Any organisation processing Hong Kong personal data should plan ahead for significant new compliance obligations. These are proposed in a recent consultation paper to amend Hong Kong’s Personal Data (Privacy) Ordinance (PDPO), and would, if passed, be the first changes to the PDPO since 2012.
Key proposed amendments include:
1. Direct administrative fines linked to annual turnover. This would significantly increase the penalty from the relatively low level of fines available at present (a maximum of HKD1 million) to a much higher amount calculated by reference to the organisation’s annual turnover.
2. Mandatory data breach notification: to the privacy authority (PCPD) and to affected data subjects within a prescribed timeframe (as soon as practicable, and in any event not more than five business days).
3. Mandatory data retention policy: organisations would need to formulate, and publish, a clear retention policy specifying a retention period for the personal data they collect.
4. Direct regulation of data processors: direct liability for data security, data retention and data breach notification.
5. Expanded definition of “personal data”: to cover activities involving anonymised data where individuals can be re-identified.
6. Specific safeguards and sanctions regarding “doxxing”.
It is notable that the consultation paper does not touch on the subject of overseas data transfers, given that a proposal to amend the PDPO to cover this has been before the Legislative Council for the last couple of years.
Read a copy of the consultation paper.
