In a briefing to the Legislative Council (Hong Kong’s legislative body) on February 20, 2023, the Privacy Commissioner (“the Commissioner”) announced that substantive amendments to the Personal Data (Privacy) Ordinance (“PDPO”) will take place.
Proposed amendments include the introduction of:
- Mandatory data breach notification(s) to the Commissioner and to impacted individuals, in situations where there is “a real risk of significant harm” – the notification needs to be done within five business days from when the entity collecting data (“data user”) becomes aware of the breach;
- Direct regulation of data processors under the PDPO in relation to personal data retention and security obligations (currently, data processors are not directly regulated under the PDPO because the onus of ensuring compliance by data processors is placed on the data users that retain these processors);
- A requirement for data users to formulate a clear personal data retention policy. However, the Commissioner has indicated that it does not intend to prescribe specific retention periods; and
- Express powers for the Commissioner to impose administrative fines (in addition to existing powers to levy criminal fines). There is also a possibility that the level of administrative fines will be based on annual turnover, similar to the EU GDPR.
The Commissioner has indicated that the amendments will be finalized in Q2 of 2023. Sidley continues to monitor these developments closely so that clients can make the necessary changes to their privacy programs.
This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.