A new era for data protection in Hong Kong: legislative updates for a digital age?
As 2024 draws to a close, Hong Kong appears on the brink of significant legal reforms that could reshape the landscape of data privacy and cybersecurity. The government has proposed updates to the Personal Data (Privacy) Ordinance (the “PDPO”) and introduced groundbreaking legislation aimed at bolstering cybersecurity for critical infrastructure. This article outlines: (1) the key provisions; (2) the implications for various stakeholders; and (3) the broader context of data protection and cybersecurity in Hong Kong and the PRC.
Proposed enhancement of data privacy protection under the Personal Data (Privacy) Ordinance
The PDPO has been a cornerstone of data privacy in Hong Kong since its enactment. However, the rapid evolution of technology and the increasing incidence of data breaches have prompted the Office of the Privacy Commissioner for Personal Data (the “PCPD”) to advocate for enhancements to the existing framework. Key proposals include the introduction of [1]:
- Mandatory breach notifications to the PCPD and impacted individuals.
- Direct regulation of data processors under the PDPO.
- Clear personal data retention policies.
- Express and enhanced powers of the PCPD to impose administrative fines.
The proposals are to be welcomed and are important for maintaining Hong Kong’s status as a global financial hub, where data privacy and security are paramount for business operations and consumer confidence.
Implications for stakeholders
The proposed amendments to the PDPO will have far-reaching implications for various stakeholders.
Organisations that handle personal data, including both large corporations and small businesses, will need to revise their compliance frameworks. This will involve conducting data audits to identify and classify personal data they process, as well as developing and implementing new data retention and breach notification policies to align with the updated legal requirements.
Individuals will benefit from enhanced rights regarding their personal data. With mandatory notifications for data breaches, they will have more control over, and awareness of, how their data is handled. This increased transparency is expected to foster greater public trust in organisations’ data management practices.
Legal and compliance teams within organisations will face increased responsibilities to ensure adherence to an updated PDPO. This may involve implementing training programs for staff on new data protection obligations and drafting updated internal policies to reflect the new legal requirements. As the regulatory landscape evolves, legal experts will need to stay informed about emerging trends in data protection.
Hong Kong Privacy Commissioner publishes first comprehensive AI-specific guidance
On 11 June 2024, the PCPD published the “Artificial Intelligence: Model Personal Data Protection Framework” (the “Model Framework”) [2]. This is the PCPD’s first guidance document targeted at organisations procuring, implementing and using artificial intelligence (“AI”) systems in the context of their compliance with the PDPO. The Model Framework is addressed to organisations that procure AI solutions from third parties and process personal data in the operation or customisation of those AI systems. In particular, the Model Framework covers recommended measures in the following four areas:
- Establishing AI strategy and governance.
- Conducting risk assessment and human oversight.
- Customisation of AI models and the implementation and management of AI systems.
- Communication and engagement with stakeholders.
The Model Framework and the PDPO
The Model Framework serves as an extension of the PDPO, providing practical recommendations for organisations that operate within the framework of existing privacy law. While the PDPO establishes the legal obligations regarding personal data, the Model Framework offers detailed insights on how to interpret and implement these obligations in the context of AI technology. Where an AI incident occurs as part of a data breach, the data breach incident response mechanism should be engaged at the same time. This should also be considered in the context of the potential mandatory breach notification obligation included in the proposed PDPO amendments. If a data breach is involved in the AI incident, the AI incident response should include appropriate considerations for triggering a report and notification mechanism to internal stakeholders and to external affected parties such as data subjects and regulatory authorities.
New cyber security legislation: “Protection of Critical Infrastructure (Computer System) Bill”
On 25 June 2024, Hong Kong’s first legislation on cybersecurity was proposed to enhance the protection of computer systems of critical infrastructures (“CIs”) and to regulate the cybersecurity obligations of critical infrastructure operators (“CIOs”). The “Protection of Critical Infrastructure (Computer System) Bill” (the “Proposed Legislation”) will be put before the Legislative Council before the end of 2024. The Proposed Legislation, once enacted, would likely be implemented in a staged approach, with full implementation by 2026.
The objectives of the Proposed Legislation are to strengthen the security of the computer systems of CIs, and minimise the chance of essential services being disrupted or compromised due to cyberattacks.
The Proposed Legislation targets CIOs that: (1) are necessary for the continuous delivery of essential services in Hong Kong; and (2) maintain important societal and economic activities in Hong Kong. It will require those CIOs to fulfil baseline requirements set as statutory obligations, from which the CIOs can build up and enhance their capabilities for securing their computer systems with regard to their own needs and characteristics.
The key statutory obligations of CIOs set out in the Proposed Legislation can be categorised as: (1) organisational; (2) preventative; and (3) incident reporting/response.
Interplay between the proposed reforms
The proposed updates to the PDPO, the AI-specific guidance Model Framework, and the Protection of Critical Infrastructure Bill collectively create a cohesive framework for data protection and cybersecurity.
The mandatory breach notification requirement in the proposed PDPO updates aligns with the incident reporting obligations in the Protection of Critical Infrastructure Bill. Both frameworks emphasise the importance of timely communication in mitigating risks associated with data breaches or cyber incidents.
As the PDPO updates introduce direct regulation of data processors, the AI-specific guidance emphasises the need for accountability in data handling practices. Organisations using AI must ensure that their data processors comply with the same obligations, thereby enhancing overall data governance.
Both the AI-specific guidance and the Protection of Critical Infrastructure Bill emphasise the importance of risk assessments. Organisations must identify and mitigate risks associated with AI and cybersecurity threats. This alignment promotes a proactive approach to data protection, encouraging organisations to integrate risk management practices into their operational frameworks.
The proposed updates to the PDPO, the Model Framework, and the Proposed Legislation collectively represent a significant evolution in Hong Kong’s approach to data protection and cybersecurity. By integrating these frameworks, Hong Kong is positioning itself to address the challenges posed by AI and cyber threats effectively.
As organisations adapt to these regulatory changes, they must prioritise compliance and proactive data governance to safeguard personal data and maintain public trust. This holistic approach will be essential in navigating the complexities of the digital landscape while fostering innovation and protecting individual rights.
The way forward: The future legal landscape of Hong Kong’s privacy and cybersecurity laws
The future legal landscape regarding Hong Kong’s privacy and cybersecurity laws is poised for significant transformation, driven by recent developments such as the proposed updates to the PDPO, the Model Framework, and the Proposed Legislation. These frameworks are designed to enhance data protection, accountability, and cybersecurity in an increasingly digital environment. The PDPO updates, with their emphasis on mandatory data breach notifications and direct regulation of data processors, align closely with the evolving expectations for data governance. Meanwhile, the Model Framework encourages responsible AI practices, reinforcing the importance of transparency and risk assessment. Concurrently, the Proposed Legislation highlights the critical need for robust cybersecurity measures for essential services. Together, these developments signal a move towards a more integrated and robust legal framework that fosters greater accountability and trust in the digital economy, positioning Hong Kong as a competitive hub for technology and finance.
With thanks to Anson Cheung for their contribution to this article.
Footnotes
1. Security Bureau (2024) LC paper no. CB(2)930/2024(03), Legislative Council Panel on Security, Proposed Legislative Framework to Enhance Protection of the Computer Systems of Critical Infrastructure. Available at: https://www.legco.gov.hk/yr2024/english/panels/se/papers/se20240702cb2-930-3-e.pdf
2. Privacy Commissioner’s Office Publishes “Artificial Intelligence: Model Personal Data Protection Framework” (pcpd.org.hk)