Reforms in Hong Kong’s personal data privacy laws have been under review since the publication of a government paper in January 2020 (LC Paper No CB(2)512/19-20(03)), an acknowledgment that the present laws need to be modernised in line with the increasing liability and exposure of data users.
These proposed reforms are summarised as follows:
In Hong Kong, there is currently no mandatory reporting requirement in the event of a data breach. However, the reforms under consideration provide for this and include the following:
Under the PDPO, data users are required to take all practicable steps to ensure that personal data is kept no longer than is reasonably necessary for the purpose for which it was collected. There is no express retention period provided for and therefore the question of the period which is deemed to be necessary is highly dependent upon the facts and circumstances.
With regard to the proposed reforms, data users would be required to do the following:
Under the present regime, the level of fines does not act as a deterrent. In addition, the Privacy Commissioner is not empowered to directly impose administrative fines:
Accordingly, the proposed changes include:
At present, data users control the personal data collected and are responsible for the protection of such data. Data processors, that is, parties which process personal data on behalf of the data user rather than for their own purposes, are under no such obligation save if expressly provided for under a contract with the data user. Accordingly, steps are being taken towards the direct regulation of data processors (such as third party/external service providers).
The proposed reforms include the following:
Under the PDPO, “personal data” relates to the personal data of a living person whose identity can be ascertained and which comes in a form in which access to or processing of the data is practicable (that is, an identified person).
Under the proposed reforms, consideration is being given to extending the application of the PDPO to “identifiable persons”. This would, in effect, mean that data captured with the use of data analytics technology (such as the data obtained from IP addresses, website cookies and online tracking tools) which enable data users to link such information to or point to a relatable person (that is, an “identifiable person”), would fall within and be governed by the provisions of the PDPO.
On 16 July 2021, the Personal Data (Privacy) (Amendment) Ordinance 2021 (“Amendment Ordinance”) was published in the gazette with a view to criminalising doxxing and to conferring statutory powers upon the Privacy Commissioner to act against this. This subsequently came into effect on 8 October 2021.
Under the Amendment Ordinance, any person who discloses or conspires to disclose any personal data of a data subject or any of his/her family members without his/her express consent, whether recklessly or with intent to cause harm to the person or his/her family, commits an offence punishable by fine(s) and/or imprisonment.
The Privacy Commissioner can now institute criminal investigations and prosecutions in relation to doxxing-related offences. The powers conferred on the Privacy Commissioner are wide and include the following:
The proposed reforms are still very much at the discussion stage, with no timetable as yet for implementation. It is generally accepted that important changes are required to the PDPO to bring Hong Kong’s data protection laws in line with international standards as well as to meet the increasing liability and exposure of data users. These proposed reforms will be a good start to this process.
If you wish to discuss this article or any data privacy issues, please contact Rosie Ng or Sharon Lam.