Last edit by: kaka
Cathay Pacific information site:
https://infosecurity.cathaypacific.com/en_HK.html
If you want to hold CX to legal standing for the loss of private data, the best shot would be using EU GDPR regulations:
What to write to DPO/CX ([email protected]) according to EU GDPR in very short... (ref #177)
(if CX is seen as a HK company, then EU GDPR would apply to all EU Citizen inc valid and expired (not renounced) BNO Holders; and if CX is seen managed by John Swire & Sons Ltd in the UK via Swire, then Data Protection Act 2018 (of UK) which includes GDPR would apply to EVERYONE)
- ask for data that CX hold on you
- highlight specifically which data was lost
(there's a few things you could ask them according to GDPR... refer to the website)
They have 1 month to respond or they will have to give you a reasonable timeframe where they have to respond by within the 1 month before you can go to ICO.
If you are seeking compensation from CX for the loss of private data, the following sites are dealing with class action against CX (not legal advice)
- http://www.cathaydatabreach.com
- http://www.classlawdc.com/2018/10/25/cathay-pacific-data-breach-class-action-investigation/
9.4 million passengers’ data stolen from CX
#241
Ambassador, Hong Kong and Macau
Join Date: May 2009
Location: HKG
Programs: Non-top tier Asia Miles member
Posts: 19,759
If EU can whack a fine on a non-EU corporation like Marriott, can they whack a similar fine on CX (trading in EU)?
#242
FlyerTalk Evangelist
Join Date: Aug 2009
Location: ZOA, SFO, HKG
Programs: UA 1K 0.9MM, Marriott Gold, HHonors Gold, Hertz PC, SBux Gold, TSA Pre✓
Posts: 13,811
The extent of the CX data breach is very much unknown. If EC wants to rely on GDPR for fines, the data breach itself must have some relationship with Europe (this is why BA is doomed, but not necessarily Marriott).
If the data breach mostly involves the personal information of customers in Hong Kong, which sounds like the case here, then the EC will have no say on a domestic issue happened in Hong Kong.
So yes - this is primarily a PCPD issue, which you can guess what the PCPD will do.
#243
Ambassador, Hong Kong and Macau
Join Date: May 2009
Location: HKG
Programs: Non-top tier Asia Miles member
Posts: 19,759
the data breach itself must have some relationship with Europe (this is why BA is doomed, but not necessarily Marriott).
If the data breach mostly involves the personal information of customers in Hong Kong, which sounds like the case here, then the EC will have no say on a domestic issue happened in Hong Kong.
#244
FlyerTalk Evangelist
Join Date: Aug 2009
Location: ZOA, SFO, HKG
Programs: UA 1K 0.9MM, Marriott Gold, HHonors Gold, Hertz PC, SBux Gold, TSA Pre✓
Posts: 13,811
#245
Ambassador, Hong Kong and Macau
Join Date: May 2009
Location: HKG
Programs: Non-top tier Asia Miles member
Posts: 19,759
#246
FlyerTalk Evangelist
Join Date: Aug 2009
Location: ZOA, SFO, HKG
Programs: UA 1K 0.9MM, Marriott Gold, HHonors Gold, Hertz PC, SBux Gold, TSA Pre✓
Posts: 13,811
#248
FlyerTalk Evangelist
Join Date: Aug 2009
Location: ZOA, SFO, HKG
Programs: UA 1K 0.9MM, Marriott Gold, HHonors Gold, Hertz PC, SBux Gold, TSA Pre✓
Posts: 13,811
#249
Join Date: Jan 2006
Programs: AAdvantage Asia Miles Air China
Posts: 870
Now CX has operations and presence in the EU which includes the processing of information relating to citizens of EU members which takes place within those EU members. As with Marriott, an EU member state can well act proportionately.
#250
FlyerTalk Evangelist
Join Date: Aug 2002
Location: London
Programs: Mucci. Nothing else matters.
Posts: 38,644
But surely this would not stop a fine being enforced against the HK-based company? After all, the particular HK-based company in question has some rather valuable assets within the EU. From time to time, but for long enough on each occasion for them to be seized.
#251
Join Date: Jan 2016
Location: LON
Programs: BAEC
Posts: 3,910
Actually it does, and I have first-hand experience of this. I will give you a scenario: GDPR cannot be enforced on an HK-based company whose servers are in HK and which has no physical or other presence within the EU, simply because HK courts will not enforce EU laws on an extra-territorial basis.
Now CX has operations and presence in the EU which includes the processing of information relating to citizens of EU members which takes place within those EU members. As with Marriott, an EU member state can well act proportionately.
Whether the law could be invoked against a HK company with no presence in the EU is another question, but the GDPR regulations are extra-terrestrial and apply globally.
But in the context of CX and Marriott then it definitely does apply, and to that extent it doesn't matter where the data resides.
#252
Join Date: Jan 2006
Programs: AAdvantage Asia Miles Air China
Posts: 870
You are right and this is what I said.
#253
Join Date: Jan 2006
Programs: AAdvantage Asia Miles Air China
Posts: 870
Agree in part with what you say Nicc HK - if a company operating overseas does not expect or solicit interaction with EU residents then they do not need to comply with GDPR although they probably should because the principles that are mandated by GDPR are a good thing to do for any personal data. Some more background reading on this here.
Whether the law could be invoked against a HK company with no presence in the EU is another question, but the GDPR regulations are extra-terrestrial and apply globally.
But in the context of CX and Marriott then it definitely does apply, and to that extent it doesn't matter where the data resides.
It does raise interesting questions as to whether an EU member state citizen was affected but was not inside the EU at the time the infringement occurred?
I do apologise; I do contracts and IPRs for a living, so these issues are directly relevant to my work and I appreciate the comments people write here for their different perspectives.
Last edited by Nicc HK; Jul 12, 2019 at 6:17 am
#254
Join Date: Sep 2012
Location: NW London and NW Sydney
Programs: BA Diamond, Hilton Bronze, A3 Diamond, IHG *G
Posts: 6,343
In the most extreme scenario CX could simply be barred from operating to the EU if it refused to pay any fine.
If CX did not operate in the EU, it could still fall afoul of the GDPR if it handled EU passengers' data improperly, but there would not be much recourse if it didn't pay.
This is akin to the case where a Danish citizen purchased Cuban cigars from Germany, but unfortunately the bank transfer went through US banks and was seized due to the US embargo. The US could not normally enforce its embargo outside the US, but the participants unwittingly involved the US and suffered for it.