Reform to Hong Kong’s data protection law finally on the horizon. Watch this space!

6 Key Reform Directions

After many years of discussion, action to reform Hong Kong’s Personal Data (Privacy) Ordinance (“PDPO”) has been gaining momentum as the Hong Kong Government and the Privacy Commissioner (“Commissioner”) endeavour to update the PDPO in line with international standards and to address new challenges to data protection amidst the rapid development of information and communication technologies.

The reform proposals are at a preliminary stage and no draft bill is available yet.  However, the Constitutional and Mainland Affairs Bureau of the Government (“CMAB”) and the Commissioner have issued a consultation paper and sought feedback from members of the Legislative Council (“LegCo”) at the LegCo Panel on Constitutional Affairs meeting on 20 January 2020.  6 key directions for reform have been proposed:

(1) Establishing a mandatory mechanism for data breach notification;
(2) Strengthening obligations on personal data retention;
(3) Increasing the enforcement powers of the Commissioner;
(4) Introducing direct regulation of data processors;
(5) Amending and expanding the PDPO’s definition of “personal data”; and
(6) Strengthening regulation of the improper disclosure of personal data of other data subjects.

Please see the table below for our high-level summary and commentary on the key reform proposals.

What Happens Next?

The CMAB and the Commissioner have expressed their eagerness to move forward quickly with the reform proposals, and have indicated that no public consultation will be conducted.  A motion calling for public consultation was not passed at the 20 January meeting and currently, there is no concrete timetable as to when specific amendments will be put forward.  Meanwhile, it is expected that further in-depth studies and consultation with relevant stakeholders will take place before a draft bill is formulated.  As with any law reform and legislative process, it will take some time before actual changes to the PDPO come to fruition.  However, stay tuned for our further updates!

Key Takeaway for Data Users and Data Processors

It is clear that, in line with global trends and practices, the burden of data protection and privacy compliance in HK will increase and continue to be one of the most important areas of compliance for all companies.  In particular, the call for direct regulation of data processors, for the first time in the history of the PDPO, means that data processors in HK will need to plan ahead and review their existing practices in preparation for compliance.

Some of the proposals in the consultation paper are clearly influenced by the European General Data Protection Regulation (“GDPR”) (e.g. direct regulation of data processors, mandatory data breach notification mechanism, and strengthening the Commissioner’s enforcement powers).  It is too early to tell what exact compliance burden will ultimately be placed on data users and data processors in HK.  If the reforms do adopt GDPR-like provisions, multinational and international corporations doing business in HK, and larger HK companies already having business abroad, are likely to be accustomed to complying with more stringent regimes.  It will be the smaller businesses among data users and data processors in HK that may find it more of a burden to prepare for such additional requirements.  Companies are advised to watch this space to monitor further developments.

There has been significant public and regulatory concern over data security and lack of mandatory and timely breach notification arising from recent major data-related incidents from the private and public sectors including the hacking of Cathay Pacific’s IT systems which resulted in unauthorised access to personal data affecting approximately 9.4 million passengers.  The Commissioner issued an enforcement notice against Cathay last year noting that although there is currently no statutory requirement to notify the public of data breach under the PDPO, Cathay could have notified affected passengers of the suspicious activity once detected and advised them earlier of the appropriate steps to meet their legitimate expectation.  Large-scale data breaches involving significant pools of consumers’ data, voters’ data and medical data, loss or theft of electronic devices of government bodies, data security incidents with mobile apps and online services, and doxxing, which has been prevalent during the protests in HK, have undermined the trust and confidence of the general public and consumers in the data protection and security measures taken by the private and public sector.

In this digital age, data security, transparency and accountability on data protection should always be at the forefront of data users’ and data processors’ business and legal compliance strategy.  It is good practice for data users and data processors to conduct regular audits and reviews of their existing data protection practices and policies to identify and address legal compliance gaps, and to have in place a plan to act quickly in case of any security or data breach.  The latest proposals from the Commissioner and the CMAB are a timely reminder to do this.

It is interesting to note that the consultation paper has been silent on some topical issues that have been on the law reform radar for years, including, e.g., regulation of cross-border personal data transfer and introduction of a specific definition of “sensitive” personal data (e.g. biometrics data, ethnicity, race, sexual orientation, religion and political affiliation) in the PDPO.   However, we expect that further reforms on these issues are on the horizon as well.  In particular, the Commissioner indicated at the LegCo meeting that his office has plans to release updated guidance materials on the long-dormant Section 33 relating to cross-border data transfer, so stay tuned for our further updates!


