That said, section 25A OSCO provides a defence to a prosecution under s.25 OSCO if the victim notifies an authorised officer (i.e. A data processor can make technical decisions on how to implement a data user's instructions regarding personal data, but cannot make any substantive decision without becoming a data user. DPP3 prohibits the use of personal data for any new purpose which is not the original purpose for which the data was collected (or a directly related purpose), except where the data subject's express and voluntary consent has been obtained. The HKSAR government's proposal to enact new cybersecurity legislation and the Consultation Paper's five new proposed cybercrime offences ("New Cybercrime Offences") signify a shift towards a strategy of enhanced protection from both criminal and regulatory perspectives. Authorities in Hong Kong are planning a new law regulating cybercrime, in a move that could lay the groundwork for China-style censorship of the city's internet. Further details on the proposed cyber legislation are provided below. A data user must comply with a data access or correction request within 40 calendar days of receipt; if the data user is unable to comply within this period, it must give the data subject written notice of the inability and the reasons for it, and must then comply with the request as soon as practicable (ss.19 and 23 of the PDPO). If the PCPD finds a breach of the PDPO after conducting an investigation, it may issue a written enforcement notice requiring the data user to take remedial or preventive steps (s.50 of the PDPO). where the disclosure was required or authorised by law or a court order.
The SFC's Code of Conduct for Persons Licensed by and Registered with the Securities and Futures Commission (last updated in December 2020) contains specific provisions relating to information security, including section 12.5 (requiring a licensed or registered person to report to the SFC immediately upon any material failure, error or defect in the operation or functioning of its trading, accounting, clearing or settlement systems or equipment) and section 18.5 (requiring a licensed or registered person to ensure the integrity and security of any electronic trading system it uses or provides to clients). Please provide an overview of the legal and regulatory framework governing data protection and privacy in your jurisdiction (e.g., a summary of the key laws, who is . A data processor can also be a data user if it decides the purpose for which, and the manner in which, personal data is to be processed (rather than simply the technical methods by which a data user's instructions will be carried out). The PDPO adopts the key definitions "personal data", "data subject", "data user" (not "data controller") and "data processor". There is no concept of sensitive personal data under the PDPO, and no additional restrictions are imposed specifically on sensitive personal data. In Complaint No. 25/1999, a hospital was found to have breached DPP1(3) by failing to take all reasonably practicable steps to bring the PICS to the attention of its private patients (the PCPD finding that a notice displayed in the waiting room was not prominent enough). (i) The China Cyber Security Law. The PDPO therefore adopts an initial implied consent approach.
As noted in question 1 above, the PCPD is currently considering a prescribed data retention period and a requirement for data users to have a data retention policy (likely to be supplemented by templates and guidelines published by the PCPD). Under the New Cybercrime Offences, such a scam would constitute the offences of illegal access to programs or data, illegal interception of computer data and illegal interference with computer data. 2. International Legal Framework for Cyber Security. 2.1 Political Agendas and International Law. Cyber security is now routinely cited and consistently placed at the top of political agendas. Selina has studied investigative reporting at the Columbia Journalism School. An officer authorised by the PCPD may, without warrant and with the use of reasonable force, stop, search and arrest any person whom the officer reasonably suspects to have committed a doxxing-related offence under the PDPO. The law governs network security and cyberspace activities in the PRC. The move was announced on Wednesday during Chief Executive Carrie Lam's last policy address of her current term, confirming earlier media reports. This relates to healthcare providers only. the purposes for which the personal data will be used; whether supplying the personal data is obligatory or voluntary, and the consequences of failing to supply obligatory information; the classes of persons to whom the personal data may be transferred or disclosed; if applicable, information about the use and/or provision of personal data for direct marketing; and. In addition to the general personal data protection framework under the PDPO, some industry regulators impose sector-specific personal data protection requirements (see question 28 below). Almost inevitably, your organisation will experience a cybersecurity incident, and with the threat environment evolving daily, you cannot be too prepared for the aftermath.
Whilst these Guidelines do not have the force of law, they are taken into account by the Insurance Authority when considering the fitness and properness of the directors or controllers of the authorised insurers to which the Guidelines apply, and non-compliance may affect that assessment. The details that will define the policy effect and direction of the proposed laws will be: the proposed scope of terms such as "CII operators". By way of background, China's Cybersecurity Law for the first time introduced a cybersecurity review requirement for critical information infrastructure operators' (the "CIIO") purchases of network products and services that may affect national security. The PCPD has issued Guidance on Collection and Use of Biometric Data, with several recommendations on how to handle and keep biometric data in compliance with the PDPO and the DPPs (including, for example, conducting a privacy impact assessment prior to collecting biometric data, encrypting biometric data both at rest and in transit, and restricting access to biometric data to authorised persons on a need-to-know basis). Further information on health data is set out at question 28 below. There is no legal requirement under the PDPO to report security breaches to the PCPD. Several revisions in China's updated Cybersecurity Review Measures, in effect from February 15, 2022, focus on risks associated with data processing activities and the data security risks arising from Chinese entities listing overseas. There is no mandatory obligation in the PDPO for data users and data processors to keep records of their processing activities. The scammer would then gain access to the CEO's or the executive's email account, send emails to employees requesting money, and then insert themselves into the payment flow to intercept payments made by the employees. We are expecting further updates and guidance on cybersecurity and cybercrime legislation.
