
HK Govt Looking at Data Protection Reforms


The Constitutional and Mainland Affairs Bureau (CMAB), together with the Privacy Commissioner for Personal Data (Privacy Commissioner), published a consultation paper raising important data protection issues and proposing possible amendments to the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO) on 20 January 2020.

This move followed the review of the existing data protection regime in Hong Kong.

The consultation paper seeks feedback from members of the Legislative Council, and experts expect that more specific proposals for reforms to the PDPO will be made at the appropriate time.

However, there is currently no information in the consultation paper pertaining to an express timeframe for the completion of this review process or when specific amendments to the PDPO would be proposed.

Experts laid out an overview of the key proposals, as follows:

  1. Mandatory Data Breach Notification Mechanism

The consultation paper recommended the introduction of a mandatory data breach notification mechanism.

This would require a report to the Privacy Commissioner and impacted individuals in the event of a data breach carrying “a real risk of significant harm”.

The CMAB suggested that the mechanism would ensure that the Privacy Commissioner could more effectively monitor the handling of data breaches by relevant organisations.

In addition, organisations could seek instructions from the Privacy Commissioner with regard to any follow-up actions to mitigate or prevent further loss and damage resulting from the data breach incident.

  2. Data Retention Period

At present, the PDPO does not specify a definitive retention period and, as such, data users are left to interpret the meaning of what is considered “no longer necessary”.

The consultation paper suggested that there is a higher risk of a data breach in instances where data is retained for a longer period of time, especially if such data should have been purged and retaining such information was in fact unnecessary.

Whilst the consultation paper acknowledges that it would be inappropriate to propose a uniform retention period in the PDPO that would apply to all types of personal data held by different organisations for different purposes, it was suggested that the PDPO be amended to require data users to formulate a clear retention policy, specifying a retention period for the personal data collected.

In particular, such retention policy should address the maximum retention periods for the different categories of personal data and data users should disclose how the retention period would be calculated.

  3. Sanctioning Powers

The consultation paper considered raising criminal fines in order to strengthen the deterrent effect against breaching the provisions of the PDPO.

It was also suggested that the Privacy Commissioner should be empowered to directly impose administrative fines for the contravention of the PDPO, similar to other data protection authorities such as those in the EU, Singapore and the United Kingdom.

In particular, the CMAB and the Privacy Commissioner are deliberating whether it would be feasible to introduce an administrative fine linked to the annual turnover of the data user.

  4. Regulation of Data Processors

Currently, the obligation to comply with the PDPO applies to “data users” (i.e. an organisation that controls the collection, holding, processing or use of personal data).

The PDPO does not directly regulate “data processors” (i.e., an organisation that processes personal data on behalf of data users).

Data users are required to ensure by way of contractual means that data processors adopt suitable measures to ensure the safety of a data subject’s personal data.

The consultation paper concludes that this level of protection is inadequate, especially as the outsourcing of data has become a common practice in the digital age.

In light of this, it was suggested that the PDPO may be amended so that data processors are directly accountable for personal data retention and security, and are responsible for notifying the Privacy Commissioner and the data user upon becoming aware of any data breach incident.

  5. Definition of Personal Data

The consultation paper also mentioned possible amendments to the definition of “personal data”.

At present, the definition of “personal data” in the PDPO includes information that relates to an “identified person”. The CMAB is exploring whether to expand this definition so as to include data that relates to an “identifiable natural person” instead.

This proposed amendment was raised in order to tackle the widespread use of tracking and data analytics technology, which is commonly deployed today by global technology companies.

  6. Doxing

The issue of doxing was the final area of possible reform raised by the CMAB.

According to the consultation paper, the HKSAR Government is considering whether it would be feasible to amend the PDPO to address the issue of doxing more effectively.

For example, it was suggested that the Privacy Commissioner could be granted statutory powers to order the removal of doxing-related material from social media platforms or websites and be given the power to institute criminal investigations and prosecutions.

Looking Ahead

Considering the recent wave of major data breach incidents and the rapid technological advancements resulting in new uses of personal data in Hong Kong, the consultation paper recognised a need for enhancing the level of protection currently afforded under the PDPO.

EU member states and the province of Alberta in Canada, as well as the state of California in the United States and other countries in Asia such as the PRC, Australia, Indonesia, South Korea, Taiwan and Thailand, all have mandatory data breach notification mechanisms in place.

In addition, other common law jurisdictions such as Singapore and New Zealand are expected to introduce similar mechanisms in their data protection regimes as well.

If enacted, the aforementioned reforms will bring Hong Kong closer to being in line with the recent regulatory developments in data protection in other parts of the world.

