There is a possibility of classifying data users of different scales according to their turnovers to match with different levels of administrative fines. If these Privacy Reforms are enacted into Hong Kong legislation, businesses will need to assess and possibly adjust their data collection and storage systems and processes and policies, conduct appropriate training as well as review their contracts for contractual enhancements to mitigate risk and liability. We are continuing to follow government advice regarding remote and socially distanced working, and we are currently holding client meetings and events online and/or by phone where possible.

Director, Given technological advancements over the past two decades and a number of high profile data breach incidents such as the Cathay and Vtech data breaches, the proposed areas of data privacy reform raised in the Privacy Reform paper should be considered a positive step in modernising Hong Kong’s data protection regime to suit the demands of the current digital era and to more align with international best practice. Find out more.

Despite the Privacy Commissioner encouraging compliance, section 33 of the PDPO, which generally prohibits offshore transfers of data unless certain conditions are met has never been implemented formally in Hong Kong. Nonetheless, the Privacy Reforms are the most significant series of proposed data privacy law changes in Hong Kong since the PDPO was first enacted. Osborne Clarke is an international legal practice headquartered in London, England with offices in the United Kingdom, Germany, Italy, Belgium, Spain, Sweden, France, the Netherlands, China, Hong Kong, India, Singapore and the United States. India, Partner,

Osborne Clarke is an International legal practice, with offices situated around Europe, Asia and the USA. Register now for more insights, news and events from across Osborne Clarke. Some of these data privacy matters not under consideration in the Privacy Reforms include: The proposed added sanctions powers of the Privacy Commissioner as part of the Privacy Reforms broadly meets expectations where there has been a general sense that the Privacy Commissioner’s powers were lacking, especially in context of doxxing incidents and data breaches/fines. There has been a large increase in complaints about ‘doxxing’ – which generally refers to the non-consensual disclosures of personal data such as photographs, name and other details, with an intent to cause psychological harm or other loss often through social media platforms and websites. From health apps and virtual consultations, to 3D printing at home and augmented reality – what do these trends mean for your business? This would largely expand the parameters of the “personal data”, which would be extended to cover all location data and online identifiers such as IP address, email address, user name which may be traceable to an individual to be "personal data". It also proposes amending Data Protection Principle 5 to expressly require data users to include a data retention policy in their privacy policies, to improve individuals' right to monitor the execution of the policy and to improve transparency. The timeframe of up to five business days for mandatory breach notification outlined in the Privacy Reforms represents a middle ground compared to strict jurisdictions like the EU under GDPR – which imposes a notification timeframe of 72 hours – and jurisdictions like Australia (which allows up to 30 days from becoming aware of a data breach likely to cause serious harm) and Singapore (which allows up to 30 days to investigate a data breach, and within 72 hours of determining a data breach is notifiable). The Employment (Amendment) Bill 2019 was published in the Hong Kong Government Gazette on 27 December 2019. Michael discussed the power and…. Osborne Clarke’s Asian offices extend our digital focus in our specialist sectors throughout the Asia Pacific region and beyond. In the period from 14 June 2019 alone, the Privacy Commissioner received some 4,700 doxxing related complaints and enquiries. Currently, data users are obliged to erase personal data when it is no longer necessary. Given handling and use of data is a critical aspect of all businesses, understanding and planning for the proposed reforms will be important for all businesses that operate in Hong Kong or collect personal data from Hong Kong. Connect with our experts - search over 270 Partners and more than 850 talented lawyers, working in 8 core sectors in 24 international locations. Osborne Clarke Hong Kong Update | June 2019 Legal and Market Insights Hong Kong awards first Virtual Banking licences On 27 March 2019, the Hong Kong Monetary … *This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation. In response to this, the Privacy Commissioner is proposing amending the PDPO to give it the statutory power to request the removal of doxxing content from social media platforms or websites, and the power to carry out criminal investigations (including in the absence of a compliant from the data owner) and prosecution. The proposals include requiring data processors to be directly accountable for data retention and data security and to notify the Privacy Commissioner upon their being aware of any personal data breaches.

On 20 January 2020, the Hong Kong Legislative Council Panel on Constitutional Affairs (LegCo Panel) met to discuss proposed reforms to Hong Kong’s data protection law, the Personal Data (Privacy) Ordinance (Cap 486) (PDPO). The proposed Privacy Reforms represent a major enhancement of personal data protection in Hong Kong, including strengthening of enforcement powers of the Privacy Commissioner. Osborne Clarke's Asian offices extend our digital focus in our specialist sectors throughout the Asia Pacific region and beyond.