The Legislative Council of the Hong Kong Special Administrative Region of the People’s Republic of China (‘LegCo’) announced, on 20 January 2020, its proposed amendments (‘the Amendments’) to the Personal Data (Privacy) Ordinance 1996 as amended in 2013 (Cap. 486) (‘PDPO’) as part of its review of the PDPO. In particular, the Amendments would introduce a notification mechanism for data breaches, new obligations for data processors, data retention policy requirements, penalties for non-compliance, and provisions regulating ‘doxxing’ incidents. Furthermore, the LegCo outlined that the Amendments were introduced because the current stance of the PDPO is ‘behind’ technological development and ‘inadequate’ in its protection of people’s privacy.

How will the Amendments impact organisations?

Mark Parsons, Partner at Hogan Lovells International LLP, told OneTrust DataGuidance, “The most significant operational changes across a wide range of organisations will be:

mandatory data breach notification: Organisations would need to effectively implement a data breach incident response programme, which includes a policy to evaluate the notification of breaches to the PCPD and impacted data subjects;

regulation of data processors: Organisations that are data processors processing personal data on behalf of other organisations would need to review their operations to ensure that they meet the new direct compliance requirements; and

data retention: The PDPO may be amended to require data users to be in a position to show that they have a data retention programme and disclose this programme to data subjects. This would be a new ‘accountability’ requirement under the PDPO that will necessitate a review of existing personal data holdings and ensure that a retention programme is developed and implemented.”

How would the role of the PCPD change following the Amendments?

The Amendments would introduce higher penalties and criminal convictions to reflect the severity of breaches of the PDPO. Parsons noted, “the proposals include an evaluation of whether or not the Personal Data Protection Commission (‘PDPC’) should be empowered to issue administrative fines.”

The Amendments further propose to evaluate whether or not such administrative fines should be linked to the global annual turnover of companies, reflecting the current regulatory climate within the EU. On this matter, Parsons commented that the PDPC has been “more focused on encouraging compliance and remediation [rather] than punishing past breaches. Administrative fines could change this.”

Would the Amendments assist Hong Kong in obtaining an adequacy decision from the European Commission?

Parsons highlighted, “EU adequacy is not the objective of the review […] It is more of an abstract idea […] Legislative reform is very challenging in Hong Kong [and] law-makers are focused on reforms addressing immediate issues.”

What are the reasons behind the Amendments?

The Amendments and discussions put forward by the LegCo focus on responding to current issues developing in Hong Kong. Parsons noted, “Doxxing is most directly engaged by the proposal to introduce additional measures dealing with unauthorised disclosure of personal data, but the doxxing issue flows through the other areas of reform as well, such as regulating data processors and increasing enforcement powers.” In addition, Parsons highlighted that the “proposals in relation to mandatory breach notification, retention and enforcement are also tied to the highly publicised data breach which occurred last year.”

What’s next?

The Amendments have been presented in the official discussions for review by the LegCo. The Constitutional and Mainland Affairs Bureau and the PDPC will request feedback on the proposals before approving and introducing a draft law.

Theo Stylianou, Privacy Analyst


Comments provided by:

Mark Parsons, Partner


Hogan Lovells International LLP