Total Tests:

Hong Kong PDPO Compliance and Cybersecurity

Read Time: 6 min. Updated: October 19, 2023

The Personal Data (Privacy) Ordinance (PDPO) is a privacy and personal data protection law in Hong Kong.
It regulates how local businesses and organizations may collect, handle and share personal data,
by imposing a set of privacy principles and data security obligations.

Hong Kong PDPO Compliance and Cybersecurity

What is PDPO and what does it mean for your business?

Inspired by the OECD Privacy Guidelines and enacted in 1996, the Personal Data (Privacy) Ordinance (PDPO) in Hong Kong is one of the oldest privacy laws in the Asia Pacific region. Enforced by the Office of the Privacy Commissioner for Personal Data (PCPD), the PDPO regulates the collection and handling of personal data. In 2013, the PDPO was significantly modernized, notably to address abusive direct marketing practices and misuse of personal data. It was further amended in 2021, providing the PCPD with more enforcement powers and criminalising doxxing acts.

PDPO compliance ImmuniWeb can help you comply with PDPO cybersecurity and data protection requirements. How We Help

What laws and regulations does the PDPO enforce?

The PDPO approach to privacy is based on six foundational Data Protection Principles (DPP) that are described in Schedule 1 of the Ordinance:

  • DPP1 - purpose and manner of collection of personal data
  • DPP2 - accuracy and duration of retention of personal data
  • DPP3 - use of personal data
  • DPP4 - security of personal data
  • DPP5 - information to be generally available
  • DPP6 - access to personal data

The DPPs provide a comprehensive privacy framework that empowers individuals to know and decide how their personal data is processed, stored or shared with third parties. For instance, under the PDPO, individuals may request access to their personal data held by organizations and companies, and demand any necessary corrections be made within 40 days.

In contrast to some privacy laws that primarily leverage significant monetary penalties to incentivize compliance and deter infringements, the PDPO includes severe criminal sanctions for privacy violations. For instance, the Ordinance harshly penalizes unlawful disclosure of personal data without consent from the concerned data subject, with potential imprisonment of executives (of up to 5 years) and fines of up to 1,000,000 HKD (PDPO Part 9, Section 64) in the case of egregious offences (e.g. if done on purpose for financial gain or to cause loss to the data subject).

Who is covered by PDPO regulation?

Being a technology neutral law, the PDPO applies both to private and public sectors in Hong Kong, establishing an overarching privacy and data protection regime.

The Ordinance protects personal data that is broadly construed as “any data - (a) relating directly or indirectly to a living individual; (b) from which it is practicable for the identity of the individual to be directly or indirectly ascertained” (PDPO Part 1, Section 2) - with some narrow exceptions for personal data handled in the process of employment (PDPO Part 8, Sections 53 and 54).

The PDPO covers “Data Users” that collect and decide how to use personal data, also known as Data Controllers under the European GDPR, but does not impose direct obligations or duties on Data Processors who merely process personal data on behalf of Data Users following their instructions.

Importantly, Data Users must ensure that their Data Processors duly comply with the PDPO data security requirements by virtue of contract or other appropriate means. Data Users are directly liable for their negligent suppliers and careless vendors in the case of a data breach stemming from a Data Processor’s failure to comply with the PDPO.

What are the penalties for PDPO violations?

Compliance with the PDPO is enforced by the PCPD. The PCPD may investigate suspected violations of the PDPO upon receipt of a complaint or at its own discretion, enjoying a fairly broad investigatory power in Hong Kong (PDPO Part 2, Section 8).

If an investigation eventually concludes that certain provisions of the PDPO were violated, the PCPD may issue an enforcement notice to the data user and order appropriate remediation steps alongside termination of unlawful data processing practices.

In Hong Kong, disobedience to the PCPD’s enforcement notice is a criminal offense (PDPO Part 9, Section 64) that may result in a monetary fine of up to 50,000 HKD and imprisonment for up to 2 years, with a daily penalty of 1,000 HKD. Any subsequent violations can result in a fine of up to 100,000 HKD and imprisonment for 2 years, with a doubled daily penalty of 2,000 HKD.

In addition to the harsh penalties administered by the PCPD, aggrieved individuals may also file individual lawsuits and claim damages (PDPO Part 9, Section 66) caused by mishandling or insufficient protection of their personal data in violation of the PDPO.

