©2018-2019 by The GRC Institute - Governance, Risk & Compliance.  ABN: 42862119377

Mandatory Breach Reporting in Hong Kong?

January 30, 2019

 

After the Cathay Pacific breach last year, the Hong Kong privacy regulator, the Privacy Commissioner for Personal Data (PCPD), has committed to a compliance investigation into the airline.

 

Last year, it took the airline six months to own up to a breach that affected over 9 million customers.

 

However, in addition to the compliance investigation, there have also been calls for a mandatory breach reporting regime in Hong Kong.

 

Hong Kong Baptist University Lecturer Angus Young said that calls for a mandatory data regime predated the Cathay Pacific breach.

 

“The privacy commission did say themselves that because of the EU’s directives, you know, came into effect, they wondered also whether to consider following the EU’s model.”

 

He added that what the breach did do is act as a reminder to companies that there is an international dimension to compliance.

 

However, the uneven regulatory framework makes global compliance challenging.

 

Dr. Young warned against regulators just picking the highest standard so that they would comply with everything because the implementation and the cost of compliance will be costly and difficult.

 

“Even though privacy is highly valued, not every jurisdiction or country would treat privacy the same way. It is not just what the government, it is also the people who might not be so keen on having high levels of privacy for other various reasons.”

 

The other issue is that going for the highest-level privacy regulation might have an impact on foreign investment, which might challenge the country's free-market approach.

 

Dr. Young said that a clear direction around data protection will be the conversation shifting from just data protection to data security.