The data subject should be informed of this right on the first occasion that the data user contacts the data subject for direct marketing purposes (s.35F of the PDPO). Yes. The Hong Kong national security law, officially the Law of the People's Republic of China on Safeguarding National Security in the Hong Kong Special Administrative Region (HKSAR), [1] is a piece of national security legislation concerning Hong Kong. Using personal data for direct marketing purposes. She also covered the Umbrella Movement for AP and reported for a newspaper in France. The National Cyber Security Committee ("NCSC") comprises the Prime Minister of Thailand as chairman, together with directors from the government and the private sector drawn from fields relevant to cybersecurity such as engineering, law and information technology. Personal data should be processed securely, kept only for as long as necessary, and used only for the original collection purpose or a directly related purpose. Organisations should inform users of the nature of such third parties, the purpose and means of collection, the retention period and whether the information collected would be further transferred to other parties by the third party; and. It will consider similar legislation elsewhere, such as in mainland China, which implemented cybersecurity laws in 2017, and Macau, which brought in a law in 2019. (approximately US$1,300 to US$1.3 million) and/or imprisonment for up to 6 months to 5 years. The PCPD may conduct an investigation where it (i) receives a complaint about a possible breach of the PDPO; or (ii) has reasonable grounds to believe that there may be a contravention of the PDPO (s.38 of the PDPO).
This note provides an overview of the legal framework in Hong Kong as it relates to cybersecurity and cyber crime, focusing on what organisations can and must do to protect individuals' data from attempted breaches, as well as the laws that criminals break in carrying out their attacks. If the data subject is a child and their consent is required for the collection of personal data, a parent or guardian may give the prescribed consent. While Hong Kong has yet to enact specific legislation on cybercrime or cybersecurity, this will soon change with the announcement of the proposal to enact a new cybersecurity law during the Chief Executive's 2021 Policy Address ("2021 Policy Address") and the issuance of a consultation paper on "Cyber-dependent crimes and jurisdictional issues" ("Consultation Paper") by the Hong Kong Law Reform Commission (HKLRC). As the organisation engages the third party to collect or track user behaviour, it is the organisation's responsibility to understand from the third party what information is being collected and the means by which it is collected. The past decade has seen a huge increase in the incidence of cyber crime in Hong Kong. Hong Kong's personal data protection law, which has not been significantly revised since its introduction in 1996, likely needs an update to be in line with the mainland's tougher standards. to prevent any personal data being kept longer than is necessary for processing (DPP2(3)) and to prevent unauthorised or accidental access, processing, erasure, loss or use of the data (DPP4(2)). Cybersecurity. However, if there is a relationship of reward linking the payment and the commission of the offence, the payment may qualify under OSCO. See question 28 above.
Part 8 of the PDPO exempts personal data held in specified circumstances from certain DPPs and provisions of the PDPO, including (but not limited to): These exemptions operate as a defence for data users that fail to comply with the exempted requirements under the PDPO. The PCPD may also carry out proactive inspections of any personal data system for the purpose of making recommendations to a data user (s.36 of the PDPO). So this is about China stepping in to ensure the city has a legal framework to deal. The PCPD has issued non-mandatory Guidelines on Outsourcing the Processing of Personal Data to Data Processors. DPP4 requires data users to take all practicable steps to protect personal data from unauthorised or accidental access, processing, erasure, loss or use. However, for the offences of illegal interference with computer data and illegal interference with a computer system, where the act is so grave that it endangers the lives of others, a sentence of life imprisonment may be imposed. the PCPD is of the opinion that an investigation is unnecessary. The Personal Data (Privacy) Ordinance (Cap. Reach out for general data protection regulation (GDPR) compliance, China cybersecurity law, security breach, data security and privacy, and penetration testing. CEO fraud is a sophisticated email scam in which the attacker sends phishing or spoofed emails impersonating a company's CEO or another executive to trick employees into transferring money or disclosing confidential company information. This has been exacerbated by the global pandemic, which has forced criminals online, with the number of cases in 2020 representing a 55% increase on the 2019 figure alone. The maximum penalty for an offence under the PDPO is a fine of HK$1 million and imprisonment for 5 years (depending on the provision breached).
The Hong Kong Monetary Authority (HKMA) has issued several Circulars on technology risk management, providing guidance and reminders on the technological security requirements and controls to be observed by authorised financial institutions. This country-specific Q&A provides an overview of the Data Protection & Cyber Security laws and regulations applicable in Hong Kong. There are certain legislative provisions relating to cyber crimes - including within the Crimes Ordinance, the. The PDPO contains specific provisions restricting cross-border transfers of personal data, but these have never been brought into force. There are also sector-specific guidelines, such as the Guideline on Medical Insurance Business, which advises that authorised insurers and licensed insurance intermediaries should at all times exercise due care and diligence in collecting, handling, storing, using, transferring and erasing customers' personal data, and comply with the PDPO and its guidance. The PCPD encourages businesses to adopt data protection by design and has developed (jointly with the Singapore Personal Data Protection Commission) a Guide to Data Protection By Design for ICT systems. For example, in the collection of customers' medical data and PII, and in the engagement of private investigators in insurance claims. If personal data of website users is being collected, a PICS must be provided to data subjects (as required under DPP1(3)). However, the PCPD has published certain codes and guidelines on the collection and use of particular types of personal data that require special attention (including Hong Kong identity cards, biometric data and consumer credit data; see further question 7 below).