Hong Kong

Summary

Law: Personal Data (Privacy) Ordinance (Cap. 486) as amended in 2021 (PDPO)

Regulator: The Office of the Privacy Commissioner for Personal Data (PCPD)

Summary: On October 8, 2021, the Personal Data (Privacy) Ordinance (Cap. 486) as amended in 2021 (PDPO) came into effect. The initial Act, enacted on December 20, 1996, introduced data subject rights in Hong Kong, specifying obligations for data controllers, and overseeing the collection, processing, holding, and use of personal data through six data protection principles. In 2012, significant amendments were made to the Act, effective from October 1, 2012, primarily focused on governing the use and provision of personal data in direct marketing. Further, the current 2021 amended PDPO specifically targeted the unauthorized disclosure of personal data without consent, addressing the issue commonly referred to as 'doxxing.'

In addition, the PDPO does not explicitly outline requirements for data processors, data protection officers, or mandatory breach notifications in the event of a breach. Furthermore, Section 33 of the PDPO, intended to regulate data transfers, has not yet come into effect, leaving a lacuna in the implementation of the law. Therefore, the Office of the Privacy Commissioner for Personal Data (PCPD), responsible for overseeing compliance with the PDPO, has issued various guidelines and codes of practice to fill the gap, such as the Guidance Note on the Recommended Model Contractual Clauses for Cross-border Transfers of Personal Data (2022 Guidance).

Notably, on January 5, 2020, the PCPD, in collaboration with the Legislative Council of Hong Kong, clarified in a discussion paper that the enforcement of Section 33 had been postponed due to concerns raised by the business sector, encompassing worries about its operational impact, challenges in compliance, and the need for additional time to implement measures aligning with Section 33. Additionally, the paper proposed more amendments to the PDPO, including the introduction of requirements for processors and breach notifications, along with the potential conferment of new enforcement powers to the PCPD.

Insights

Along with the growth and increasing prevalence of artificial intelligence (AI), including generative AI, the privacy and ethical risks brought along by the new technology should not be understated. Ada Chung Lai-Ling, Privacy Commissioner for Personal Data (PCPD), Hong Kong, China, looks at what steps organizations can take to ensure compliance and the guidance offered by the PCPD to help with this.

In this Insight article, Albert Yuen and Jasmine Yung, from Linklaters, discuss the increasing pace of regulatory developments across APAC jurisdictions, particularly focusing on Hong Kong's new Model AI Framework.

In this Insight article, Ada Chung Lai-Ling, Privacy Commissioner for Personal Data, Hong Kong, explores the Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong–Hong Kong–Macao Greater Bay Area (Mainland, Hong Kong) (the GBA SC), including its scope and adoption.

With a surge in cyberattacks around the world, the number of data breach incidents in Hong Kong reported to the Office of the Privacy Commissioner for Personal Data (PCPD) in the first half of 2023 (as of June 29, 2023) increased by more than 20% to 55 cases compared to the second half of 2022. Against this background, the PCPD issued a new Guidance on Data Breach Handling and Data Breach Notifications (the Guidance) to assist organizations in preparing themselves in the event a data breach occurs. The Guidance also contains practical recommendations to help organizations handle data breaches so as to contain the damage and harm that follows from such incidents. Dominic Wai, Partner at ONC Lawyers, provides an overview of the Guidance alongside the practical recommendations made by the PCPD.

The emergence of artificial intelligence (AI), particularly with the introduction of powerful generative AI-powered chatbots like OpenAI's ChatGPT, Google LLC's Bard, Microsoft Corporation's Bing Chat, Baidu, Inc's ERNIE Bot, and Alibaba's Tongyi Qianwen, has captured considerable attention this year. These powerful language tools are revolutionizing human-technology interactions due to their increasing ability to generate text indistinguishable from that written by humans. Generative AI is also being used for generating other content such as images, videos, and computer code. That said, various experts have warned that advancing the development of AI technologies without appropriate safeguards could cause detrimental effects to humanity. In fact, in July 2023, seven tech companies jointly expressed their voluntary commitment to developing AI responsibly according to the principles of safety, security, and trust. Ada Chung Lai-Ling, Privacy Commissioner for Personal Data, Hong Kong, China, discusses the considerations and risks regarding the use of generative AI, as well as the ever-evolving regulatory landscape.

On 9 February 2023, the Privacy Commissioner for Personal Data ('PCPD') published a Guidance Note on Data Security Measures for Information and Communications Technology ('the Guidance') to provide data users with some practicable recommendations on data security measures to help them comply with the relevant requirements.

