The Times They Are A-Changin': Hong Kong Privacy Commissioner promised concrete proposals for further PDPO amendments

This is the latest proposed legislative effort preceded by the recent PDPO changes taken place in 2021 which introduced the criminalisation of doxxing behaviours (see our previous summary and our subsequent reporting).

New or earlier proposed changes?

Watchful observers will notice that the references made by the Privacy Commissioner in the Legco Briefing stem from a set of changes first proposed in a discussion paper published in 2020 by the Hong Kong Constitutional and Mainland Affairs Bureau.  A summary of which has been reported here in our earlier briefing. 

Whilst the fact that the Legco Briefing included (i) mandatory breach notification; (ii) formulation of data retention policy; (iii) greater powers for the Privacy Commissioner to impose administrative fines; and (iv) direct regulation of data processors indicates a continuance of the proposed changes first included in the 2020 discussion paper, the following remains to be seen.

• How will these ‘pre-existing’ proposals be played out during the later consultation and legislative stages?  For instance, would the threshold of data breach remain as ‘a real risk of significant harm’, and notification must be completed within a specified timeframe (as soon as practicable but not more than 5 business days)?  Would the direct PDPO obligations imposed on processors remain limited to data retention and security, and an obligation for data breach notification to data user and the Privacy Commissioner?  
  
  
• The earlier proposal to widen the definition of personal data to include ‘identifiable person’ – a major nod to the use of modern-day tracking and analytics technology – is not mentioned in the Legco Briefing.  Would this still be included in the upcoming changes? 
  
  

Where to, what next?

The Privacy Commissioner clearly expressed its intention to consider the data protection laws of other jurisdictions whilst accounting for the practicalities of implementation in Hong Kong.  Comparative parallels drawn by the upcoming PDPO amendments will be closely monitored by practitioners in this region given the latest data protection and cybersecurity regulatory developments in the rest of the world, including China.