The reform of Hong Kong’s Personal Data (Privacy) Ordinance (Cap.486) (the PDPO) is back on the agenda.

In our earlier post in 2020, we reported that the Constitutional and Mainland Affairs Bureau published a discussion paper (the Discussion Paper) seeking the Legislative Council’s Panel on Constitutional Affairs’ (the Panel) views on proposed changes to the PDPO.

According to a recent briefing to the Legislative Council, the Privacy Commissioner for Personal Data (the PCPD) reported that she is working closely with the government to comprehensively review the PDPO to formulate concrete proposals for legislative amendments. The Government and the PCPD target to consult the Panel of the specific legislative proposals by June 2023.

The proposed amendments mentioned in the briefing include:

  • establishing a mandatory data breach notification mechanism,
  • requiring formulation of a data retention policy,
  • empowering the Privacy Commissioner to impose administrative fines, and
  • introducing direct regulation of data processors.

These proposed amendments are consistent with the proposals set out in the Discussion Paper. One of the proposed amendments in the Discussion Paper was the regulation of disclosure of personal data of other data subjects, also known as “doxxing”. Amendments were passed in September 2021 to combat doxxing acts (see our earlier post).

It remains to be seen how the legislative process will unfold, but it is encouraging to see Hong Kong taking steps to reform its data privacy framework by making reference to the legal regime in other jurisdictions. We will continue to monitor the discussions and proposals for legislative amendments and provide further updates.