by Bryane Michael
Another extra-territorial law is coming to town: the GDPR – or General Data Protection Regulation from the European Union. The Regulation joins a bevy of laws from other countries that can get you in trouble right here in Hong Kong.
Before, all you had to do was pay a bribe, manipulate securities markets or set up an international cartel before US federal prosecutors came to your front door. Yes, you read that correctly – US. Now the EU joins in with its own extra-territorial law – or law that covers activities in foreign jurisdictions… like Hong Kong.
Hong Kongers so far have had little to fear from exposing private information online. The government only carried out five prosecutions under the Personal Data (Privacy) Ordinance up to 2016 – for cases involving complaints here in Hong Kong. That number may increase dramatically if the Privacy Commission for Personal Data works with EU authorities by helping to collect fines imposed by EU authorities.
Worse yet, Hong Kong companies won’t be allowed to hold data from European companies unless Hong Kong gets “white listed.” And our companies cannot send data to the EU without adding wordage to contracts that the EU approves. Fines can range from HK$195 million to 4% of world-wide profits (depending on which value is higher).
While the general news media has ignored the GDPR, Hong Kong’s legal community has been abuzz with GDPR-related flutter. Businesses will need to appoint a data protection officer. Hong Kong-listed companies merely communicating in a European language online may be exposed to the wrath of privacy watchers.
Most of the time, the worst case scenario involves getting a letter from an EU privacy commissioner. Yet, when combined with other laws, Hong Kong’s listed companies working abroad may face lawsuits from basically anyone unhappy that a website shows or uses their information.
Until now, most Hong Kongers did not need to worry about the long arm of foreign law. Sure, China might have practised “extraordinary rendition” from time to time. Authorities in places like the UK can make public statements about the way Hong Kong’s judiciary should work. But extra-territorial law has typically been reserved for vexing international crimes.
The US has been busting Hong Kong linked companies for participating in corruption for a while now. In fact, the US has been engaged in so much extra-territorial crime-busting, that some, like the Japanese, call it excessive. Ironically, the EU has not made up its mind about whether to pursue laws most of us agree should apply across borders extra-territorially – like competition law. And suddenly comes the GDPR.
The GDPR represents something more important for Hong Kong than just more regulation. Most Hong Kong companies will, maybe after a couple of years, follow the GDPR, even though its is more stringent than the Data Protection Ordinance. And why not? Why risk it?
Most legal analysts think that other countries will follow the EU and basically copy the GDPR in their own law. China has its own Cybersecurity Law – and even more stringent Information Technology-Personal Information Security Specification — representing a regulatory race to the bottom. The Specification, in particular, requires all kinds of encryption and James Bond-style encoding of customers’ and others’ information.
The point is this. Even though Hong Kong supposedly writes its own laws, more and more of our law will come from abroad, either through extra-territorial enforcement or through our own companies’ market-driven desire to comply with the most stringent regulations around. While Hong Kong continues to work out its “One Country, Two Systems” formula toward 2047 – know that one of those systems may partly come entirely from outside China.
How can we talk about Hong Kong law, or self-determination, when so much law now comes from abroad? No jurisdiction has independence these days – leading to “many systems” in practice. Like the GDPR, it’s something none of us really talk about.