Change is coming: An update on proposed changes to the Personal Data (Privacy) Ordinance


2023-03-07 UPDATE: Please see our overview of potential changes at:

Two major data breach incidents in 2018 involving Cathay Pacific and TransUnion are now driving long overdue legislative change to personal data privacy protection in Hong Kong. On 20 January 2020, the Constitutional and Mainland Affairs Bureau, in collaboration with the Privacy Commissioner of Hong Kong, provided its report on recommended changes to the law in Hong Kong. This is the first step in a process of consultation and engagement that will lead to legislative reform. Pádraig Walsh from the Privacy and Cybersecurity practice group of Tanner De Witt reviews and assesses the proposed changes.

What changes are proposed?

There are six key proposals:

  1. Introduce a mandatory data breach mechanism under which any data breach having a real risk of significant harm must be reported to the Privacy Commissioner within five business days.

  2. Require data users to adopt a written policy governing data retention in which the data user specifies retention periods according to the different categories of data it holds.

  3. Grant the Privacy Commissioner administrative fining powers.

  4. Bring data processors under the direct regulation of the Privacy Commissioner so that data processors are directly accountable for data retention and security.

  5. Broaden the definition of personal data so that it can capture digital means of tracking an identifiable person.

  6. Grant the Privacy Commissioner powers to require removal of doxxing content from online media, and additional investigative and prosecution powers.

What are the positive points about the proposals?

It’s all positive. The world has changed since the last reforms to the privacy rules in Hong Kong. In 2012, the primary concern was about the collection of personal data, and old-world means of using and processing that personal data. Since then, the rapid development of big data, artificial intelligence and related technologies have created new privacy risks for which the current framework is not fit for purpose.

At the time of its introduction in 1997, Hong Kong was at the vanguard of personal data protection. However, the legislation has not kept apace with global trends. Specifically, the EU General Data Protection Regulation created a new gold standard for personal data protection. Data nowadays has value and meaning if it moves. Given the global nature of data use, global standards for those who wish to be at the global table of commerce must trend towards GDPR. Hong Kong needs to catch up.

Each of these six proposals is overdue. The absence of a mandatory data breach requirement in Hong Kong has been an Achilles’ heel for some time. A notable feature of the Cathay Pacific data breach was that the incident was first discovered on 13 March 2018, but was ultimately notified to the Privacy Commissioner for the first time on 24 October 2018. This was a voluntary notification, as there was no mandatory breach requirement under Hong Kong law.

The absence of real fining and enforcement powers has often resulted in the mistaken perception of the Privacy Commissioner as a light touch regulator. Within one month of the Cathay Pacific investigation report, the UK Information Commissioner issued an intention to fine British Airways under GDPR regulation. The contrast was striking. Cathay Pacific was issued an enforcement notice, but no fines (as the Privacy Commissioner does not have that power). British Airways were given notice of intention that it could be fined £183 million. Fining power is not the be-all and end-all, but it is a key part of the framework. It has been missing in Hong Kong.

Other proposals reflect changes in the digital world in which we now live. Cybersecurity incidents are not just for big government and big business. They are a risk for all. The longer data is held, the more the risk of a breach, and the greater the harm done. Requiring data users to commit to specific data retention periods gives credence to the general principle that personal data is not kept longer than is necessary for the fulfilment of the purpose for which the data is used. Also, in the past outsourcing to data processors was unusual; now it is the norm.

The broadened expansion of the definition of personal data is interesting. This should mean that data that does not directly identify named persons but could still help identify them, will be protected. This will sweep into the regulatory net online and device identifiers like IP addresses, cookies, and device IDs, location data, user names, and pseudonymous data. This is a real necessity in the surveillance capitalist world we now live in.

These proposed changes represent a good response to recent data breach incidents in Hong Kong, global regulatory developments, and to changes in our current digital world.

What could be better?

The proposed changes are good. Privacy advocates will wish they are better.

Here are some points that could be included in the legislative reform, but are not:

  1. Introduction of a specific category of sensitive personal data (such as race, ethnicity, gender, politics, religion, health and biometrics) with prescribed higher levels of protection and regulation.

  2. Introduction of specific provisions to regulate children’s personal data.

  3. Granting data subjects the right to require their personal data to be deleted permanently in certain circumstances.

  4. Granting data subjects the right to receive personal data they provided to a data user and to transmit the data to another data user (in other words, data portability).

  5. A committed timeline to the introduction of regulation of transfers of personal data outside Hong Kong (section 33).

  6. Requirement of consent on the collection of personal data in all cases (with limited exceptions), rather than the current information-based regime (outside of direct marketing).

There is certainly more that could be done, but perhaps the unique economic culture of Hong Kong does not lend itself to the highest of all standards globally. Hong Kong has always balanced meeting social norms with economic freedoms. To do enough, without doing the most, is not unusual in Hong Kong for social legislation such as personal data privacy.

What should businesses do now?

At minimum, data retention policies will need to be created, reviewed and improved. Businesses in adtech or otherwise using similar data tracking means need to start their design thinking for the upgraded scope of regulated personal information. This is a spur to industry to pay particular attention to cybersecurity and look holistically at their internal controls and processes on IT usage, retention and security.

Start preparing. Change is on the way.

If you would like to discuss any of the matters raised in this article, please contact:

Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.