6 Takeaways: What’s happened and what does it mean for businesses in Hong Kong?

1. Formal review and study of possible amendments to Personal Data (Privacy) Ordinance (PDPO)

As anticipated for some time, the Hong Kong Government is now formally reviewing and studying possible amendments to the PDPO jointly with the Office of the Privacy Commissioner for Personal Data (PCPD) aimed at strengthening the protection of personal data in Hong Kong.

The Constitutional and Mainland Affairs Bureau published a paper (LC Paper No. CB(2)512/19-20(03)) (Review Paper) for discussion at the Legislative Council Panel on Constitutional Affairs meeting on 20 January 2020.

Nothing has changed as yet: this is the start of a review process that will take some time before we see any specific proposals for legislative amendments to the PDPO.

2. Focus on six key proposals

The Review Paper does not propose a complete redraft of the PDPO. Instead, it focuses on six key proposals which we summarise in this update:

  1. mandatory data breach notification;
  2. requirement for a data retention policy;
  3. introducing the ability for the PCPD to impose direct administrative fines;
  4. regulation of data processors;
  5. expanding the definition of personal data; and
  6. regulating the disclosure of other data subjects' personal data.

Whilst the Review Paper proposes certain "GDPR-like" elements, many of the proposals are in response to specific data privacy issues in the digital age that have arisen locally in Hong Kong (in particular data security breaches and an increase in doxxing cases).

3. Greater powers for PCPD proposed

Of particular interest to Hong Kong businesses is the proposal for the PCPD to have more "teeth" and the ability to directly impose administrative fines "linked to the annual turnover of the data user". This follows the approach under the EU GDPR, where regulators can issue a fine of up to EUR 20 million or 4% of global annual turnover (whichever is higher).

The Government is also considering legislative amendments which would give the PCPD statutory powers to request the removal of doxxing content from social media platforms and websites, as well as the power to carry out criminal investigations and prosecution.

4. Increased compliance requirements if proposed changes come into effect

Businesses in Hong Kong that have not updated their privacy programmes to a higher global standard will have greater compliance requirements to meet (in particular on data breach and data retention) if the PDPO is amended to implement the changes outlined in the Review Paper. If the proposal to increase the PCPD's sanctioning and prosecution powers comes into effect, this would heighten the risk of privacy non-compliance for companies doing business in Hong Kong.

Businesses should monitor this area as it develops, as existing data governance policies and practices will need to be revisited if new requirements are introduced as a result of this PDPO review.

5. Next steps

The immediate next step is for the Government and the PCPD to work together to conduct a further in-depth study on concrete legislative amendment proposals and consult relevant stakeholders including the Legislative Council Panel on Constitutional Affairs.

There is currently no indicative timeline for tabling amendments and it is not yet clear when any formal amendments may take effect.

6. Will any other changes be proposed?

It remains to be seen if further proposals will be considered at a later stage to enhance other areas of the PDPO and introduce additional "GDPR-like" elements similar to those being considered or incorporated into the data privacy laws of other Asia Pacific economies.

The Review Paper indicates that the six proposals are the PCPD's "preliminary recommendations on PDPO amendments" and the present study focuses only on these amendments. Other areas such as an accountability obligation, a definition of sensitive data, increased rights of data subjects (e.g., data portability and the "right to be forgotten") and, in particular, cross-border data transfer (currently included in section 33 of the PDPO but not yet in force) do not feature in the proposals.