishing private or identifying information about an individual on the internet, typically for malicious purposes. 2. International Legal Framework for Cyber Security 2.1 Political Agendas and International Law Cyber security is now routinely cited and consistently placed on the top of political agendas. The PDPO contains specific provisions restricting cross-border transfers of personal data, but these have never been brought into force. The extent or timetable of further reforms is not yet publicly known. DPP6 also provides a data subject with the right to: Part 5 of the PDPO provides detailed provisions regarding the manner and timeframe for compliance with data access and correction requests. Part 6A of the PDPO requires that data users must obtain explicit informed consent of a data subject before using the data subjects personal data for direct marketing or transferring the data to a third party for direct marketing. There are no minimum contract terms, or standard contractual clauses, required for processors of personal data. This has highlighted the need for more robust, updated and comprehensive cyber legislation in Hong Kong. The introduction of the New Cybercrime Offences will provide the law enforcement agencies, and hence entities/individuals impacted by cybercrimes, with enhanced tools to pursue the perpetrators. The Cybersecurity Law of the People's Republic of China, ( Chinese: ) commonly referred to as the Chinese Cybersecurity Law, was enacted by the National People's Congress with the aim of increasing data protection, data localization, and cybersecurity ostensibly in the interest of national security. This has been exacerbated by the global pandemic, which has forced criminals online, with the number of cases in The PDPO does not use the definition data controller. Under the New Cybercrime Offences, ransomware would be considered an offence of making available or possessing a device or data for committing a crime. The rapid development in technology has brought about an increasing number of cyberattacks and cybercrimes in recent years, resulting in significant challenges for law enforcement and also to the cybersecurity of critical information infrastructures (CIIs). There is no definition of sensitive personal data under the PDPO, although the PCPD uses the term in its guidance. The past decade has seen a huge increase in the incidents of cyber crime in Hong Kong. As companies pivot toward a digital business model, exponentially more data is generated and shared among organisations, partners and customers. Hong Kong, found on the south coast of China, the country is one of the two Special Administrative Regions in the Republic of China. The PDPO adopts the key definitions personal data, data subject, data user (not data controller), and data processor: There is no concept of sensitive personal data under the PDPO and there are no additional restrictions specifically imposed with respect to sensitive personal data. Individual data privacy rights can be enforced by either: Yes. This has highlighted the need for more robust, updated and comprehensive cyber legislation in Hong Kong. Australia: Data Protection & Cyber Security Law, Brazil: Data Protection & Cyber Security Law, China: Data Protection & Cyber Security Law, Germany: Data Protection & Cyber Security Law, Greece: Data Protection & Cyber Security Law, India: Data Protection & Cyber Security Law, Ireland: Data Protection & Cyber Security Law, Italy: Data Protection & Cyber Security Law, Mexico: Data Protection & Cyber Security Law, Morocco: Data Protection & Cyber Security Law, Pakistan: Data Protection & Cyber Security Law, Portugal: Data Protection & Cyber Security Law, Romania: Data Protection & Cyber Security Law, Singapore: Data Protection & Cyber Security, South Korea: Data Protection & Cyber Security Law, Sweden: Data Protection & Cyber Security Law, Switzerland: Data Protection & Cyber Security Law, Thailand: Data Protection & Cyber Security Law, The Netherlands: Data Protection & Cyber Security, Turkey: Data Protection & Cyber Security Law, UAE: Data Protection & Cyber Security Law, United Kingdom: Data Protection & Cyber Security Law, United States: Data Protection & Cyber Security Law. If a website deploys third-party cookies, regardless of whether any personal data is involved, it should state clearly what kind of information the cookies collect, to whom the information may be transferred and for what purposes. No. It passes a security assessment organized by the Cybersecurity Administration of China (CAC); . collection of personal data when handling mobile phone service applications, maintenance of customers service accounts and relevant retention/change of customers personal data etc. The exemptions applicable in each circumstance are different, and it is advisable to review the table published by the PCPD summarising the exemptions. The DPPs also outline data subjects rights to access and make corrections to their personal data. This can prove difficult in practice since class actions are not permitted in Hong Kong and individual losses may not be sufficient to justify a data subject bringing a claim. Copyright 2022 Baker & McKenzie. Biometric data falls within the definition of personal data for the purposes of the PDPO, both in the form of physiological data with which individuals are born and behavioural data developed by an individual after birth. This relates to healthcare providers only. the