PRIMER: Hong Kong SAR’s proposed data privacy ordinance changes

Author: Karry Lai | Published: 11 Mar 2020
Email a friend

Please enter a maximum of 5 recipients. Use ; to separate more than one email address.


Hong Kong SAR has plans to change its data privacy rules and ordinance after a number of high-profile data breach incidents at companies such as Cathay Pacific and VTech .

IFLR’s latest primer looks at how following changes in similar rules in the US and EU, Hong Kong SAR is planning to change its data privacy rules to better protect companies against data breaches and to provide more enforcement powers to the privacy regulator.

What are the proposed changes to the data privacy ordinance?

Under Hong Kong SAR’s proposed changes to its data privacy ordinance – which are being reviewed by the legislative council – companies will need to comply with mandatory breach notification mechanisms and put in place data retention policies. Data users will need to create clear policies with specified periods for the retention of relevant classes they hold but no specifics have been laid out. From an enforcement perspective, more sanctioning powers are being proposed for the jurisdiction’s privacy regulator. Additionally, regulation of data processors and disclosure by third parties has been proposed. The proposal calls for accountability of data processors in data retention, security and breach notification but what constitutes a data processor has not been decided.

Although international reforms such as the European General Data Protection Regulation (GDPR) have been a key driver in the need to discuss change, local factors and circumstances such as doxxing played a strong role as well. Doxxing refers to the publishing of information about an individual on the internet, a tactic that became popular during the 2019 protests in Hong Kong SAR.

"An overhaul of the personal data privacy ordinance (PDPO) is long overdue given the recent technological developments for companies to monitor, track, store and process personal data," says Jackson Poon, general counsel at Liquefy.

Dmitri Hubbard, Asia Pacific data privacy officer at BNP Paribas adds: "Up until now the PDPO has not implemented any compulsory breach reporting. The proposed changes anticipate that given the experience of EU regulators. We do not wish to go from a problem of underreporting to a problem of over reporting."

See also: GDPR panic is slowing

How should businesses prepare for the proposed changes?

One of the most challenging aspects of the proposed PDPO changes is the topic of mandatory breach mechanisms, according to Poon. This requires businesses – or the data user – to notify the privacy commissioner for personal data (PCPD) within five business days of discovering the data breach. It further provides a notification threshold that businesses/data users should only notify the PCPD where the data breach causes a real risk of significant harm to the data subject.

"It is challenging for small and medium entreprises (SMEs) to determine what constitutes a real risk of significant harm without more detailed guidelines," says Poon. If a business fails to report a data breach it will face heavy sanctions. The maximum fine being considered is roughly HK$178 million ($22.3 million), or four percent of the company’s global annual turnover in the preceding year, whichever is higher. 

"With such high fines and ambiguous guidelines, this may induce businesses to notify the PCPD of a breach even when unnecessary, and may strain the limited resources the business has," says Poon. "Secondly, the notification timeframe of five business days may be difficult for SMEs to prepare all the necessary documents for reporting, given the lack of resources."

Max Jackowski, former legal counsel at, agrees and says: "Significant organisational changes will be more challenging for businesses with considerable legacy databases. The current ordinance only requires data to be kept for as long as necessary whereas the proposed changes will require data users to communicate in their privacy policies on how long personal data will be retained." 

At a practical level, any material change to the definition of personal data will involve local firms needing to review and realign information lifecycles as additional situations will be included, according to Hubbard. Additionally, any compulsory breach reporting will need extra financial and human resources allocated to data protection within companies.

What are the controversial points?

Although mandatory data breach notifications are the trend in data privacy laws and for data subjects in particular, the mechanics of such provisions, however, will likely be hotly debated, according to Hoi Tai Leung, counsel at Ashurst. For instance, at what threshold does a material data breach become one that is notifiable? And how would that threshold be determined?

"Another question is when does notification have to occur to the PCPD and to the data subjects," says Leung. "Does one happen before the other, and does the regulator have any input into such decision?"

A further point is whether the regulator has the capacity to handle the number of notifications that will arise.

The increase in the commissioner's enforcement powers will also be interesting to note. "The PCPD has previously publicly stated that it would like to see an increase in its enforcement powers," says Leung. "The proposed change discusses potentially linking penalty amounts to a company's turnover which is a nod to the GDPR, and the PCPD being able to directly impose fines on data users for breaches, instead of having to firstly issue an enforcement notice and only being able to issue fines if that notice is breached."

Where do the proposed changes bring Hong Kong SAR compared to other jurisdictions?

While Hong Kong SAR has made a commitment to strengthen its data privacy laws, it has not fully taken advantage of the EU’s GDPR, according to Poon. For example, GDPR’s risk-based approach to accountability and governance requires data controllers to implement technical and organisational measures to ensure compliance and conduct data protection impact assessment for high-risk processing. However, Hong Kong SAR’s PDPO does not explicitly state the related accountability guidelines, nor has it proposed any amendments in this regard in its most recent review. 

Compared to the GDPR, a key right that has not been discussed is the right to erasure – or to be forgotten – which allows data subjects in certain circumstances to request the deletion of their personal data, says Jackowski. The right to be forgotten has also been implemented in California and Brazil.

"Other Asian countries such as Korea and India have also made drastic efforts to revamp their data privacy laws, and have mimicked the GDPR’s policies into their respective laws," says Poon. For example, Korea has brought in GDPR elements – such as legitimate interests and pseudonymisation – to the data protection law of Korea. India has created provisions based on the GDPR in areas such as individuals’ rights to data portability and data erasure, organisations’ obligations to adopt privacy by design, and extraterritorial application of the data protection law.

"Discussions about increasing fines and giving the local data protection authority the ability to issue administrative fines is an obvious gap when compared with the GDPR," says Hubbard. "It would bring a greater deterrent effect."

GDPR: non-EU companies ahead of EU counterparts

Traditionally, most Asian data regulators have not issued or had the power to issue large fines for data breaches. "Given the legislative agenda in many Asian countries this is likely to change in the next 24 months," says Hubbard. "It would be sensible for Hong Kong SAR to take the lead on this topic."

In terms of doxxing, Hubbard says that it is unclear whether the appropriate place for an anti-doxxing law is in a data privacy statute. For example, Singaporean law covers doxxing in the protection from its Harassment Act rather than the local data protection law.

Should the changes go further?

Although the proposed changes are a good start, they are far behind compared what is needed and could be a missed opportunity for the jurisdiction. With respect to the regulation of disclosure of personal data by other data subjects, the proposal does not go far enough to regulate how such data is obtained by third parties.

"The GDPR requires data controllers to notify data subjects on how they obtained personal data from third party sources," says Jackowski. "While the proposal is primarily concerned with cases of doxxing, Hong Kong SAR has the opportunity to go a step further to regulate data users who process personal data from third party sources, which will strengthen public confidence in organisations engaged with significant data processing." 

He adds that the proposal has not introduced any classification of data, such as the special categories of data within the GDPR. "Certain categories of data are deemed quite sensitive, such as medical records, details of sexual orientation and trade union membership," says Jackowski. "It is alarming that the proposal does not look at implementing such measures given the recent scandals of medical records being lost." 

Poon says that there are several crucial aspects surrounding data privacy and protection that have not been covered. For example, no guidelines have been proposed on regulating the use of sensitive data. With the increasingly widespread use of facial recognition technology and biometric data, there should have been at least some proposed general regulations regarding sensitive data.

He adds: "Furthermore, the extent to which the PDPO can specifically address and regulate doxxing is still unclear. The PCPD has no statutory powers to request the removal of doxxing contents from social media platforms or websites, nor powers to carry out criminal investigations and prosecution, which fail to deter social media platforms or websites from allowing doxxing content."

In addition, no amendments have been proposed on consent and accountability and governance, which are both paramount to determining the strength of data privacy laws. 

Should Asia adopt a GDPR style data privacy law?