ImmuniWeb Newsletter

Get exclusive updates to cybersecurity laws and regulations:

Private and Confidential Your data will stay private and confidential

What are the cybersecurity requirements under the PDPO?

The Data Protection Principle (PDPO Schedule 1, Section 4) prescribes data users to take all practical steps to ensure that all personal data held by the data user is protected against unauthorized or accidental access, processing, erasure or loss. These inclusive safeguarding requirements cover any equipment where the data is stored, including third-party systems, SaaS solutions and cloud computing services.

The PDPO likewise instructs data users to take any measures for ensuring the integrity, prudence and competence of persons having access to personal data, thereby minimizing “human” risks.

The PDPC issued a guide in 2019 (in conjunction with the Singaporean PDPC) entitled “Data Protection by Design for ICT Systems”. Among other things, this guide recommends using HTTPS instead of HTTP, running regular web security testing for OWASP Top 10 vulnerabilities, and protecting web applications with a WAF.

Jointly with the Singaporean PDPC, the Hong Kong Privacy Commissioner issued practical and detailed technical guidelines “Data Protection by Design for ICT Systems” that instruct, among other things, using HTTPS instead of HTTP, running regular web security testing for OWASP Top 10 vulnerabilities, and protecting web applications with a WAF.

The guide also notes that it is good practice to conduct regular penetration testing and vulnerability assessment by a qualified third-party provider prior to deployment of web applications into production and after every major update.

The PDPO also mandates the secure erasure of data that is no longer required (PDPO, Part 5, Section 26) and imposes severe penalties for non-compliance. It’s therefore important to ensure an up-to-date data inventory to maintain compliance with the PDPO.

PDPO compliance ImmuniWeb can help you comply with PDPO cybersecurity and data protection requirements. How We Help

What are the data breach notification requirements under the PDPO?

Currently, in Hong Kong there is no mandatory data breach notification requirement under the PDPO. However, the PCPD has issued non-binding data breach notification guidance. Compliance with this guidance is highly encouraged and advised, and may potentially serve to reduce penalties for negligent data protection practices in the case of a data breach.

The guidance suggests immediate breach impact analysis to assess the gravity and scale of possible harm. In case of a tangible risk for the affected individuals, the guidance calls for undelayed notification to the victims, the Commissioner and competent law enforcement agencies in Hong Kong, alongside taking all appropriate technical, administrative and legal measures to mitigate foreseeable harm to the victims.

What are the supply chain security requirements under the PDPO?

Schedule 1, principle 4, section 2 of the PDPO emphasizes that data users are accountable and liable for actions of their processors, including vendors and third-party providers, that have access to any personal data they hold: “if a data user engages a data processor, whether within or outside Hong Kong, to process personal data on the data user’s behalf, the data user must adopt contractual or other means to prevent unauthorized or accidental access, processing, erasure, loss or use of the data transferred to the data processor for processing.

Therefore, risk-based vendor vetting and ongoing monitoring of vendors, and their capacity to comply with the PDPO data protection requirements, will reduce the risk of any potential civil and criminal sanctions - exacerbated by individual lawsuits filed by the victims (PDPO Part 9, Section 66) - in the event of a data breach.

What are the upcoming PDPO updates?

Further amendments to the PDPO were expected in 2023. In a briefing to the Legislative Council in February 2023, the PCPD mentioned that they were working with the Government to bring forward amendments including:

  • Making data breach notification mandatory
  • Requiring data retention policies
  • Providing powers to the PCPD to impose administrative fines
  • Regulating data processors directly

However, there have been no further announcements as of October 2023, so it may be that these amendments will be pushed back to 2024.

It’s worth noting that a Memorandum of Understanding has been signed by the Cyberspace Administration of China and the Hong Kong administration, to essentially ease cross-boundary transfers of personal data from mainland China to Hong Kong.

Introduction to PDPO by OneTrust

List of authoritative PDPO resources

Share on LinkedIn
Share on Twitter

Share on WhatsApp

Share on Telegram
Share on Facebook
Book a Call Ask a Question
Talk to ImmuniWeb Experts
ImmuniWeb AI Platform
Have a technical question?

Our security experts will answer within
one business day. No obligations.

Have a sales question?
Tel: +41 22 560 6800 (Switzerland)
Tel: +1 720 605 9147 (USA)
Your data will stay private and confidential