The Privacy Commissioner in Hong Kong briefed the Panel on Constitutional Affairs of the Legislative Council on 20 February 2023 (“Legco Briefing”) regarding its proposed efforts to put forward further amendments to the Personal Data (Privacy) Ordinance (“PDPO”).
This is the latest proposed legislative effort preceded by the recent PDPO changes taken place in 2021 which introduced the criminalisation of doxxing behaviours (see our previous summary and our subsequent reporting).
New or earlier proposed changes?
Watchful observers will notice that the references made by the Privacy Commissioner in the Legco Briefing stem from a set of changes first proposed in a discussion paper published in 2020 by the Hong Kong Constitutional and Mainland Affairs Bureau. A summary of which has been reported here in our earlier briefing.
Whilst the fact that the Legco Briefing included (i) mandatory breach notification; (ii) formulation of data retention policy; (iii) greater powers for the Privacy Commissioner to impose administrative fines; and (iv) direct regulation of data processors indicates a continuance of the proposed changes first included in the 2020 discussion paper, the following remains to be seen.
Where to, what next?
The Privacy Commissioner clearly expressed its intention to consider the data protection laws of other jurisdictions whilst accounting for the practicalities of implementation in Hong Kong. Comparative parallels drawn by the upcoming PDPO amendments will be closely monitored by practitioners in this region given the latest data protection and cybersecurity regulatory developments in the rest of the world, including China.
The Privacy Commissioner will be working closely with the Hong Kong Government in proposing these legislative amendments in the second quarter of 2023.