The Personal Data (Privacy) (Amendment) Bill 2021 (“Bill”) has gone through the third reading and has been passed by the Legislative Council on 29 September 2021 with some changes discussed below. For a general overview of the contents of the Bill, please see our newsletter setting out the key provisions of the Bill here.
The only change that was proposed and implemented was in relation to the defence provisions in connection with a cessation notice. The proposed section 66O(2)(b)(iv) in the original Bill provided that it is a defence for a person charged with an offence under the proposed section 66O(1) (non-compliance with a cessation notice) to establish that it was not reasonable to expect the person to comply with the cessation notice because there was a risk of incurring a civil liability arising in contract, tort, equity or otherwise.
It was subsequently reported by the Bills Committee that such defence had not been adopted in other Hong Kong legislation, and accordingly, an amendment was proposed such that the defence mentioned above would be deleted and replaced with an immunity provision akin to those found under the Securities and Futures Ordinance or the Financial Reporting Council Ordinance where a person who complies with a cessation notice served on the person would not incur any civil liability, whether arising in contract, tort, equity or otherwise, to another person only because of that compliance. The rationale behind this amendment was to ensure on the one hand that cessation actions are taken swiftly without delay and, on the other hand, that recipients of cessation notices will be protected from potential civil liability arising from compliance with the cessation notice.
Other than the changes to the defence and immunity provisions above, the Bill was passed without any further amendments. That said, based on the report published by the Bills Committee, it is useful to note that while the Privacy Commissioner would have the power to serve cessation notices on overseas service providers which are able to take the cessation action in relation to a subject message, it was clarified that (a) the Privacy Commissioner will generally serve a cessation notice on the relevant individual or entity (such as the operator of an online platform operator) who is able to take cessation action; (b) a cessation notice will not be served on the individual employees of the Hong Kong subsidiary of a non-Hong Kong company if they are unable to take cessation action; and (c) in extreme cases, it may be possible to request an internet service provider to block access to the website concerned from Hong Kong.
With the passing of the Bill by the Legislative Council, the Bill is expected to be gazetted as official law on the 8th of October 2021 (Friday), and we expect further guidance from the Privacy Commissioner to be published to assist the public in understanding the amendments.