Regulator: The Office of the Privacy Commissioner for Personal Data ('PCPD')
Summary: Data protection in Hong Kong is governed by the PDPO, which establishes data subject rights, imposes specific obligations on data controllers, and regulates the collection, processing, holding, and use of personal data through six data protection principles. The PDPO came into force on 20 December 1996, and was significantly amended in 2012 and in 2021. Most of the 2012 amendments took effect on 1 October 2012, and were primarily related to governing the use and provision of personal data in direct marketing. The 2021 amendments took effect on 8 October 2021, and were aimed at addressing acts of disclosing personal data without consent, i.e. 'doxxing'.
In its current form, the PDPO does not include direct requirements for data processors or data protection officers, or mandatory breach notifications, and Section 33 of the PDPO, which would regulate data transfers, has yet to come into effect. The PCPD oversees compliance with the PDPO and has issued several guidelines as well as codes of practice. In January 2020, the PCPD and the Legislative Council of Hong Kong released a discussion paper considering several proposed amendments to the PDPO. These included the introduction of requirements for processors and breach notifications, and new enforcement powers for the PCPD.