Legal update: Potential changes to the Personal Data (Privacy) Ordinance

Mar 07 2023

In this snapshot legal update, we report that on 20 February 2023, the Privacy Commissioner for Personal Data (“PCPD”) reported plans to put forward amendments to the Personal Data (Privacy) Ordinance (“PDPO”) in 2023. The PCPD’s target is to present concrete proposed amendments and consult with the Legislative Council Panel on Constitutional Affairs in the second quarter of 2023.

The proposed amendments will address:

| Proposed amendments | Current regime |
| --- | --- |
| Establish a mandatory data breach notification mechanism. | There is no statutory mandatory data breach notification requirement. Data users are encouraged under a guidance note issued by PCPD in June 2020 to notify the affected data subjects, the PCPD and other relevant parties in response to a data breach. |
| Require data users to formulate a data retention policy setting out how personal data is to be retained. | There is no statutory requirement that data users should have a data retention policy. |
| Empower the PCPD to impose administrative fines. | The PCPD has the power to conduct investigations regarding breaches of the PDPO, issue enforcement notices and, in limited cases, institute prosecutions. However, the PCPD has no power to impose administrative fines. |
| Introduce direct regulation of data processors. | Data processors are not directly regulated under the PDPO; only data users are. The data user is directly liable for the conduct of the data processor as the principal. It is for the data user to take steps to monitor the data processor’s conduct and prevent the data processor’s non-compliance with the PDPO. |

These changes are consistent with proposals announced in January 2020 [see our report here].

The Report on the Work of the Office of the PCPD in 2022 can be found here.

Pádraig Walsh, Tara Chan and Jane Du

If you would like to discuss any of the matters raised in this article, please contact:

Pádraig Walsh
Partner | [email protected]

Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.
