Global menu

Our global pages

Close

Hong Kong is on its way to a mandatory data breach notification regime

  • United Kingdom
  • Financial services disputes and investigations
  • Litigation and dispute management

14-04-2021

In this digital age, more and more information is stored and processed in electronic form. If a financial institution can make better use of its data, it will likely have an impact on the business performance.

One key data set that financial institutions need to get a good grasp of is personal data. Used properly, personal data will help to facilitate better service to a financial institution’s customers. However, any unauthorized leakage of personal data would result in harm to customers which in turn may results in significant financial and reputational ramifications.

Our team of international lawyers, many of whom have experience working in national regulators, have advised a lot of financial institutions in conducting investigations into data breaches of different nature – ranging from minor ones which are results of inadvertence by a member of staff, to large scale malicious hacking and attacks on our client’s IT systems.

Apart from advising clients on the investigations, an important issue that needs to be carefully considered at an early stage is whether notification should or must be given by the financial institutions, whether to the appropriate authorities or the customers affected. Different jurisdictions may have different requirements. In this article, we will discuss the upcoming changes in the notification requirements in Hong Kong.

A number of recent major personal data breach incidents inside and outside of Hong Kong have raised public concerns about the inadequacy of the Personal Data (Privacy) Ordinance (PDPO). The lack of a mandatory data breach notification regime has been recognised as a possible shortcoming of the PDPO by comparison to international best practice.

At present, it is not mandatory under the PDPO for data users to notify authorities or data subjects of data breaches. A voluntary notification system is in place, which is based on the Guidance on Data Breach Handling and the Giving of Breach Notifications (Guidance). The Guidance recommends prudential notification as a matter of good practice, in situations when a real risk of harm is reasonably foreseeable in a data breach.

In 2020, the Constitutional and Mainland Affairs Bureau of the Hong Kong Government (Bureau), in collaboration with the Privacy Commissioner for Personal Data (Commissioner), proposed amendments to the PDPO, including the introduction of a mandatory data breach notification mechanism.

Under the proposed regime, data users would be required to report a data breach having “a real risk of significant harm” to the Commissioner and the impacted individuals within a specified period. A “personal data beach” would include data security breach leading to unlawful or accidental destruction, alteration, loss, unauthorized disclosure of, or access to personal data. The Commissioner would be empowered to direct the data user to notify the impacted individuals.

It is expected that the Bureau and the Commissioner will publish more details in relation to these areas of the proposed regime:

  • Notification thresholds: whether notifications to the Commissioner and to impacted individuals will be subject to the same threshold, and what factors should be taken into account in determining whether the threshold is met;
  • Notification timeframe: whether data user should be allowed time to investigate the suspected data breach before making the notification; and
  • Templates and guidelines concerning notification content.

We will continue monitor developments in this area and provide comments to any proposals published by the Hong Kong Government. It is important for financial institutions to appreciate that different jurisdictions have different notification requirements. In the event of a data incident, particularly one with cross-border element, it would be very important to consider all these requirements and synchronize any notifications to be given.

For more information, please contact: