6 Takeaways: What’s happened and what does it mean for businesses in Hong Kong?

1. Formal review and study of possible amendments to Personal Data (Privacy) Ordinance (PDPO)

As anticipated for some time, the Hong Kong Government is now formally reviewing and studying possible amendments to the PDPO jointly with the Office of the Privacy Commissioner for Personal Data (PCPD) aimed at strengthening the protection of personal data in Hong Kong.

The Constitutional and Mainland Affairs Bureau published a paper (LC Paper No. CB(2)512/19-20(03)) (Review Paper) for discussion at the Legislative Council Panel on Constitutional Affairs meeting on 20 January 2020.

Nothing has changed as yet: this is the start of a review process that will take some time before we see any specific proposals for legislative amendments to the PDPO.

2. Focus on six key proposals

The Review Paper does not propose a complete redraft of the PDPO. Instead, it focuses on six key proposals which we summarise in this update:

  1. mandatory data breach notification;
  2. requirement for a data retention policy;
  3. introducing the ability for the PCPD to impose direct administrative fines;
  4. regulation of data processors;
  5. expanding the definition of personal data; and
  6. regulating the disclosure of other data subjects' personal data.

Whilst the Review Paper proposes certain "GDPR-like" elements, many of the proposals are in response to specific data privacy issues in the digital age that have arisen locally in Hong Kong (in particular data security breaches and an increase in doxxing cases).

3. Greater powers for PCPD proposed

Of particular interest to Hong Kong businesses is the proposal for the PCPD to have more "teeth" and the ability to directly impose administrative fines "linked to the annual turnover of the data user": this follows the approach under the EU GDPR where regulators can issue a fine up to EUR 20 million or 4% of global annual turnover (whichever is higher).

The Government is also considering legislative amendments which would give the PCPD statutory powers to request the removal of doxxing content from social media platforms and websites, as well as the power to carry out criminal investigations and prosecution.

4. Increased compliance requirements if proposed changes come into effect

Businesses in Hong Kong that have not yet updated their privacy programmes to a higher global standard will face greater compliance requirements (in particular on data breach notification and data retention) if the PDPO is amended to implement the changes outlined in the Review Paper. If the proposal to increase the PCPD's sanctioning and prosecution powers comes into effect, the risk of privacy non-compliance for companies doing business in Hong Kong would also be heightened.

Businesses should monitor this area as it develops, as existing data governance policies and practices will need to be revisited if new requirements are introduced as a result of this PDPO review.

5. Next steps

The immediate next step is for the Government and the PCPD to work together to conduct a further in-depth study on concrete legislative amendment proposals and consult relevant stakeholders including the Legislative Council Panel on Constitutional Affairs.

There is currently no indicative timeline for tabling amendments and it is not yet clear when any formal amendments may take effect.

6. Will any other changes be proposed?

It remains to be seen if further proposals will be considered at a later stage to enhance other areas of the PDPO and introduce additional "GDPR-like" elements similar to those being considered or incorporated into the data privacy laws of other Asia Pacific economies.

The Review Paper indicates that the six proposals are the PCPD's "preliminary recommendations on PDPO amendments" and the present study focuses only on these amendments. Other areas such as an accountability obligation, a definition of sensitive data, increased rights of data subjects (e.g., data portability and the "right to be forgotten") and, in particular, cross-border data transfer (currently included in section 33 of the PDPO but not yet in force) do not feature in the proposals.

We will continue to monitor this area and provide an update as the Government's review of the PDPO develops and more concrete proposals and legislative amendments are announced.

Summary of six proposed amendments to the PDPO

1. Mandatory Data Breach Notification Mechanism
  • Taking reference from the EU, Australia, New Zealand and Canada, a mandatory data breach notification mechanism is proposed which would require data users to notify the PCPD and relevant data subjects of data breach incidents.
  • A notification threshold of a "real risk of significant harm" is proposed: the factors the data user should take into account to determine whether a breach has reached that threshold (e.g. type and amount of data leaked, the security level of the data involved) are being considered.
  • Notification to the PCPD would need to be within a specific timeframe (e.g. as soon as practicable and, under all circumstances, in not more than five business days).

2. Data Retention Policy
  A requirement for data users to formulate a clear retention policy covering aspects such as:
  • maximum retention periods for different categories of personal data;
  • legal requirements which may affect the designated retention periods (e.g. regulations pertaining to taxation, employment and the medical profession); and
  • how the retention period is counted.

3. Sanctioning Powers
  • Powers for the PCPD to impose direct administrative fines are proposed, linked to the annual turnover of the data user.
  • Possibility of classifying data users of different scales according to their turnovers, to match them with different levels of administrative fines.
  • Reference is made to the maximum administrative fine that can be imposed under the EU GDPR: EUR 20 million or 4% of the company's global annual turnover in the preceding year (whichever is higher).

4. Regulation of Data Processors
  • Direct regulation of data processors by imposing legal obligations on them or their sub-contractors, e.g. being required to be directly accountable for data retention and security, and to notify the PCPD and the data user upon becoming aware of any data breach.

5. Definition of Personal Data
  • Expanding the definition of personal data to include information that relates to an "identifiable" person, instead of just an "identified" person.

6. Regulation of Disclosure of Personal Data of Other Data Subjects
  • Introducing specific legislative amendments to address doxxing, such as conferring on the PCPD statutory powers to request removal of doxxing content from social media platforms or websites, as well as powers to carry out criminal investigation and prosecution.