Hong Kong


Law: Personal Data (Privacy) Ordinance (Cap. 486) as amended in 2021 ('PDPO')

Regulator: The Office of the Privacy Commissioner for Personal Data ('PCPD')

Summary: Data protection in Hong Kong is governed by the PDPO, which establishes data subject rights, imposes specific obligations on data controllers, and regulates the collection, processing, holding, and use of personal data through six data protection principles. The PDPO came into force on 20 December 1996, and was significantly amended in 2012 and in 2021. Most of the 2012 amendments took effect on 1 October 2012, and were primarily related to governing the use and provision of personal data in direct marketing. The 2021 amendments took effect on 8 October 2021, and were aimed at addressing the acts of disclosing personal data without consent, i.e. 'doxxing'.

In its current form, the PDPO does not include direct requirements for data processors or data protection officers, nor does it mandate breach notifications. Section 33 of the PDPO, which would regulate data transfers, has yet to come into effect. The PCPD oversees compliance with the PDPO and has issued several guidelines as well as codes of practice. In January 2020, the PCPD and the Legislative Council of Hong Kong released a discussion paper considering several proposed amendments to the PDPO. These included the introduction of requirements for processors and breach notifications, and new enforcement powers for the PCPD.


In this Insight article, Ada Chung Lai-Ling, Privacy Commissioner for Personal Data, Hong Kong, explores the Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong–Hong Kong–Macao Greater Bay Area (Mainland, Hong Kong) (the GBA SC), including its scope and adoption.

With a surge in cyberattacks around the world, the number of data breach incidents reported in Hong Kong to the Office of the Privacy Commissioner for Personal Data (PCPD) in the first half of 2023 (as of June 29, 2023) has increased by more than 20% to 55 cases when compared to the second half of 2022. Against this background, the PCPD issued a new Guidance on Data Breach Handling and Data Breach Notifications (the Guidance) to assist organizations in preparing themselves in the event a data breach occurs. The Guidance also contains practical recommendations to help organizations handle data breaches so as to contain the damage and harm that follows from such incidents. Dominic Wai, Partner at ONC Lawyers, provides an overview of the Guidance alongside the practical recommendations made by the PCPD.

The emergence of artificial intelligence (AI), particularly with the introduction of powerful generative AI-powered chatbots like OpenAI's ChatGPT, Google LLC's Bard, Microsoft Corporation's Bing Chat, Baidu, Inc's ERNIE Bot, and Alibaba's Tongyi Qianwen, has captured considerable attention this year. These powerful language tools are revolutionizing human-technology interactions due to their increasing ability to generate text indistinguishable from that written by humans. Generative AI is also being used for generating other content such as images, videos, and computer code. That said, various experts have warned that advancing the development of AI technologies without appropriate safeguards could cause detrimental effects to humanity. In fact, in July 2023, seven tech companies jointly expressed their voluntary commitment to developing AI responsibly according to the principles of safety, security, and trust. Ada Chung Lai-Ling, Privacy Commissioner for Personal Data, Hong Kong, China, discusses the considerations and risks regarding the use of generative AI, as well as the ever-evolving regulatory landscape.

On 9 February 2023, the Privacy Commissioner for Personal Data ('PCPD') published a Guidance Note on Data Security Measures for Information and Communications Technology ('the Guidance') to provide data users with practicable recommendations on data security measures and to help them comply with relevant requirements.

Dominic Wai, Partner at ONC Lawyers, analyses the Guidance and provides an overview of its main recommendations, practical strategies, and best practices.

The new anti-doxxing regime introduced by Hong Kong's Personal Data (Privacy) (Amendment) Ordinance 2021 ('the Amendment Ordinance') has shown promising results in clamping down on illegal doxxing activities in Hong Kong in its first year of implementation. The new regime, which bears resemblance to similar laws in other jurisdictions, including Australia, Singapore, New Zealand, and California, came into effect in October 2021.

With a view to combatting doxxing activities which are intrusive to personal data privacy, the Office of the Privacy Commissioner for Personal Data ('PCPD') has been sparing no effort in enhancing public awareness and taking enforcement actions against such illegal acts under the new anti-doxxing regime. One year into implementation, Ada Chung Lai-Ling, Privacy Commissioner for Personal Data, Hong Kong, China, recapitulates the key features of the Amendment Ordinance and highlights the enforcement work of the PCPD over the past year.

Given the increasing digitalisation in the handling of personal data and globalisation of business operations in recent years, the Privacy Commissioner for Personal Data ('PCPD') has recently released its Guidance on Recommended Model Contractual Clauses for Cross-border Transfer of Personal Data ('the 2022 Guidance'). This is intended to assist organisations in crafting appropriate contractual terms for effecting such transfers within Hong Kong's data privacy regime. Albert Yuen, Yang Fan, and Eunice Lee, from Linklaters, look at key aspects of the 2022 Guidance and draw comparisons with the EU 2021 Standard Contractual Clauses ('the EU SCCs').

Effective from 8 October 2021, the implementation of the Personal Data (Privacy) (Amendment) Ordinance 2021 ('the Amendment Ordinance') heralds a new era in the regulatory regime for the protection of personal data in Hong Kong. Ada Chung Lai-Ling, Privacy Commissioner for Personal Data, discusses the introduced amendments in relation to doxxing.

The Privacy Commissioner for Personal Data ('PCPD') announced, on 8 October 2021, that the Personal Data (Privacy) (Amendment) Bill 2021 ('the PDPO Amendment Ordinance') was gazetted and has come into force on 8 October 2021. In particular, the PCPD noted that it has published the Implementation Guideline for the Amendment Ordinance ('the Guideline') in the Hong Kong Gazette to accompany the PDPO Amendment Bill, which sets out the amendments and changes to the offences and sanctions. Furthermore, the PCPD has set up a telephone hotline for handling enquiries or complaints relating to doxxing activities, and a portal with information on doxxing on the PCPD's website.

In this insight, OneTrust DataGuidance provides an overview of the Guideline and the specific guidance set out by the PCPD regarding the operation of the PDPO Amendment Ordinance and the amendments introduced under the bill under four parts - doxxing, the PCPD's powers, serving of notices, and complaints mechanisms.

The Personal Data (Privacy) (Amendment) Bill 2021 ('the PDPO Amendment Bill') was passed on 29 September 2021, following the Legislative Council of the Hong Kong Special Administrative Region of the People's Republic of China's ('LegCo') second reading debate and third reading. The PDPO Amendment Bill, among other things, focuses primarily on combatting doxxing and strengthening the investigatory and prosecution powers of the Privacy Commissioner for Personal Data ('PCPD') in relation to doxxing offences. OneTrust DataGuidance discusses the journey of the PDPO Amendment Bill from its initial proposal, key concerns raised during the process of its passing, and the key changes confirmed in the final Personal Data (Privacy) (Amendment) Ordinance 2021 ('the Amendment Ordinance'), which took effect this month.