
Hong Kong PDPO Compliance and Cybersecurity


The Personal Data (Privacy) Ordinance (PDPO, Cap. 486) is Hong Kong's privacy and personal data protection law. It regulates how businesses and organizations in Hong Kong may collect, hold, use and share personal data by imposing a set of Data Protection Principles and data security obligations.


What is PDPO and what does it mean for your business?

Inspired by the OECD Privacy Guidelines and in force since 1996, the Personal Data (Privacy) Ordinance (PDPO) is one of the oldest privacy laws in the Asia Pacific region. The 2012 amendment, which took effect in 2013, significantly modernized the Ordinance, notably to curb abusive direct marketing practices and the misuse of personal data.


What laws and regulations does the PDPO enforce?

PDPO's approach to privacy rests on six Data Protection Principles (DPPs) set out in Schedule 1 of the Ordinance:

  • DPP1 Purpose and Manner of Collection
  • DPP2 Accuracy and Duration of Retention
  • DPP3 Use of Data
  • DPP4 Data Security
  • DPP5 Openness and Transparency
  • DPP6 Access and Correction

Together, the DPPs form a comprehensive privacy framework that lets individuals know, and to a degree decide, how their personal data is processed, stored or shared with third parties. For instance, under PDPO individuals may request access to the personal data an organization holds about them and require inaccurate data to be corrected; the data user must comply within 40 days (PDPO Part 5, Sections 19 and 23).

Unlike privacy laws that rely primarily on large monetary penalties to incentivize compliance and deter infringements, PDPO also carries criminal sanctions for privacy violations. For instance, the Ordinance penalizes the disclosure of personal data obtained from a data user without that data user's consent: where the disclosure is made to obtain gain or to cause loss to the data subject, or where it causes the data subject psychological harm, the offender may be fined up to HKD 1,000,000 and imprisoned for up to 5 years (PDPO Part 9, Section 64).

Who is covered by PDPO regulation?

As a technology-neutral law, PDPO applies to both the private and public sectors in Hong Kong, establishing an overarching privacy and data protection regime.

The Ordinance protects personal data, broadly defined as “any data relating directly or indirectly to a living individual from which it is practicable for the identity of the individual to be directly or indirectly ascertained” (PDPO Part 1, Section 2), subject to a number of narrow exemptions, for example for certain personal data handled in the context of employment (PDPO Part 8, Sections 53 and 54).

PDPO imposes its obligations on “data users”, the parties that control the collection, holding, processing or use of personal data (the counterpart of data controllers under the European GDPR). It does not impose direct obligations on data processors, who merely process personal data on behalf of a data user and under its instructions.

Importantly, data users must ensure, by contractual or other means, that their data processors comply with PDPO's data security requirements. A data user remains liable for a data breach that stems from its processor's failure to protect the data, so a negligent supplier or careless vendor does not shift responsibility away from the data user.

What are the penalties for PDPO violations?

Compliance with PDPO is enforced by the Office of the Privacy Commissioner for Personal Data (the Commissioner). The Commissioner may investigate a suspected contravention of PDPO upon receipt of a complaint or on its own initiative, and has fairly broad investigatory powers (PDPO Part 2, Section 8).

If an investigation concludes that provisions of PDPO have been contravened, the Commissioner may serve an enforcement notice on the data user directing it to take remedial steps and to stop the unlawful data processing practices.

Contravening an enforcement notice is a criminal offence in Hong Kong (PDPO Part 7, Section 50A), punishable by a fine of up to HKD 50,000 and imprisonment for up to 2 years, with a daily penalty of HKD 1,000 for a continuing contravention. A subsequent conviction carries a fine of up to HKD 100,000 and imprisonment for up to 2 years, with the daily penalty doubled to HKD 2,000.

In addition to enforcement by the Commissioner, an individual who suffers damage, including injury to feelings, because of a contravention of the Ordinance may bring a civil claim for compensation against the data user (PDPO Part 9, Section 66).

What are the cybersecurity requirements under PDPO?

Data Protection Principle 4 (DPP4, PDPO Schedule 1) requires data users to take all practicable steps to ensure that personal data they hold is protected against unauthorized or accidental access, processing, erasure, loss or use. The principle explicitly covers the physical location and the equipment in which the data is stored, which in practice extends to third-party systems, SaaS solutions and cloud infrastructure.

DPP4 likewise directs data users to take measures to ensure the integrity, prudence and competence of persons having access to the personal data, thereby reducing the human risk.

Jointly with Singapore's PDPC, the Hong Kong Privacy Commissioner issued practical and detailed technical guidelines, “Data Protection by Design for ICT Systems”, which recommend, among other things, using HTTPS instead of HTTP, regularly testing web applications for OWASP Top 10 vulnerabilities, and protecting web applications with a web application firewall (WAF).

The guidelines also advise penetration testing and vulnerability assessment by a qualified third-party provider before a web application is deployed into production and after every major update.

Finally, the Ordinance requires data users to erase personal data that is no longer required for the purpose for which it was used (PDPO Part 5, Section 26) and makes failure to do so an offence. An up-to-date data inventory, with visibility of where personal data actually resides, is therefore essential to satisfy this requirement and to comply with PDPO.


What are the data breach notification requirements under PDPO?

Currently there is no mandatory data breach notification requirement under PDPO. The Commissioner has, however, issued a non-binding Guidance on Data Breach Handling and the Giving of Breach Notifications. Following it is strongly advised, and it may be taken into account when the Commissioner assesses how responsibly a data user handled a breach.

The guidance calls for an immediate impact assessment of the breach to gauge the severity and scale of the likely harm. Where there is a real risk of harm to the affected individuals, it calls for prompt notification of the affected individuals, the Commissioner and the competent law enforcement agencies in Hong Kong, alongside all appropriate technical, administrative and legal measures to mitigate the foreseeable harm.

What are the supply chain security requirements under PDPO?

Data Protection Principle 4 (DPP4, PDPO Schedule 1) makes data users accountable for the conduct of their processors, including vendors and third-party providers with access to the personal data: “if a data user engages a data processor, whether within or outside Hong Kong, to process personal data on the data user’s behalf, the data user must adopt contractual or other means to prevent unauthorized or accidental access, processing, erasure, loss or use of the data transferred to the data processor for processing.”

Risk-based vendor vetting and ongoing monitoring of your vendors' actual capacity to meet PDPO's data protection requirements therefore reduce the risk of ending up with enforcement action and criminal sanctions, compounded by compensation claims from affected individuals (PDPO Part 9, Section 66), in the event of a data breach.

What are the upcoming PDPO updates?

Several major amendments to PDPO are currently under consideration. They are expected to include a significant increase in monetary penalties, possibly tied to the perpetrator's annual turnover, mandatory data breach notification, and direct obligations for data processors. These changes are expected to take effect in 2021 or early 2022.

