Hogan Lovells - Asia-Pacific Data, Privacy and Cybersecurity Guide 2025 - Flipbook - Page 32
requirements that may affect those retention
periods and how those retention periods
are calculated.
· Fines and Sanctions: At present, the PCPD
may issue an enforcement notice requiring
a data user to remediate its breach of the
data protection principles. A breach of an
enforcement notice may result in a Level
5 fine (HK$50,000) (approx. USD 6500)
and imprisonment for two years on first
conviction. To increase the deterrent effect of
these fines, the PDPO Review Paper proposes
to increase these fines and to allow the PCPD
to issue administrative fines.
· Regulation of Data Processors: Currently, the
PDPO only regulates data users and not data
processors, but the PDPO does require data
users to ensure that data processors adopt
measures to protect personal data. The PDPO
Review Paper goes further and proposes
regulatory oversight directly over
data processors.
· Definition of Personal Data: The PDPO
Review Paper proposes to expand the
definition of “personal data” to include
data that relates to an “identifiable” natural
person as opposed to the current definition
of an “identified” natural person. This would
cover more categories of data, for example,
tracking and behavioural data generated by
big-data tools.
As privacy regimes in the mainland and other
APAC jurisdictions continue to evolve, the
PDPO appears to be increasingly out of step
with international standards. It remains to be
seen whether there would be more concrete
developments for the proposed PDPO
reform in 2025.
Despite the stagnant reforms for Hong Kong’s
primary privacy legislation, progress has
been made on other fronts, as seen in: (i)
the launch of the GBA standard contract
initiative; (ii) the release of data protection
guidelines for organisations adopting AI; and
(iii) the enactment of the Protection of Critical
Infrastructure (Computer System) Bill.
Hong Kong received a potential boost from
a data protection perspective with the
publication in December 2023 by the CAC
and Hong Kong’s Innovation, Technology and
Industry Bureau of implementation guidelines
for standard contracts for cross-boundary flows
of personal data within the GBA.
The requirements for the GBA standard
contracts are noticeably relaxed when
compared to the general review of international
data transfers from China. However, the
GBA arrangements apply only to transfers
of personal data controlled in Guangdong
province, and do not permit onward transfer of
personal data from Hong Kong.
In addition, the PCPD provided guidance on
how organisations could harness the benefits
of AI while safeguarding personal data privacy.
The PCPD published a model framework for
personal data protection on June 11, 2024,
targeting organisations that procure AI
solutions and process personal data in their
operation of AI systems. It covers a set of best
practices in the following four areas:
· Establishing AI strategy and governance;
· Conducting risk assessment and
human oversight;
· Customisation of AI models and the
implementation and management of AI
systems; and
· Communication and engagement
with stakeholders.
Meanwhile, as the use of generative AI
becomes more prevalent, the PCPD also
issued guidelines for the use of such tools by
employees in the workplace in March 2025 to
assist organisations in the development of
internal policies while complying with
the PDPO.