The Times They Are A-Changin': Hong Kong Privacy Commissioner promised concrete proposals for further PDPO amendments

Written By

wilfred ng Module
Wilfred Ng

Partner
China

I am a partner in our Commercial Department based in Hong Kong. As a technology, media, telecoms and data protection lawyer, I am experienced in advising on all aspects of commercial, transactional and regulatory matters in the TMT space.

The Privacy Commissioner in Hong Kong briefed the Panel on Constitutional Affairs of the Legislative Council on 20 February 2023 (“Legco Briefing”) regarding its proposed efforts to put forward further amendments to the Personal Data (Privacy) Ordinance (“PDPO”).

This is the latest proposed legislative effort preceded by the recent PDPO changes taken place in 2021 which introduced the criminalisation of doxxing behaviours (see our previous summary and our subsequent reporting).

New or earlier proposed changes?

Watchful observers will notice that the references made by the Privacy Commissioner in the Legco Briefing stem from a set of changes first proposed in a discussion paper published in 2020 by the Hong Kong Constitutional and Mainland Affairs Bureau.  A summary of which has been reported here in our earlier briefing. 

Whilst the fact that the Legco Briefing included (i) mandatory breach notification; (ii) formulation of data retention policy; (iii) greater powers for the Privacy Commissioner to impose administrative fines; and (iv) direct regulation of data processors indicates a continuance of the proposed changes first included in the 2020 discussion paper, the following remains to be seen.

  • How will these ‘pre-existing’ proposals be played out during the later consultation and legislative stages?  For instance, would the threshold of data breach remain as ‘a real risk of significant harm’, and notification must be completed within a specified timeframe (as soon as practicable but not more than 5 business days)?  Would the direct PDPO obligations imposed on processors remain limited to data retention and security, and an obligation for data breach notification to data user and the Privacy Commissioner?  

  • The earlier proposal to widen the definition of personal data to include ‘identifiable person’ – a major nod to the use of modern-day tracking and analytics technology – is not mentioned in the Legco Briefing.  Would this still be included in the upcoming changes? 

Where to, what next?

The Privacy Commissioner clearly expressed its intention to consider the data protection laws of other jurisdictions whilst accounting for the practicalities of implementation in Hong Kong.  Comparative parallels drawn by the upcoming PDPO amendments will be closely monitored by practitioners in this region given the latest data protection and cybersecurity regulatory developments in the rest of the world, including China. 

The Privacy Commissioner will be working closely with the Hong Kong Government in proposing these legislative amendments in the second quarter of 2023.  

Latest insights

More Insights
featured image

Saudi Arabia: Qualified obligation on data controllers to register with Data Protection Authority

3 minutes Dec 03 2024

Read More
Curiosity line teal background

China TMT: Bi-monthly Update - September & October 2024 Issue

19 minutes Nov 28 2024

Read More
Curiosity line pink background

China Cybersecurity and Data Protection Monthly Update - November 2024 Issue

19 minutes Nov 28 2024

Read More