Thoughts from the Legal Front
Changes to Data Privacy Law
Changes to Data Privacy Law<br/>資料私隱法例修訂

Changes to Data Privacy Law<br/>資料私隱法例修訂

Businesses should start preparing for a major strengthening of Hong Kong’s data privacy legislation, likely to take effect within the next year or so.

The changes were foreshadowed in a discussion paper presented by the Government to LegCo in January 2020. Just over three years later, the Privacy Commissioner for Personal Data  (“Privacy Commissioner”) announced on 20 February this year that she, along with the Government, are intending to publish, and consult LegCo on, specific legislative proposals in the second quarter of this year, i.e. by the end of June.

What are these proposed changes? Those likely to be of most concern to Hong Kong businesses are:

  • A significant strengthening of the sanctions for contravening the Personal Data (Privacy) Ordinance (“PDPO”).
  • Compulsory reporting of significant data breaches to the Privacy Commissioner.
  • A new requirement on businesses to specify retention periods for different classes of personal data, and to publish the business’s data retention policy.
  • Direct requirements on third party data processors to comply with the PDPO (at present businesses holding personal data – “data users” – are responsible for the actions of third party contractors to whom they entrust the handling of personal data – these contractors are not themselves liable).

This article looks at each of these proposed changes in turn.


Strengthening of Sanctions

Currently, the Privacy Commissioner cannot directly impose penalties on businesses that contravene the PDPO. The Commissioner must first issue an enforcement notice on the business, directing it to remedy the contravention. Only if the enforcement notice is breached can the Commissioner then ask the court to impose a penalty on the business concerned.

Moreover, the maximum level of penalty for breaching an enforcement notice is relatively modest: $50,000.

The Government is proposing to change the law in two major respects. First, by giving the Commissioner the right to impose penalties directly, without the need to issue an enforcement notice, and without the need to go to the court asking for a penalty to be imposed if the enforcement notice is breached. Secondly, by increasing the maximum level of penalty. The Government is proposing to link the maximum level of penalty to the turnover of the business concerned. But what the maximum level will be is not yet clear.


Compulsory Reporting of Significant Data Breaches

The Government is proposing to introduce a new requirement on businesses whose personal data is leaked – whether accidentally or deliberately (a so-called “data breach”) – to report the data breach to the Privacy Commissioner. Currently there is no requirement to do so: the business is free to decide whether or not to report the data breach. The Government has suggested compulsory notification within five days of the data breach, but there is a possibility that the business may be allowed an initial period to investigate the circumstances of the breach before the five day period starts ticking.

Not all data breaches would require to be reported – only those where there is “a real risk of significant harm” to the individuals concerned. The Government has indicated that some guidance will be offered on the factors that will be taken into account in assessing whether there is a real risk of significant harm.


Data Retention Policies

Currently, the PDPO provides that data users shall take all practicable steps to ensure that personal data is not kept any longer than is necessary for the purpose for which it is to be used. It does not specify any particular periods for retention.

Under the new proposals, however, data users will be required to set specific retention periods for particular categories of personal data, depending on the purposes for which it is to be used (such as for compliance with taxation or employment law).

In addition, data users would be required specifically to include a data retention policy in the personal data policy that they are already required to publish.


Direct Liability of Third Party Processors

Businesses often have to transfer the personal data they hold to third party contractors, and entrust them with the handling of the personal data. These contractors (or, to use the Ordinance’s terminology, “processors”) could, for example, be storage companies (where the company does not have sufficient physical capacity to store the data); debt collection agencies; or companies with which they are engaging in joint promotional campaigns to customers.

Currently, the PDPO requires date users who engage such third party processors to use contractual or other means to ensure that these processors ensure the security of the personal data, and do not keep it for longer than is necessary. If the data user fails do this, or if the measures it has put in place fail, it is the data user that is potentially liable for contravention of the PDPO, not the third party processor.

Given the increasing use of third party processors, the Government is proposing to impose direct liability on them, if they fail to ensure the security of personal data, or keep it for longer than is necessary.

Third party processors will clearly need to make extra-sure that they have systems in place to comply with these new requirements, if they become law. For data users, it is not yet clear whether their existing requirement, to have contractual or other means to ensure the processors’ compliance, will continue apply. In other words, it is not clear whether the data user could be held liable for a breach of the PDPO, as well as the processor, if there is a data breach, or if data is kept longer than is necessary. 



So far, only limited details of the Government’s proposals have been published, and several issues have not yet been clarified. These issues include the maximum level of penalty, what will constitute a “real risk of significant harm” such as to trigger mandatory notification of a data breach to the Commissioner, and the respective liabilities of the data user and data processor if the latter is responsible for a data breach. So the “devil will be in the detail” of the specific proposals that the Government presents to LegCo. As noted above, it is intending to do so in the second quarter of this year.

Businesses would be well-advised to monitor these developments closely. This is especially the case, as the proposals thus far seem to have enjoyed considerable support amongst LegCo members, and the proposals may therefore be expected to proceed swiftly through the legislative process.


Over the years, we have helped businesses overcome adversity and thrive locally, in Mainland China and internationally.

If you want to take advantage of our network,insights and services, contact us today.