
Could Cathay Pacific Airways, Hong Kong’s flag carrier, become one of the first companies to face a hefty fine under the recently introduced GDPR regulations?

Following the revelation that the carrier fell victim to a prolonged hacking attack that affected millions of passengers, experts and other companies are waiting to learn exactly what lies ahead for the iconic airline in terms of regulatory enforcement.

On Wednesday during a Legislative Council of Hong Kong hearing addressing the issue, lawmakers grilled senior staff over the company’s handling of the incident. Cathay has faced increased scrutiny after the airline revealed in a written submission that the data breach had, in fact, lasted longer than previously stated.

“The incident is a crisis,” company chairman John Slosar was quoted as saying by Reuters. “It is the most serious one the airline has faced.” 

Under Hong Kong law, Cathay would likely face a penalty of HK$50,000 ($6,400) and receive an enforcement notice from the privacy commissioner for the data breach. Should the company be prosecuted under the European Union-issued GDPR regulations, which came into effect on May 25 and cannot be enforced retroactively, the penalty will be far harsher.

The EU regulations require companies to report breaches to supervisory authorities within 72 hours, or face a maximum fine of 20 million euros ($23 million), or four percent of their annual worldwide turnover, whichever is higher.

TIMELINE IS CRITICAL

Paul Haswell, partner and technology specialist at Pinsent Masons, tells Asian Legal Business that because of the threat of EU regulatory action, the timeline of the data breach is critical. 

“They should be worried,” Haswell said, noting that should it be established that the airline lost data belonging to members of EU countries after May 25 “and didn’t do everything that was necessary, there is a chance they’ll be subject to a fine under the GDPR.”

“They need to make sure they’re absolutely clear about when this data was taken, what was taken,” he added.

“In Cathay’s favour, and in their defence, although they were late to come clean about the nature of the breach, they have been good about notifying everybody that’s affected. Not just that there’s been a breach but exactly what was compromised,” Haswell said. “But the trouble is the EU won’t care, if you’re late, you still lost the data. They’re still in a position where they can take action against you.”

The EU is not reluctant to impose fines, having pursued Microsoft and Google for data breaches in the past. “There’s every possibility they could be hit with a massive fine,” said Haswell of the Hong Kong carrier.

Reuters reported yesterday that the airline was working with 27 regulators in 15 jurisdictions to investigate the breach.
