6 Key Reform Directions
After many years of discussion, action to reform Hong Kong’s Personal Data (Privacy) Ordinance (“PDPO”) has been gaining momentum as the Hong Kong Government and the Privacy Commissioner (“Commissioner”) endeavour to update the PDPO in line with international standards and to address new challenges to data protection amidst the rapid development of information and communication technologies.
The reform proposals are at a preliminary stage and no draft bill is available yet. However, the Constitutional and Mainland Affairs Bureau of the Government (“CMAB”) and the Commissioner have issued a consultation paper and sought feedback from members of the Legislative Council (“LegCo”) at the LegCo Panel on Constitutional Affairs meeting on 20 January 2020. 6 key directions for reform have been proposed:
1. Establishing a mandatory mechanism for data breach notification;
2. Strengthening obligations on personal data retention;
3. Increasing the enforcement powers of the Commissioner;
4. Introducing direct regulation of data processors;
5. Amending and expanding the PDPO’s definition of “personal data”; and
6. Strengthening regulation of the improper disclosure of personal data of other data subjects.
Please see the table below for our high-level summary and commentary on the key reform proposals.
What Happens Next?
The CMAB and the Commissioner have expressed their eagerness to move forward quickly with the reform proposals, and have indicated that no public consultation will be conducted. A motion calling for public consultation was not passed at the 20 January meeting and currently, there is no concrete timetable as to when specific amendments will be put forward. Meanwhile, it is expected that further in-depth studies and consultation with relevant stakeholders will take place before a draft bill is formulated. As with any law reform and legislative process, it will take some time before actual changes to the PDPO come to fruition. However, stay tuned for our further updates!
Key Takeaway for Data Users and Data Processors
It is clear that, in line with global trends and practices, the burden of data protection and privacy compliance in HK will increase and continue to be one of the most important areas of compliance for all companies. In particular, the call for direct regulation of data processors, for the first time in the history of the PDPO, means that data processors in HK will need to plan ahead and review their existing practices in preparation for compliance.
Some of the proposals in the consultation paper are clearly influenced by the European General Data Protection Regulation (“GDPR”) (e.g. direct regulation of data processors, mandatory data breach notification mechanism, and strengthening the Commissioner’s enforcement powers). It is too early to tell what exact compliance burden will ultimately be placed on data users and data processors in HK. If the reforms do adopt GDPR-like provisions, multinational and international corporations doing business in HK, and larger HK companies already having business abroad, are likely to be accustomed to complying with more stringent regimes. It is the smaller businesses among data users and data processors in HK that may find it more of a burden to prepare for such additional requirements. Companies are advised to watch this space to monitor further developments.
There has been significant public and regulatory concern over data security and the lack of mandatory and timely breach notification arising from recent major data-related incidents in the private and public sectors, including the hacking of Cathay Pacific’s IT systems, which resulted in unauthorised access to personal data affecting approximately 9.4 million passengers. The Commissioner issued an enforcement notice against Cathay last year, noting that although there is currently no statutory requirement to notify the public of a data breach under the PDPO, Cathay could have notified affected passengers of the suspicious activity once detected and advised them earlier of the appropriate steps to meet their legitimate expectation. Large-scale data breaches involving significant pools of consumers’ data, voters’ data and medical data, loss or theft of electronic devices of government bodies, data security incidents with mobile apps and online services, and doxxing, which has been prevalent during the protests in HK, have undermined the trust and confidence of the general public and consumers in the data protection and security measures taken by the private and public sector.
In this digital age, data security, transparency and accountability on data protection should always be at the forefront of data users’ and data processors’ business and legal compliance strategy. It is good practice for data users and data processors to conduct regular audits and reviews of their existing data protection practices and policies to identify and address legal compliance gaps, and to have in place a plan to act quickly in case of any security or data breach. The latest proposals from the Commissioner and the CMAB are a timely reminder to do this.
It is interesting to note that the consultation paper has been silent on some topical issues that have been on the law reform radar for years, including, e.g., regulation of cross-border personal data transfer and introduction of a specific definition of “sensitive” personal data (e.g. biometrics data, ethnicity, race, sexual orientation, religion and political affiliation) in the PDPO. However, we expect that further reforms on these issues are on the horizon as well. In particular, the Commissioner indicated at the LegCo meeting that his office has plans to release updated guidance materials on the long-dormant Section 33 relating to cross-border data transfer, so stay tuned for our further updates!
Summary of key PDPO reform directions
|CMAB and Commissioner’s proposal
|Things to keep watch
|Establish mandatory mechanism for data breach notification
|Strengthen obligations on personal data retention
|Increase enforcement powers of the Commissioner
|Introduce direct regulation on data processors
|Amend and expand PDPO’s definition of “personal data”
|Strengthen regulation of improper disclosure of personal data of other data subjects