Change is not coming: Further possible improvements to privacy protection in Hong Kong


Almost a year ago, the Constitutional and Mainland Affairs Bureau, in collaboration with the Privacy Commissioner of Hong Kong, provided its report on recommended changes to personal data privacy law in Hong Kong. There were six key proposals, but also some omissions. In the final of his series looking at the proposed changes, Pádraig Walsh from the Privacy and Cybersecurity practice group of Tanner De Witt discusses some changes that are not coming.

The missed opportunity

The Privacy Commissioner has actively promoted principles of accountability and the adoption of privacy management programmes. The principle of accountability is a core principle that can trace a lineage back to 1980 when the OECD Privacy Guidelines were published. It is now enshrined in many legislative regimes around the world. A key part of accountability is to identify a person in an organization who is tasked with the responsibility of overseeing privacy management programmes – the data protection officer. In many jurisdictions, this role is given a statutory basis. But not in Hong Kong, and there is no proposed change to this.

In the EU, the role, function and authority of the data protection officer is set out in the GDPR. These involve obligations and duties which again are prescribed by the GDPR. The duties primarily revolve around overseeing effective privacy policies within the business and ensuring there is proper accountability for privacy obligations within the business. There are important duties that apply to data protection officers in relation to enforcement actions. The data protection office is the designated person to liaise with the competent supervisory authority in respect of enforcement or investigation matters. The position is similar in Singapore.

A data protection officer in Hong Kong is, effectively, a title. It does not signify a special status under the Personal Data (Privacy) Ordinance, or any statutory mandate or authority. Any particular authority will be a matter for the organisation itself and what it chooses to grant.

This is a missed opportunity. A statutory role for a data protection officer is a key component of accountability. The introduction of this change would encourage the adoption of privacy management programmes by a broader range of businesses, and provide a dedicated point of communication for the Privacy Commissioner with those businesses (and not just for the purpose of enforcement).

Don’t hold your breath

The Personal Data (Privacy) Ordinance was passed in 1995 and took effect from December 1996 – but not for section 33. This is the statutory provision that is intended to regulate personal data transfers outside Hong Kong. It has been on the statute books, but not in force, for 24 years. But don’t hold your breath. There is no news of its effective implementation as part of the coming slate of updates.

Many modern data protection laws have a statutory backed framework to guide businesses on the protection of personal data collected from data subjects that is then transferred to another jurisdiction. This is particularly important in circumstances where the other jurisdiction may have less protection for personal data. Usually, the framework involves an adequacy regime, in which certain jurisdictions are considered “adequate” and providing at least equivalent protection for personal data. This facilitates the transfer of personal data between those white listed countries. The framework would usually also involve recommendations on contractual provisions to include in data transfer arrangements, and other best practices to follow for ongoing review. This is the approach adopted by the GDPR. Hong Kong is out of step on this.

Nonetheless, it would not be true or fair to say that no protection applies to personal data that is transferred from Hong Kong, or that no guidance is available. Many of the data protection principles set out in the Personal Data (Privacy) Ordinance will influence and affect data transfers from Hong Kong. There are clear requirements in respect of data processors. The Privacy Commissioner has published commendable non-binding guidance on international data transfers.

Still, there has been no announcement about any imminent introduction of section 33.

Happening elsewhere

GDPR trumpeted the so-called individual right of data subjects to be forgotten. This is the right for a data subject to require a data controller/user to delete the personal data records for the data subject. This is not among the proposals for change in Hong Kong. The position will remain that, upon informing a data subject of the uses for his personal data, the data user may continue to use the personal data for as long as necessary for those purposes. These are based on principles of transparency, data retention and data minimization. The data subject may access the personal data records, and require their correction. However, a data subject has no right to require deletion of the personal data – and this is not changing.

Another individual data subject right that is common elsewhere is the right of portability. A right of portability allows a data subject to make a request to a data controller/user to transfer his personal data to a third party. So, the data subject would not need to provide fresh personal data to a third party, but instead would be entitled to have that personal data given directly to the third party. This is particularly useful in banking and financial services for consumers. The right of data portability exists in other places. It exists in the EU, and it is about to be brought into being in Singapore. There is no proposal to introduce a right of portability in Hong Kong.

Closing thoughts

In any proposal for change, there are always items on the wish list that do not make the final cut. This does not detract from the importance of the proposed changes that will be enacted. Those changes are very positive signs of progress. It is an indication though that the story of personal data protection is an evolving narrative, and the pace of change is quickening. We will see change in data protection laws soon in Hong Kong. There will be further scope for progress in the future, and it may not take many years for that to come about.

Pádraig Walsh

If you would like to discuss any of the matters raised in this article, please contact:

Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.