MANDATORY DATA BREACH NOTIFICATION: ITS ROLE IN PROTECTING PERSONAL DATA

Research output: Journal Publications and Reviews; RGC 21 - Publication in refereed journal; peer-review

Detail(s)

Original language: English
Pages (from-to): 87-112
Number of pages: 26
Journal / Publication: Journal of International and Comparative Law
Volume: 10
Issue number: 1
Publication status: Published - Jun 2023

Abstract

Data protection, an important aspect of the right to privacy, ensures that information about people is used fairly and properly. Among the regulatory measures that have been adopted to safeguard personal data is the requirement that individuals affected by a data breach be informed promptly, enabling them to act quickly and effectively to protect themselves from harm. At the same time, the existence of a duty to notify individuals affected by a data breach incentivises data users to adopt robust measures against data breaches. Many jurisdictions adopt a mandatory data breach notification system; this article examines the two leading notification models, the United States and EU models. It takes Hong Kong as a case study where there is only a voluntary system of notifying the Privacy Commissioner of any data breach in certain specified circumstances. It evaluates the operation of Hong Kong’s voluntary notification system and examines the current moves towards adopting a mandatory notification system. It examines justifications for mandatory notification and how the notification mechanism works and concludes that mandatory notification is an indispensable element of an effective regulatory system. © 2023, Sweet and Maxwell-Thomson Reuters. All rights reserved.

Research Area(s)

  • Data breaches, data breach response plan, data protection principles, General Data Protection Regulation (EU), mandatory notification of data breach, Personal Data Protection Ordinance (HK), unauthorized access to personal information, US law and policy on notification