The Hong Kong government has proposed wide-ranging reforms to its data privacy law, the Personal Data (Privacy) Ordinance (Cap 486) (“PDPO”). The contemplated reforms, first discussed in the legislature in January 2020, would be the most radical overhaul of the PDPO since its introduction in 1996.
They are significant and represent an enhancement to the level of personal data protection offered in Hong Kong, although there is still more that could be done. In the linked client briefing, we consider the proposed changes to the PDPO and other areas for reform.
In summary, the proposed reforms cover six main areas:
- A wider definition of ‘personal data’ which will capture ‘identifiable’ natural persons rather than simply ‘identified’ ones.
- The direct regulation of data processors, meaning that data processors will be directly subject to the PDPO and may be subject to enforcement action for breaches of the new obligations.
- The introduction of a mandatory breach notification regime, obliging data users to notify the regulator and data subjects of a data breach (whereas currently such notifications are optional).
- Enhanced data retention requirements, particularly around retention periods.
- More powerful sanctioning powers for the Privacy Commissioner, allowing him to impose administrative penalties, including turnover-related fines.
- The introduction of provisions to prevent and deal with ‘doxxing’.
While the proposed reforms are welcome and are largely consistent with recent global trends, they fall some way short of a complete ‘GDPR-style’ overhaul. For example: (1) the proposals do not introduce an accountability principle (despite the Privacy Commissioner's earlier comments that he would like to see one); (2) they are silent on non-fining sanctioning powers; and (3) they fail to address Hong Kong’s long-standing issues regarding international transfers of personal data.
Nevertheless, the proposed reforms should be welcomed by data users and data subjects alike. It will be interesting to observe if and when they become law.
The proposed reforms are significant and represent an enhancement to the level of personal data protection offered in Hong Kong, although there is still more that could be done.