Hong Kong SAR has plans to change its data privacy rules and ordinance after a number of high-profile data breach incidents at companies such as Cathay Pacific and

IFLR's latest primer looks at how, following changes to similar rules in the US and EU, Hong Kong SAR is planning to change its data privacy rules to better protect companies against data breaches and to provide more enforcement powers to the privacy regulator.

What are the proposed changes to the data privacy

Under Hong Kong SAR's proposed changes to its data privacy ordinance, which are being reviewed by the legislative council, companies will need to comply with mandatory breach notification mechanisms and put in place data retention policies. Data users will need to create clear policies with specified retention periods for the relevant classes of data they hold, but no specifics have been laid out. From an enforcement perspective, more sanctioning powers are being proposed for the jurisdiction's privacy regulator. Additionally, regulation of data processors and of disclosure by third parties has been proposed. The proposal calls for accountability of data processors in data retention, security and breach notification, but what constitutes a data processor has not been

Although international reforms such as the European General Data Protection Regulation (GDPR) have been a key driver in the need to discuss change, local factors and circumstances such as doxxing played a strong role as well. Doxxing refers to the publishing of information about an individual on the internet, a tactic that became popular during the 2019 protests in Hong

"An overhaul of the personal data privacy ordinance (PDPO) is long overdue given the recent technological developments for companies to monitor, track, store and process personal data," says Jackson Poon, general counsel at Liquefy.

Dmitri Hubbard, Asia Pacific data privacy officer at BNP Paribas, adds: "Up until now the PDPO has not implemented any compulsory breach reporting. The proposed changes anticipate that given the experience of EU regulators. We do not wish to go from a problem of underreporting to a problem of over

How should businesses prepare for the proposed

One of the most challenging aspects of the proposed PDPO changes is the topic of mandatory breach mechanisms, according to Poon. This requires businesses, or the data user, to notify the privacy commissioner for personal data (PCPD) within five business days of discovering the data breach. It further provides a notification threshold: businesses/data users should only notify the PCPD where the data breach causes a real risk of significant harm to the data

"It is challenging for small and medium enterprises (SMEs) to determine what constitutes a real risk of significant harm without more detailed guidelines," says Poon. If a business fails to report a data breach it will face heavy sanctions. The maximum fine being considered is roughly HK$178 million ($22.3 million), or four percent of the company's global annual turnover in the preceding year, whichever is

"With such high fines and ambiguous guidelines, this may induce businesses to notify the PCPD of a breach even when unnecessary, and may strain the limited resources the business has," says Poon. "Secondly, the notification timeframe of five business days may be difficult for SMEs to prepare all the necessary documents for reporting, given the lack of

Max Jackowski, former legal counsel at Block.one, agrees and says: "Significant organisational changes will be more challenging for businesses with considerable legacy databases. The current ordinance only requires data to be kept for as long as necessary whereas the proposed changes will require data users to communicate in their privacy policies on how long personal data will be retained."

At a practical level, any material change to the definition of personal data will involve local firms needing to review and realign information lifecycles, as additional situations will be included, according to Hubbard. Additionally, any compulsory breach reporting will need extra financial and human resources allocated to data protection within companies.

What are the controversial points?

Although mandatory data breach notifications are the trend in data privacy laws, and for data subjects in particular, the mechanics of such provisions will likely be hotly debated, according to Hoi Tai Leung, counsel at Ashurst. For instance, at what threshold does a material data breach become one that is notifiable? And how would that threshold be

"Another question is when does notification have to occur to the PCPD and to the data subjects," says Leung. "Does one happen before the other, and does the regulator have any input into such decision?"

A further point is whether the regulator has the capacity to handle the number of notifications that will arise.

The increase in the commissioner's enforcement powers will also be interesting to note. "The PCPD has previously publicly stated that it would like to see an increase in its enforcement powers," says Leung. "The proposed change discusses potentially linking penalty amounts to a company's turnover which is a nod to the GDPR, and the PCPD being able to directly impose fines on data users for breaches, instead of having to firstly issue an enforcement notice and only being able to issue fines if that notice is breached."

Where do the proposed changes bring Hong Kong SAR compared to other jurisdictions?

While Hong Kong SAR has made a commitment to strengthen its data privacy laws, it has not fully drawn on the EU's GDPR, according to Poon. For example, the GDPR's risk-based approach to accountability and governance requires data controllers to implement technical and organisational measures to ensure compliance and to conduct a data protection impact assessment for high-risk processing. However, Hong Kong SAR's PDPO does not explicitly state the related accountability guidelines, nor has it proposed any amendments in this regard in its most recent review.

Compared to the GDPR, a key right that has not been discussed is the right to erasure, or to be forgotten, which allows data subjects in certain circumstances to request the deletion of their personal data, says Jackowski. The right to be forgotten has also been implemented in California and Brazil.

"Other Asian countries such as Korea and India have also made drastic efforts to revamp their data privacy laws, and have mimicked the GDPR's policies into their respective laws," says Poon. For example, Korea has brought GDPR elements, such as legitimate interests and pseudonymisation, into the data protection law of Korea. India has created provisions based on the GDPR in areas such as individuals' rights to data portability and data erasure, organisations' obligations to adopt privacy by design, and extraterritorial application of the data protection law.

"Discussions about increasing fines and giving the local data protection authority the ability to issue administrative fines is an obvious gap when compared with the GDPR," says Hubbard. "It would bring a greater deterrent effect."

Traditionally, most Asian data regulators have not issued, or had the power to issue, large fines for data breaches. "Given the legislative agenda in many Asian countries this is likely to change in the next 24 months," says Hubbard. "It would be sensible for Hong Kong SAR to take the lead on this topic."

In terms of doxxing, Hubbard says that it is unclear whether the appropriate place for an anti-doxxing law is in a data privacy statute. For example, Singaporean law covers doxxing in its Protection from Harassment Act rather than in the local data protection law.

Should the changes go further?

Although the proposed changes are a good start, they fall far short of what is needed and could be a missed opportunity for the jurisdiction. With respect to the regulation of disclosure of personal data by other data subjects, the proposal does not go far enough to regulate how such data is obtained by third parties.

"The GDPR requires data controllers to notify data subjects on how they obtained personal data from third party sources," says Jackowski. "While the proposal is primarily concerned with cases of doxxing, Hong Kong SAR has the opportunity to go a step further to regulate data users who process personal data from third party sources, which will strengthen public confidence in organisations engaged with significant data

He adds that the proposal has not introduced any classification of data, such as the special categories of data within the GDPR. "Certain categories of data are deemed quite sensitive, such as medical records, details of sexual orientation and trade union membership," says Jackowski. "It is alarming that the proposal does not look at implementing such measures given the recent scandals of medical records being

Poon says that there are several crucial aspects surrounding data privacy and protection that have not been covered. For example, no guidelines have been proposed on regulating the use of sensitive data. With the increasingly widespread use of facial recognition technology and biometric data, there should have been at least some proposed general regulations regarding

He adds: "Furthermore, the extent to which the PDPO can specifically address and regulate doxxing is still unclear. The PCPD has no statutory powers to request the removal of doxxing contents from social media platforms or websites, nor powers to carry out criminal investigations and prosecution, which fail to deter social media platforms or websites from allowing

In addition, no amendments have been proposed on consent and on accountability and governance, which are both paramount to determining the strength of data privacy laws.