Dominic Wai, Partner at ONC Lawyers, analyses the Guidance and provides an overview of its main recommendations, practical strategies, and best practices.

The new anti-doxxing regime introduced by Hong Kong's Personal Data (Privacy) (Amendment) Ordinance 2021 ('the Amendment Ordinance') has shown promising results in clamping down on illegal doxxing activities in Hong Kong in its first year of implementation. The new regime, which bears resemblance to similar laws in other jurisdictions, including Australia, Singapore, New Zealand, and California, came into effect in October 2021.

With a view to combatting doxxing activities which are intrusive to personal data privacy, the Office of the Privacy Commissioner for Personal Data ('PCPD') has been sparing no effort in enhancing public awareness and taking enforcement actions against such illegal acts under the new anti-doxxing regime. One year into implementation, Ada Chung Lai-Ling, Privacy Commissioner for Personal Data, Hong Kong, China, recapitulates the key features of the Amendment Ordinance and highlights the enforcement work of the PCPD over the past year.

Given the increasing digitalisation in the handling of personal data and globalisation of business operations in recent years, the Privacy Commissioner for Personal Data ('PCPD') has recently released its Guidance on Recommended Model Contractual Clauses for Cross-border Transfer of Personal Data ('the 2022 Guidance'). This is intended to assist organisations in crafting appropriate contractual terms for effecting such transfers within Hong Kong's data privacy regime. Albert Yuen, Yang Fan, and Eunice Lee, from Linklaters, look at key aspects of the 2022 Guidance and draw comparisons with the EU 2021 Standard Contractual Clauses ('the EU SCCs').

Effective from 8 October 2021, the implementation of the Personal Data (Privacy) (Amendment) Ordinance 2021 ('the Amendment Ordinance') heralds a new era in the regulatory regime for the protection of personal data in Hong Kong. Ada Chung Lai-Ling, Privacy Commissioner for Personal Data, discusses the introduced amendments in relation to doxxing.

The Privacy Commissioner for Personal Data ('PCPD') announced, on 8 October 2021, that the Personal Data (Privacy) (Amendment) Bill 2021 ('the PDPO Amendment Ordinance') was gazetted and came into force on 8 October 2021. In particular, the PCPD noted that it has published the Implementation Guideline for the Amendment Ordinance ('the Guideline') in the Hong Kong Gazette to accompany the PDPO Amendment Bill, which sets out the amendments and changes to the offences and sanctions. Furthermore, the PCPD has set up a telephone hotline for handling enquiries or complaints relating to doxxing activities, and a portal with information on doxxing on the PCPD's website.

In this insight, OneTrust DataGuidance provides an overview of the Guideline and the specific guidance set out by the PCPD regarding the operation of the PDPO Amendment Ordinance and the amendments introduced under the bill under four parts - doxxing, the PCPD's powers, serving of notices, and complaints mechanisms.

The Personal Data (Privacy) (Amendment) Bill 2021 ('the PDPO Amendment Bill') was passed on 29 September 2021, following the Legislative Council of the Hong Kong Special Administrative Region of the People's Republic of China's ('LegCo') second reading debate and third reading. The PDPO Amendment Bill, among other things, focuses primarily on combatting doxxing and strengthening the investigatory and prosecution powers of the Privacy Commissioner for Personal Data ('PCPD') in relation to doxxing offences. OneTrust DataGuidance discusses the journey of the PDPO Amendment Bill from its initial proposal, key concerns raised during the process of its passing, and the key changes confirmed in the final Personal Data (Privacy) (Amendment) Ordinance 2021 ('the Amendment Ordinance'), which took effect this month.

Diversity and inclusion programmes are becoming increasingly popular across the globe due to a growth in awareness and a demand for organisations to support values, such as equity and inclusion. While actively engaging in diversity and inclusion initiatives may help organisations to better understand, manage, and develop the business, it is not always clear what data can, and cannot, be included in diversity monitoring surveys or what the rules are for such data collection.

The legal requirements surrounding information relating to an individual's race, gender, ethnicity, sexuality, and health differ from country to country, with some classifying such data as 'sensitive data', while others view it under the umbrella of 'personal information'.

OneTrust DataGuidance Research has consulted with a number of legal experts operating within the Asia Pacific region in order to uncover the requirements for the collection and use of employee data for diversity and inclusion surveys. The countries covered in this Insight article include Australia, China, Singapore, Japan, Hong Kong, and India.