The Office of the Privacy Commissioner for Personal Data, Hong Kong (the “PCPD”) oversees the enforcement of the Personal Data (Privacy) Ordinance (Chapter 486 of the laws of Hong Kong) (the “PDPO”), which protects individuals’ privacy in relation to personal data.
According to the background brief on the work of the PCPD prepared for the meeting of the Panel on Constitutional Affairs on 19 February 2024, the PCPD is studying further amendments to the PDPO to enhance personal data protection.
The proposed amendments include establishing a mandatory data breach notification mechanism, requiring data users to have a data retention period policy and giving PCPD the power to impose administrative fines. The Panel on Constitutional Affairs will be consulted once a concrete proposal is formulated.
The summary below highlights some of the key aspects of the PDPO in relation to the proposed amendments advised by the PCPD.
Key Definitions:
- Data user: A person who controls the collection, holding, processing or use of personal data.
- Personal data: Any data— (a) relating directly or indirectly to a living individual; (b) from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and (c) in a form in which access to or processing of the data is practicable.
- Sensitive personal data: The PDPO does not provide a specific definition of “sensitive personal data”.
- However, the PCPD has issued Codes of Practice and Guidelines setting out specific requirements in respect of certain types of personal data, such as identity card numbers and other personal identifiers, credit data and biometric data.
- Data breach: A suspected or actual breach of the security of personal data held by a data user, which exposes such personal data to the risk of unauthorised or accidental access, processing, erasure, loss or use.
- Data protection principles (“DPPs”): Principles contained in Schedule 1 to the PDPO, outlining how data users should collect, handle and use personal data.
Data Retention Requirements
Pursuant to section 26 of the PDPO and DPP 2, data users must take all practicable steps to erase personal data held when it is no longer needed for the fulfilment of the purpose for which it was used. The current framework offers no specific guidance on how long a retention period is too long.
Based on the press release titled “LCQ22: Privacy protection for consumer credit data” issued by the Government of the HKSAR on 24 April 2024, the PCPD has been reviewing the PDPO and considering requiring data users to formulate policies on personal data retention period to offer adequate protection for data subjects.
Data Breach Notification
Currently, the PDPO does not provide for a mandatory data breach notification mechanism for data users to inform the PCPD or the affected data subjects about a data breach incident.
Data users are only encouraged to use the “data breach notification form” to notify the PCPD about the types of personal data involved, date of the data breach, number of individuals affected, assessment of the risks of the data breach incident and remedial actions taken.
Based on the press release titled “LCQ22: Privacy protection for consumer credit data” issued by the Government of the HKSAR on 24 April 2024, the PCPD has been considering establishing a mandatory personal data breach notification mechanism, defining personal data breach incident and setting out the threshold and timeframe for notification, etc.
Major Powers of the PCPD
The PCPD is a statutory body responsible for overseeing the enforcement of the PDPO and has the following major powers to ensure the protection of data privacy in Hong Kong:
- Power of Inspection: The PCPD has inspection powers under section 36 of the PDPO to inspect any personal data system used by a data user, in order to make recommendations to such data user relating to the promotion of compliance with the PDPO.
- Power of Investigation and Enforcement: The PCPD has investigatory and enforcement powers to ensure compliance with the PDPO. These include the power to conduct investigations into breaches of the PDPO, issue enforcement notices, and take legal action against persons that violate the PDPO. However, the PCPD currently has no power to impose administrative fines; it has been considering amendments to the PDPO that would empower it to do so.
- Complaint Handling: The PCPD is responsible for handling complaints related to the misuse or mishandling of personal data. Individuals can file complaints with the PCPD if they believe their privacy rights have been violated. The PCPD investigates these complaints and takes appropriate actions to resolve the issues.
- Guidance and Policy Development: The PCPD issues guidance notes to recommend best practices for protecting personal data and ensuring privacy rights in Hong Kong. The PCPD also plays an active role in facilitating policy development related to personal data protection and participates in discussions and consultations to shape privacy laws and regulations in Hong Kong.
YYC Legal LLP is in Association with East & Concord Partners (Hong Kong) Law Firm.
This material has been prepared for general informational purposes only and is not intended to be relied upon as professional advice. Please contact us for specific advice.