Hogan Lovells - Asia-Pacific Data, Privacy and Cybersecurity Guide 2025 - Page 31
Hong Kong SAR
Hong Kong’s Personal Data (Privacy) Ordinance (the PDPO) is one of the APAC region’s oldest data protection laws, coming into effect in 1995, with only two amendments since.
With China’s significant upgrade of data protection standards under PIPL, Hong Kong’s PDPO appears to be long overdue for an update. This is particularly so in light of policy objectives to draw Hong Kong into closer economic collaboration with Guangdong province as part of China’s Greater Bay Area (GBA) initiative, which seeks to link Hong Kong’s position as a leading financial hub to Shenzhen’s technological might and Guangdong province’s manufacturing prowess.
A short list of reforms has been foreshadowed as far back as January 2020, when Hong Kong’s Privacy Commissioner for Personal Data (the PCPD), together with the Constitutional and Mainland Affairs Bureau (CMAB), presented a discussion paper outlining topics for reform of the PDPO to the members of the Legislative Council (the PDPO Review Paper). The PDPO Review Paper sets out some important areas of legislative reform which would modernize the PDPO, bringing the law closer in line with international trends.
However, little headway has been made with the proposed legislative reform so far. In a briefing to Hong Kong’s Legislative Council (LegCo, Hong Kong’s legislative body) on February 20, 2023, the PCPD announced that the long-awaited amendments to the PDPO would be introduced in the first half of 2023, but this did not come to pass. More recently, the PCPD reported in a meeting of the LegCo Panel on Constitutional Affairs on February 17, 2025, that the comprehensive review of the PDPO was still ongoing; however, it had yet to work out a concrete plan and timetable to introduce proposals for legislative amendments.
Proposed legislative changes to the PDPO
The PDPO Review Paper focuses on the following areas:
· Mandatory Breach Notification Obligation: At present, the PDPO requires data users to take all practicable steps to prevent unauthorised or accidental access to personal data. However, unlike an increasing number of laws internationally, the PDPO does not include an obligation to notify the PCPD or impacted data subjects if this provision has been breached. This lack of a breach notification requirement was heavily publicised following the PCPD’s investigation of a substantial data breach by Cathay Pacific Airways in 2018. The PDPO Review Paper proposes a mandatory breach notification, which would require further formulation on: (i) how a “personal data breach” is defined; (ii) the threshold for notification; (iii) the timeframe for notification (which was proposed to be as soon as practicable and in not more than 5 business days); and (iv) the method of notification (the PCPD seemed to consider a formal written notification to be the more appropriate mode). A key challenge for the proposed notification obligation is to strike a balance between alerting the PCPD to data breaches and avoiding “notification fatigue”.
· Data Retention: The PDPO’s data protection principles require data users to ensure personal data is not kept longer than necessary for the fulfilment of the purposes of collection, but do not specify when the personal data is “no longer necessary”. The PDPO Review Paper recommends amending the PDPO to require data users to develop clear personal data retention policies, covering the maximum retention period for different types of personal data, the legal