offering, or advertising of the availability, of goods, facilities or services; or. It recommends that Hong Kong courts should have jurisdiction where there is a nexus to Hong Kong (e.g., where the victim is from Hong Kong or where damages are incurred in Hong Kong). A data user must comply with the data access or correction requests within 40 calendar days of receipt, and if the data user is unable to comply with the requests within this period, a written notice of the inability and reasons must be given to the data subject, and the data user must comply with the request as soon as practicable (ss.19 and 23 of the PDPO). Hong Kong has its own data protection rules which are not affected). The PCPD has also issued guidance on personal data collection and use in certain scenarios, including by employers, schools, in certain industries (such as mobile service operators, property management, banking and insurance), and for certain types of personal data (such as biometric data). Data processors are not directly regulated under the PDPO. The Hong Kong Police Department maintains a resource page for 'Cybersecurity and Technology Crime', including a compendium of relevant legislation on computer crimes. As noted in question 20 above, there are no restrictions on online tracking for advertising or marketing purposes. See further details on this below. This country-specific Q&A provides an overview of Data Protection & Cyber Security Law laws and regulations applicable in South Korea. In particular, the PDPO does not target other data-related cybercrimes, such as data theft and the theft of confidential information or trade secrets. Long before the Cybersecurity Law took effect, China had already made some efforts to strengthen information security. The Content is not offered as legal or professional advice for any specific matter. the PCPD, who carries out investigations upon data subjects complaints on possible breaches of their rights in handling their personal data; or. All summaries of the laws, regulations and practice are subject to change. China requires classification of data into general, important and core categories. Inform users of the types of information that are being tracked and whether any third party is tracking their behavioural information; Offer users a way to opt out of the tracking; and. CAC extends cybersecurity review to Hong Kong IPOs China is set to require PRC companies undergo a cybersecurity review before listing in Hong Kong on national security grounds. The PDPO does not require organisations to appoint a data protection officer or other similar officer, although the PCPD recommends that organisations implement a Privacy Management Programme including the appointment of a responsible person to oversee compliance with the PDPO. Baker McKenzie and the editors and the contributing authors do not guarantee the accuracy of the Content and expressly disclaim any and all liability to any person in respect of the consequences of anything done or permitted to be done or omitted to be done wholly or partly in reliance upon the whole or any part of the Content. Therefore, there is a risk that a ransom payment may be considered proceeds of an indictable offence if it was paid in the knowledge that it was a bribe paid to obtain a decryption key for the release of data. The nature of the data and the damage that could result from unauthorised or accidental access, processing, erasure, loss, or use; Any physical security measures available for the equipment storing personal data; Any measures for ensuring the integrity, discretion, and competence of those with access to the data; and. Examples of CII include water, electricity, coal supply, communication networks, transport services and financial institutions. This trend has been exacerbated. The proposal came a few days after the cybersecurity regulator launched reviews into the data collection practices of three Chinese tech companies that recently listed in the U.S.: Didi Chuxing,. The PCPD may also carry out proactive inspections of any personal data system for the purpose of making recommendations to a data user (s.36 of the PDPO). You can change your mind at any time by visiting our cookie policypage. The law governs network security and cyberspace activities in the PRC. Having secured a compliant Legislative Council (LegCo) via the rigged elections of December 19, 2021, China's central government will likely take additional steps in 2022 to ensure its complete control over Hong Kong. Hong Kong PDPO Compliance and Cybersecurity Read Time: 5 min. The details that will define the policy effect and direction of the proposed laws will be: the proposed scope of terms such as CII operators. However, for the offences of illegal interference of computer data and illegal interference of a computer system, where the act is so grave that it endangers the lives of others, a sentence of life imprisonment may be imposed. The Hong Kong national security law will have implications for privacy, cybersecurity, data, and trade issues. Organisations may need to appoint a DPO or representative under any other laws to which their activities may be subject (such as PRC law).
Filter Array Based On Another Array Python, What Is Biodiversity Class 7, Concrete House Construction Cost, Homemade Aloe Vera Face Wash For Daily Cleansing, Dominic Garcia Montrose Co, Solaredge Error Codes, Inflatable Travel Mattress Topper, Razer Tomahawk Atx Radiator Support,