The HKSAR Government is studying possible amendments to the Personal Data (Privacy) Ordinance (PDPO) jointly with the Office of the Privacy Commissioner for Personal Data (PCPD) to strengthen personal data protection in Hong Kong. The Government is now considering the following amendment directions:

a. establishing a mandatory data breach notification mechanism;

b. strengthening the regulation of data retention periods;

c. reviewing penalties for non-compliance with the PDPO by raising relevant criminal fines and exploring the feasibility of introducing a direct administrative fine;

d. regulating data processors directly to strengthen protection of personal data being processed; and

e. amending the definition of “personal data” to cover information relating to an “identifiable” natural person.

The proposed amendments were prompted by major data breach incidents, including the recent surge of “doxing”-related complaints, the leakage of personal data of 9.4 million passengers of Cathay Pacific Airways in October 2018 and security loopholes identified in the online procedures of TransUnion (Hong Kong’s official consumer credit reference agency) for obtaining personal credit information in November 2018.

The PCPD completed a compliance investigation into TransUnion and is looking to conduct a comprehensive review of the Code of Practice on Consumer Credit Data (Code), which provides guidance on the handling of consumer credit data by credit reference agencies.

Banks should be prepared to put in place appropriate measures including regular reviews of their corporate-wide privacy strategy in light of the proposed amendments to the PDPO.