[Hong Kong] Changes to Data Privacy Law

Originally published in The Bulletin – Hong Kong General Chamber of Commerce Monthly (May 2023)


Businesses should start preparing for a major strengthening of Hong Kong’s data privacy legislation, likely to take effect within the next year or so.

The changes were foreshadowed in a discussion paper presented by the Government to LegCo in January 2020. Just over three years later, the Privacy Commissioner for Personal Data (“Privacy Commissioner”) announced on 20 February this year that she and the Government intend to publish, and consult LegCo on, specific legislative proposals in the second quarter of this year, i.e. by the end of June.


What are these proposed changes? Those likely to be of most concern to Hong Kong businesses are:

  • A significant strengthening of the sanctions for contravening the Personal Data (Privacy) Ordinance (“PDPO”).

  • Compulsory reporting of significant data breaches to the Privacy Commissioner.

  • A new requirement on businesses to specify retention periods for different classes of personal data, and to publish the business’s data retention policy.

  • Direct requirements on third-party data processors to comply with the PDPO (at present, businesses holding personal data, termed “data users”, are responsible for the actions of third-party contractors to whom they entrust the handling of personal data; the contractors themselves are not liable).


This article looks at each of these proposed changes in turn.


Strengthening of Sanctions


Currently, the Privacy Commissioner cannot directly impose penalties on businesses that contravene the PDPO. The Commissioner must first issue an enforcement notice on the business, directing it to remedy the contravention. Only if the enforcement notice is breached can the Commissioner then ask the court to impose a penalty on the business concerned.

Moreover, the maximum penalty for breaching an enforcement notice is relatively modest: $50,000.

The Government is proposing to change the law in two major respects. First, it would give the Commissioner the power to impose penalties directly, without first issuing an enforcement notice and without having to ask the court to impose a penalty if an enforcement notice is breached. Secondly, it would increase the maximum level of penalty: the Government proposes to link the maximum penalty to the turnover of the business concerned, but what that maximum will be is not yet clear.


Compulsory Reporting of Significant Data Breaches


The Government is proposing to introduce a new requirement on businesses from which personal data is leaked, whether accidentally or deliberately (a so-called “data breach”), to report the data breach to the Privacy Commissioner.


Currently there is no requirement to do so: the business is free to decide whether or not to report the data breach. The Government has suggested compulsory notification within five days of the data breach, but there is a possibility that the business may be allowed an initial period to investigate the circumstances of the breach before the five-day period starts ticking.


Not all data breaches would need to be reported, only those where there is “a real risk of significant harm” to the individuals concerned. The Government has indicated that some guidance will be offered on the factors that will be taken into account in assessing whether there is a real risk of significant harm.


Data Retention Policies


Currently, the PDPO provides that data users shall take all practicable steps to ensure that personal data is not kept any longer than is necessary for the purpose for which it is to be used. It does not specify any particular periods for retention.


Under the new proposals, however, data users will be required to set specific retention periods for particular categories of personal data, depending on the purposes for which it is to be used (such as for compliance with taxation or employment law).


In addition, data users would be required specifically to include a data retention policy in the personal data policy that they are already required to publish.


Direct Liability of Third Party Processors


Businesses often have to transfer the personal data they hold to third party contractors, and entrust them with the handling of the personal data. These contractors (or, to use the Ordinance’s terminology, “processors”) could, for example, be storage companies (where the company does not have sufficient physical capacity to store the data); debt collection agencies; or companies with which they are engaging in joint promotional campaigns to customers.


Currently, the PDPO requires data users who engage such third-party processors to use contractual or other means to ensure that these processors keep the personal data secure and do not retain it for longer than is necessary. If the data user fails to do this, or if the measures it has put in place fail, it is the data user that is potentially liable for contravention of the PDPO, not the third-party processor.


Given the increasing use of third party processors, the Government is proposing to impose direct liability on them, if they fail to ensure the security of personal data, or keep it for longer than is necessary.

Third-party processors will clearly need to make sure that they have systems in place to comply with these new requirements, if they become law. For data users, it is not yet clear whether their existing obligation to have contractual or other means of ensuring the processors’ compliance will continue to apply. In other words, it is not clear whether the data user could be held liable for a breach of the PDPO, as well as the processor, if there is a data breach or if data is kept longer than is necessary.

Conclusions


So far, only limited details of the Government’s proposals have been published, and several issues have not yet been clarified. These issues include the maximum level of penalty, what will constitute a “real risk of significant harm” such as to trigger mandatory notification of a data breach to the Commissioner, and the respective liabilities of the data user and data processor if the latter is responsible for a data breach. So the “devil will be in the detail” of the specific proposals that the Government presents to LegCo. As noted above, it is intending to do so in the second quarter of this year.

Businesses would be well-advised to monitor these developments closely. This is especially the case as the proposals thus far seem to have enjoyed considerable support amongst LegCo members, and may therefore be expected to proceed swiftly through the legislative process.