Hong Kong: Important changes proposed to Hong Kong’s data protection law

Any organisation processing Hong Kong personal data must plan ahead to anticipate significant new compliance obligations requirements. These are proposed in a recent consultation paper to amend Hong Kong’s Personal Data (Privacy) Ordinance (PDPO), and would – if passed – constitute the first changes to the PDPO since 2012.

Key proposed amendments include:

1. Direct administrative fines linked to annual turnover. This will significantly increase the penalty from a relevant low level of fines (i.e., maximum HKD1 million at present) to a much higher amount calculated by reference to annual turnover.

2. Mandatory data breach notification – to the privacy authority (PCPD) and affected data subjects within a prescribed timeframe (as soon as practicable and not more than five business days).

3. Mandatory data retention policy – organisations would need to formulate – and publish – a clear retention policy which specifies a retention period for the personal data collected.

4. Direct regulation of data processors – direct liability for data security, data retention, and data breach notification.

5. Expanded definition of “personal data” – to cover activities involving anonymised data where individuals can be re-identified.

6. Specific safeguards and sanctions regarding “doxxing”.

It is interesting that the consultation paper does not touch on the subject of overseas data transfers, since a proposal to amend the PDPO to cover this has been passing through the Legislative Council for the last couple of years.

Read a copy of the consultation paper.

For more information please get in touch with Carolyn Bigg (partner, Hong Kong), Scott Thiel (partner, Hong Kong), Venus Cheung (Registered Foreign Lawyer, Hong Kong) or your usual DLA Piper contact.