Summary of key PDPO reform directions

Reform direction  CMAB and Commissioner’s proposal  Things to keep watch
Establish mandatory mechanism for data breach notification 
  • Establish a mandatory mechanism for notification of any data breach (including data security breach leading to unlawful or accidental destruction, alteration, loss, unauthorized disclosure of, or access to personal data) that has a “real risk of significant harm” as soon as practicable and, under all circumstances, in not more than five (5) business days.
  • Some LegCo members have expressed concern that the proposed threshold of “real risk of significant harm” is ambiguous and should be clarified.
  • Further details to be formulated by the CMAB and Commissioner, including, (i) the exact scope of data breach that would fall within the scope of this mandatory mechanism, (ii) the notification threshold, (iii) the timeframe for notification and rectification of breach, and (iv) the exact content and mode of notification to be made to the Commissioner and the affected data subjects.
  • The Commissioner plans to provide templates and guidance materials in due course in alignment with this proposal.
Strengthen obligations on personal data retention
  • Practically difficult to mandate a uniform data retention period (as each case will turn on its own facts in light of the diversity in the nature and types of personal data and the myriad of different purposes that may be involved).
  • Clarify and supplement the PDPO’s existing data protection principles with the new requirements on data users to (i) formulate a clear data retention policy and (ii) notify data subjects of such policy, to enhance accountability and transparency of data users’ practices on protecting and handling personal data.
  • Further details to be formulated by the CMAB and Commissioner on amending the PDPO’s existing data protection principles 2 and 5 to reflect this new requirement.
  • The Commissioner plans to provide templates and guidance materials in due course in alignment with this proposal.
Increase enforcement powers of the Commissioner
  • There are two main directions on this particular issue for further deliberation: (1) raising the levels of fines for existing criminal offences on breach of the Commissioner’s enforcement notice; and (2) introducing new administrative fines and direct sanctioning powers of the Commissioner for contravention of the PDPO.
  • The objectives of these proposed reforms are to enhance the deterrent effect and to more properly reflect the severity of the offences under the PDPO.
  • Further details to be formulated by the CMAB and Commissioner, including, (i) the exact scope of such sanctioning powers, (ii) classification of scales and levels of criminal and/or administrative fines, (iii) the mechanism and threshold for administrative fines, and (iv) the legal due process and appeal mechanism against the Commissioner’s decisions under the administrative fine system.
  • In terms of administrative sanctions, the CMAB and Commissioner indicated that they are exploring the feasibility of introducing a GDPR-like system, with an administrative fine linked to data user’s annual turnover, and the classification of data users into different scales according to their turnover.
  • Some LegCo members have expressed concern over the inadequacies of the Commissioner’s current enforcement powers, and called for further checks and balances between the enforcement powers of the Police and Commissioner under the criminal and administrative sanction systems for more effective and efficient enforcement under the PDPO.
Introduce direct regulation on data processors
  • Recognize the pressing need for increased direct regulation of data processors to enhance data security, and to ensure accountability, governance and control of data users’ outsourcing and data processing activities from both data users and data processors.
  • Introduce new regime in the PDPO for direct regulation of data processors, including placing direct legal obligations on data processors (and their sub-contractors) to, amongst other things, be directly accountable for data retention and data security, and handling data breach notifications.
  • Further details to be formulated by the CMAB and Commissioner on this new regime of direct regulation of data processors and the legal obligations to be imposed.
  • If implemented, the other key directions for reform affecting data users (including mandatory data breach notification, personal data retention obligations, and the Commissioner’s increased enforcement powers) would likely apply to data processors as well.
Amend and expand PDPO’s definition of “personal data”
  • Amend and expand the PDPO’s existing definition of “personal data” to cover not only information that relates to an “identified” person, but to also cover information relating to an “identifiable” person, in order to better satisfy public expectations in light of the prevalent use of data analytics, profiling and tracking technologies for identifying individuals.
  • Further details to be formulated by the CMAB and Commissioner.
  • Some LegCo members have expressed concern over the lack of legal definition of “sensitive personal data” (including biometrics data like facial recognition, fingerprint, palm print, voice print/voice authentication, retinal scans, etc.) in the PDPO to enhance personal data protection in light of the increased use of artificial intelligence, facial recognition and other similar tools and technologies in private and public sectors for tracking and identification of individuals.
Strengthen regulation of improper disclosure of personal data of other data subjects
  • Directions for proposed reform on this particular issue under consideration include, e.g., (i) introducing legislative amendments to specifically address doxxing behaviour, (ii) conferring further statutory powers on the Commissioner to request the take-down/removal of doxxing contents from social media platforms, websites and other online platforms, (iii) enhancing the relevant criminal investigation, prosecution and enforcement powers under the PDPO.
  • The CMAB indicated in the consultation paper that it is currently studying how to amend/enhance the PDPO to curb doxxing behaviour more effectively, as well as to strengthen the existing criminal offence under section 64 of the PDPO for the improper disclosure of personal data of other data subjects.  However, the CMAB and Commissioner have yet to release any further details.
  • Some LegCo members have expressed concern over the inadequacies of the Commissioner’s current enforcement powers, and called for further checks and balances between the enforcement powers of the Police and Commissioner under the PDPO.


Want to know more?

Contact Charmaine Koo or Amy Chung.
