BREAKING: Hong Kong Government proposed to amend the Data Protection & Privacy Law in Hong Kong
On 20 January 2020, the Legislative Council Panel on Constitutional Affairs (“LegCo CA Panel”) in Hong Kong discussed about the Hong Kong Government’s proposed amendment directions on the Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”), namely, LC Paper No. CB(2)512/19-20(03) (the “LC Paper”).
Although the LC Paper is merely indicative and preliminary as to what the Hong Kong Government is proposing to amend and is not yet part of the law, it provides insights of the directions of what to be changed.
Our team at ADG have studied and reviewed the LC Paper, and here are the key takeaways of what you need to know about the proposed amendments:
(1) Currently, there is no statutory requirement for data user to notify the regulatory body, i.e. the PCPD, in the case of a data breach, notification is made on voluntary basis’. The new amendment will introduce a mandatory notification mechanism that requires data user to notify the PCPD. The definition of ‘personal data breach’, ‘notification threshold’, ‘timeframe’ and ‘mode’ are still being assessed.
(2) The PDPO currently does not have a definite retention period for personal data. The new proposed amendment will not introduce a uniform retention period, but would require data users to formulate clear retention policy specifying retention period for personal data.
(3) The PCPD presently has power to issue enforcement notice to data user for contravention of Data Protection Principles (DPPs) under the PDPO. The current maximum penalty for non-compliance with an enforcement notice is HK$50,000 and 2-year imprisonment. The Hong Kong Government is exploring the feasibility of introducing direct administrative fines and the possibility of linking the administrative fine to the annual turnover of the data user and classifying data users of different scales according their turnovers.
(4) The present PDPO framework does not regulate outsourcing of data activities and data processors. The new proposed amendment will introduce direct regulation of data processors.
(5) The definition of ‘personal data’ under the PDPO will be expanded to cover information relating to an “identifiable” natural person that would better satisfy public expectation towards the protection of personal data.
(6) The Hong Kong Government proposed to amend the PDPO to better doxing behaviour more effectively, including but not limited to, conferring on the PCPD powers to request removal of doxing contents and powers to carry out criminal investigation and prosecution.
The proposed amendments, once enacted, may increase the compliance costs of businesses especially for SMEs in Hong Kong. Our research team at ADG will continue to follow-up the development of the proposed changes.
Dated: 21 January 2020