Out-Law / Your Daily Need-To-Know

Out-Law News

Hong Kong regulator to further amend rules on personal data protection


The data privacy authority in the Hong Kong Special Administrative Region (SAR) will propose further amendments to the territory’s Personal Data Privacy Ordinance (PDPO) in 2023, according to a new report.

In a report on its work in 2022 (20-page/970KB PDF) to the Legislative Council, the Office of the Privacy Commissioner for Personal Data (PCPD) said that it is working closely with the Hong Kong SAR administration to review the PDPO in some specific areas. These include setting up a mandatory data breach notification mechanism, requiring a data retention policy, empowering the Privacy Commissioner to impose administrative fines, and introducing direct regulation of data processors. The PCPD is aiming to publish more substantive plans in the coming months.

Technology expert Jennifer Wu of Pinsent Masons said: “With cybersecurity being a priority in Hong Kong SAR, it is not surprising that mandatory data breach notification is on the cards for amendments. This time round, companies should make sure their internal data policies and group data policies are in order before these changes occur. 2023 is the time to get cyber ready.”

Apart from amending the current PDPO, data security and cybersecurity issues will be another strategic focus of the PCPD in 2023. As a recap of PCPD’s work in this area, the PCPD published a guidance note on data security measures around information and communications technology in August 2022. This guidance note set out the PCPD’s recommended data security measures to ensure compliance with the PDPO and offered useful pointers for data users – known as data controllers – on how to formulate and strengthen their data security systems.

The PCPD has also been keen on collaborating with the wider privacy protection community, both regionally and internationally. In 2022 the PCPD signed a renewed Memorandum of Understanding (MOU) with the Personal Data Protection Commission of Singapore to strengthen the liaison and collaboration between the two regulatory authorities. This is done by facilitating the exchange and sharing of best practices of data protection policies and enforcement actions, coordination of mutual assistance in joint investigations into cross-border personal data incidents, and cooperation in education and training.
