In a briefing to the Legislative Council (Hong Kong’s legislative body) on February 20, 2023, the Privacy Commissioner (“the Commissioner”) announced that substantive amendments to the Personal Data (Privacy) Ordinance (“PDPO”) will take place.
Proposed amendments include the introduction of:
- Mandatory data breach notification(s) to the Commissioner and to impacted individuals, in situations where there is “a real risk of significant harm” — the notification needs to be given within five business days from when the entity collecting data (“data user”) becomes aware of the breach;
- Direct regulation of data processors under the PDPO, in relation to personal data retention and security obligations (currently, data processors are not directly regulated under the PDPO because the onus of ensuring compliance by data processors is placed on the data users that retain these processors);
- A requirement for data users to formulate a clear personal data retention policy. However, the Commissioner has indicated that it does not intend to prescribe specific retention periods; and
- Express powers for the Commissioner to impose administrative fines (in addition to existing powers to levy criminal fines). There is also a possibility that the level of administrative fines will be based on annual turnover, similar to the European Union General Data Protection Regulation.
The Commissioner has indicated that the amendments will be finalized in Q2 of 2023. Sidley continues to monitor these developments closely so that clients can make the necessary changes to their privacy programs.
Sidley Austin LLP provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship. Readers should not act upon this information without seeking advice from professional advisers.