Hong Kong Student Law Gazette Fall 2014 Issue


INTERNATIONAL


Protecting Data in the Clouds

Quentin Wong

Introduction

On 1 September 2014, sensitive images of Hollywood celebrities stored on Apple’s iCloud service were leaked onto the Internet overnight. Although Apple denied there had been an intrusion into its systems, doubts remain over the security of files stored on cloud services. Incidents of this type are not unprecedented, and they bring to our attention a pressing issue: do current statutes provide a satisfactory regulatory framework for the protection of cloud data?

The Hong Kong Regime

In Hong Kong, data privacy issues are governed by the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO). It contains six Data Protection Principles (DPP), among which Principle 4 places a duty on any entity that stores client data to ‘take all practicable steps to ensure personal data… held by a data user [is] protected against unauthorized or accidental access.’ Any individual who suffers damage due to a violation of the DPP is entitled to claim compensation from the offending party under s.66 PDPO. Such complaints are filed with the Office of the Privacy Commissioner for Personal Data (the Commissioner), which will then instigate inspections and serve enforcement notices on the relevant parties.

Despite having in place an ordinance dedicated to the issue of data privacy, the current statutory framework is insufficient to effectively protect cloud data. First, the DPPs are expressed as statements of principle with no concrete legal definitions. It therefore becomes difficult to ascertain the exact circumstances under which liability would be imposed in cases of a cloud service provider’s negligence. Secondly, the deterrent effect of the PDPO is limited. The Commissioner refers cases to law enforcement only after non-compliance with its enforcement notices. Even in the case of a serious breach, the data provider is given a one-off chance to correct its mistakes in accordance with the enforcement notice. S.66 PDPO further allows the offending data provider to raise a defence in civil proceedings by proving that it has exercised due diligence in data protection. As a result, the plaintiff may have considerable difficulty in disproving that the data provider exercised the requisite standard of care, particularly because the relevant evidence is controlled by the data provider. The availability of this defence, and the difficulty of disproving it, further diminish the deterrent effect of the Ordinance against data providers.

Developments outside of Hong Kong

Recognising the need for reform, other jurisdictions have moved forward on both the preventive and deterrent fronts. Within the European Union, the General Data Protection Regulation, set to be adopted later this year, provides a set of regulations for the prevention of cloud data leakages. Among other mandates, it requires all companies with more than 250 employees to hire a data protection officer, whose sole role is to set up and comply with proper data protection procedures. On the deterrent front, common law jurisdictions, namely the UK and Australia, have considered attaching civil or criminal liability to negligence in handling private data.

Conclusion

The Hong Kong Law Reform Commission last visited the issue of data protection and privacy in 2004. Given the increasing volume of data uploaded onto cloud data providers by individuals and corporations, there is a real need to update and strengthen Hong Kong’s regime of recourse against data breaches. In light of the iCloud nude photo scandal, it is timely for the Commission to conduct a review and propose a combination of preventive and deterrent measures to safeguard data privacy.

HKSLG · FALL 2014 · ISSUE 5

