
Could Cathay Pacific Airways, Hong Kong’s flag carrier, become one of the first companies to face a hefty fine under the recently introduced GDPR regulations?

Following the revelation that the carrier fell victim to a prolonged hacking attack that affected millions of passengers, experts and other companies are waiting to learn exactly what lies ahead for the iconic airline in terms of regulatory enforcement.

On Wednesday during a Legislative Council of Hong Kong hearing addressing the issue, lawmakers grilled senior staff over the company’s handling of the incident. Cathay has faced increased scrutiny after the airline revealed in a written submission that the data breach had, in fact, lasted longer than previously stated.

“The incident is a crisis,” company chairman John Slosar was quoted as saying by Reuters. “It is the most serious one the airline has faced.” 

Under Hong Kong law, Cathay would likely face a penalty of HK$50,000 ($6,400) and receive an enforcement notice from the privacy commissioner for the data breach. Should the company be prosecuted under the European Union-issued GDPR regulations, which came into effect on May 25 and cannot be enforced retroactively, the penalty would be far harsher.

The EU regulations require companies to report breaches to supervisory authorities within 72 hours or face a maximum fine of 20 million euros ($23 million) or four percent of their annual worldwide turnover, whichever is higher.

TIMELINE IS CRITICAL

Paul Haswell, partner and technology specialist at Pinsent Masons, tells Asian Legal Business that because of the threat of EU regulatory action, the timeline of the data breach is critical. 

“They should be worried,” Haswell said, noting that should it be established that the airline lost data belonging to members of EU countries after May 25 “and didn’t do everything that was necessary, there is a chance they’ll be subject to a fine under the GDPR.”

“They need to make sure they’re absolutely clear about when this data was taken, what was taken,” he added.

“In Cathay’s favour, and in their defence, although they were late to come clean about the nature of the breach, they have been good about notifying everybody that’s affected. Not just that there’s been a breach but exactly what was compromised,” Haswell said. “But the trouble is the EU won’t care, if you’re late, you still lost the data. They’re still in a position where they can take action against you.”

The EU is not reluctant to impose fines, having pursued Microsoft and Google for data breaches in the past. “There’s every possibility they could be hit with a massive fine,” said Haswell of the Hong Kong carrier.

Reuters reported yesterday that the airline was working with 27 regulators in 15 jurisdictions to investigate the breach.

 
