Feb 242023

Substantial Changes to Hong Kong’s Privacy Laws Coming

Yuet Ming Tham, Shu Min Ho and Lauren Chan
, ,

In a briefing to the Legislative Council (Hong Kong’s legislative body) on February 20, 2023, the Privacy Commissioner (“the Commissioner”) announced that substantive amendments to the Personal Data (Privacy) Ordinance (“PDPO”) will take place.

Proposed amendments include the introduction of:

  • Mandatory data breach notification(s) to the Commissioner and to impacted individuals, in situations where there is “a real risk of significant harm” – the notification needs to be done within five business days from when the entity collecting data (“data user”) becomes aware of the breach;
  • Direct regulation of data processors under the PDPO in relation to personal data retention and security obligations (currently, data processors are not directly regulated under the PDPO because the onus of ensuring compliance by data processors is placed on the data users that retain these processors);
  • A requirement for data users to formulate a clear personal data retention policy. However, the Commissioner has indicated that it does not intend to prescribe specific retention periods; and
  • Express powers by the Commissioner to impose administrative fines (in addition to existing powers to levy criminal fines).  There is also a possibility that the level of administrative fines will be based on annual turnover, similar to the EU GDPR.

The Commissioner has indicated that the amendments will be finalized in Q2 of 2023.  Sidley continues to monitor these developments closely so that clients can make the necessary changes to their privacy programs.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.

Yuet Ming Tham

Singapore, Hong Kong

ytham@sidley.com

Shu Min Ho

Singapore

shumin.ho@sidley.com

Lauren Chan

You might also like
EU Formally Adopts Cyber Law for Connected Products

On 12 March 2024, the European Parliament approved the EU Cyber Resilience Act (“CRA”) with a large majority of 517-12 votes in favor of the legislation (with 78 abstentions). The CRA aims to ensure that “products with digital elements” (“PDE”) i.e., connected products such as smart devices, and remote data processing solutions, are resilient against cyber threats and provide key information in relation to their security properties.

Chambers 2024 Global Practice Guides for Data Protection & Privacy and Cybersecurity
The newest editions of the Chambers Global Practice Guides have been published and, once again, Sidley lawyers have contributed to two guides: Data Protection & Privacy 2024 and Cybersecurity 2024. These publications cover important developments across the globe and offer insightful legal commentary for businesses on issues related to data privacy and cybersecurity, such as regulatory enforcement and litigation, global cooperation to combat cybercrime, international agreement on ‘Software Security by Design,’ a global approach to policy on artificial intelligence, and more. Sidley partner Alan Charles Raul is a contributing editor to both guides in addition to authoring the introductions. The UK chapters of Cybersecurity 2024, covering “UK Law and Practice” and “UK Trends and Development” were authored by Sidley lawyers William Long, Francesca Blythe, Denise Kara, and Eleanor Dodding.
EU Formally Adopts World’s First AI Law

On March 13, 2024, the European Parliament formally adopted the EU Artificial Intelligence Act (“AI Act”) with a large majority of 523-46 votes in favor of the legislation. The AI Act is the world’s first horizontal and standalone law governing AI, and a landmark piece of legislation for the EU.