Last week we were given some insight into the work of the Office of the Privacy Commissioner (PCPD) in the past year and its strategic focus for this upcoming 2023 through a 2022 Review Report and briefing by the Privacy Commissioner to the Legislative Council Panel on Constitutional Affairs (LegCo). Progress on the long awaited reform of Hong Kong’s data protection laws has been slow in the past few years. In this latest report, the PCPD has promised some thought in considering various reforms, but also said they have other strategic priorities, principally data and cyber security and enhanced enforcement. We will need to wait and see what comes in the pipeline of the actual reform agenda in 2023, and whether Hong Kong will be brought more closely in-line with international data privacy ‘best practice’ jurisdictions like the EU’s GDPR or Singapore’s PDPA.
We set out some the key themes from the 2022 Review Report and assess what progress has been made on the law reform agenda for Hong Kong’s key data privacy legislation, the Personal Data (Privacy) Ordinance (Ordinance), Chapter 486 (PDPO).
Privacy Commissioner’s Strategic Priorities for 2023
- Data and cyber security: With increasing digitalisation and prevalence of data and technology across various areas of our lives, the Privacy Commissioner noted the related increase in security risk with respect to personal data. In view of the upward trend in cyberattacks and data breaches, the issue of data security and cybersecurity will be one of PCPD’s strategic focuses in 2023. Further, the PCPD will continue to provide advice and recommendations to the Government and other stakeholders on relevant policies related to the protection of personal data.
- Enhanced enforcement: The PCPD also indicated that enhanced enforcement will be a strategic focus in 2023, including close monitoring of doxxing activities, taking timely enforcement action on all fronts (including issuing cessation notices to platform and website operators to remove doxxing messages and pursuing criminal investigations and prosecutions) and heightening public awareness of data protection issues.
Slow progress on PDPO reforms
In May 2022, in its previous annual review report presented to the LegCo, the PCPD stated that it would continue to explore proposed amendments to the PDPO building on preliminary reform proposals dating back to June 2019. The PCPD has consulted the Legislative Council on preliminary PDPO amendment directions, regarding issues relating to e.g.:
- the definition of personal data
- conferring on PCPD criminal investigation and prosecution powers
- instituting a mandatory data breach notification system
- empowering PCPD to administer administrative fines
- increasing the maximum level of criminal fines
- requiring organisational data users to formulate a clear retention policy with a maximum retention period for personal data.
However progress on reform has been slow and repeated concerns have being voiced by the Legislative Council last year and this year – including with respect to the lack of a mandatory breach notification regime.
The PCDP has countered that they had to prioritise resources to combat doxxing following an upsurge of related activities since 2019. Hence, the PCPD focused its efforts on the introduction and follow-up work of the Personal Data (Privacy) (Amendment) Ordinance 2021 which targets preventing doxxing activities.
An update on the long awaited s33 of the PDPO re data transfers
There has also been slow progress on the reform to impose mandatory legal restrictions against cross-border data transfers outside Hong Kong. This has been provided for under s33 of the PDPO (which prohibits transfers unless certain conditions are met) but the provision is not yet in force and the PCPD seems to recognise that little material progress has been made on this front.
In the 2022 Review Report, the Privacy Commissioner explains (again, as it did in last year’s report) that it has engaged an external consultant to conduct a business impact assessment regarding issues surrounding s33. This study was due to complete by the end of 2017, and will now likely take another year to complete, before the PCPD considers appropriate next steps.
In response to repeated concerns raised by certain member of the LegCo on the lack of progress regarding s33, the PCPD points out that it has published a best practice, non-binding Guidance on Recommended Model Contractual Clauses for Cross-border Transfer of Personal Data in May 2022, to enhance the practicability and user-friendliness of good cross-border data transfer practices. Whilst this may have advanced some ground on a ‘soft-law’ basis pending determination of the outcome of s33, there was still was no mention of bringing s33 in the summary of the proposed amendments to the PDPO (see below). We will have to wait to see whether this will be in the proposed amendments scheduled for later in the year.
What reform is on the table for 2023?
Despite the lack of progress on reform we can take some comfort from the confirmation by the Privacy Commissioner in the 2022 Review Report, that the agency “is working closely with the Hong Kong Government to comprehensively review the PDPO and formulate concrete proposals for legislative amendments”.
Further, it will “make reference to relevant laws of other jurisdictions and take account of the actual situation in Hong Kong so as to put forward practicable legislative amendment proposals that would strengthen the protection of personal data privacy”. The focus for reform to the PDPO will include:
- establishing a mandatory data breach notification mechanism;
- requiring formulation of a data retention policy, empowering the Privacy Commissioner to impose administrative fines; and
- introducing direct regulation of data processors.
If instituted, these proposed amendments to the PDPO would result in material law reform and updates to the PDPO for Hong Kong and bring the Hong Kong data protection regime closer to more developed regimes.
In terms of timing, the Privacy Commissioner and the HK Government confirmed their target to consult LegCo of the specific legislative proposals concerning the PDPO in the second quarter of 2023. If this timeline is met, concrete legislative proposals to undertake major reforms to the PDPO will likely come this year.
We will monitor these developments closely and provide updates as the legislative reform proposals to the PDPO materialise.