Written by Partner Anna Gamvros and Associate Libby Ryan, both based in the Hong Kong office.

Earlier this week, the Constitutional and Mainland Affairs Bureau (the CMAB)  released its discussion paper (LC Paper. No. CB(2) 512/19-20(03) (the Paper) seeking the Legislative Council’s Panel on Constitutional Affairs’ (the Panel) views on proposed changes to the Personal Data (Privacy) Ordinance (Cap.486) (the PDPO). The Paper was released on Monday 13th January, as part of an agenda for the Panel meeting which was held on Monday, 20th January, and follows proposals by the Privacy Commissioner for Personal Data (the Commissioner) to the government to amend the PDPO. The Paper sets out six proposed amendments to the PDPO:

  1. Introduction of a mandatory breach notification mechanism. It is proposed that the mechanism should include:
    1. a definition of “personal data breach” along the lines of the GDPR definition, being “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”;
    2. a notification threshold so the mechanism will only apply to data breaches that have a “real risk of significant harm” taking into account factors such as the type and amount of data leaked and the security level of the data (encrypted or not);
    3. a time frame for notifying the breach to the Commissioner and individuals. An example of, “as soon as practicable and, under all circumstances, in not more than five business days” is included in the Paper; and
    4. details on the method of notification, as well as the content.
  2. Certainty around data retention periods. It is proposed that data users will be required to have clear retention policies. The Paper recognises that it is not practicable to set a uniform retention period applicable to all types of personal data held by various organisations for different purposes. As such, the Paper proposes requiring data users to have in place a clear retention policy that specifies:
    1. a maximum retention period for different categories of personal data collected;
    2. legal requirements that may affect the retention periods (for example, tax, employment and medical regulations); and
    3. how the retention period will be counted. For example, from the date of collection of personal data, or from expiry of a data subject’s membership with the organisation.
  3. Changes to the Commissioner’s sanctioning powers. In order to enhance the deterrent effect of the PDPO and strengthen the Commissioner’s powers, the following changes are proposed:
    1. increasing the relevant criminal level fines and potentially linking the fines to a percentage of annual turnover and a scale which would have different levels of fines depending on the turnover of the data user;
    2. conferring powers on the Commissioner allowing him to directly impose administrative fines for breaches of the PDPO. Such fines should take into consideration a number of factors including the types of data compromised, severity of the data breach, whether the data user intended the breach to happen and its attitude towards the handling of the breach, remedial actions taken, track record etc. Data users should have the right to appeal the fines, and be given appropriate time to do so; and
    3. a mechanism for the imposition of the administrative fine.
  4. Regulation of data processors. The purpose of this amendment is to share responsibilities for data protection between data users and processors, and prevent data processors from neglecting the importance of preventing personal data leakage. Data processors would be held directly accountable for data retention and security, equal obligations would be imposed on data processors and they would be required to notify the Commissioner and the data user upon becoming aware of a data breach.
  5. Amendment to the definition of personal data. Changes to the definition would expand the current definition to include information that relates to an “identifiable natural person”, rather than an “identified person”. This change reflects the wide use of tracking and data analytic technology being used today and is in line with definitions adopted in other jurisdictions.
  6. Regulation of disclosure of personal data of other data subjects. This change is proposed primarily to curb the effect of doxxing of which we have seen an increase recently in Hong Kong. Since 14 June, 2019,  the Commissioner has received over 4700 doxxing related complaints and enquiry cases since 14 June, 2019. Proposed measures include conferring statutory powers on the Commissioner allowing a request to remove doxxing content from social media platforms or websites, as well as criminal investigation powers and prosecution.

These changes are the first changes to the PDPO to be proposed in over 10 years. They are in response to recent data protection related events in Hong Kong and reflective of changes and new laws we have seen in other jurisdictions.

We will closely monitor the discussions around these proposals and will provide an update following the Panel meeting on 20 January, 2020.