Any organisation processing Hong Kong personal data must plan ahead to anticipate significant new compliance obligations. These are proposed in a recent consultation paper to amend Hong Kong’s Personal Data (Privacy) Ordinance (PDPO), and would – if passed – constitute the first changes to the PDPO since 2012.

Key proposed amendments include:

1. Direct administrative fines linked to annual turnover. This will significantly increase the penalty from the relatively low level of fines available at present (i.e., a maximum of HKD1 million) to a much higher amount calculated by reference to annual turnover.

2. Mandatory data breach notification – to the privacy authority (PCPD) and affected data subjects within a prescribed timeframe (as soon as practicable and not more than five business days).

3. Mandatory data retention policy – organisations would need to formulate – and publish – a clear retention policy which specifies a retention period for the personal data collected.

4. Direct regulation of data processors – direct liability for data security, data retention, and data breach notification.

5. Expanded definition of “personal data” – to cover activities involving anonymised data where individuals can be re-identified.

6. Specific safeguards and sanctions regarding “doxxing”.

It is interesting that the consultation paper does not touch on the subject of overseas data transfers, given that a proposal to amend the PDPO to cover this has been passing through the Legislative Council for the last couple of years.

Read a copy of the consultation paper.
