Global menu

Our global pages


Changes on the horizon in 2020: China and Hong Kong’s proposed reforms to data protection, cyber security and Internet content regulation

  • Asia
  • Technology, Media and Telecoms


2020 looks set to be a significant year for privacy, cyber security and Internet content reforms in China and Hong Kong.

On 20 December 2019, the Cyberspace Administration of China released the “Regulation on Governance of Internet Information Content Ecosystem” (Regulation). The Regulation will come into force on 1 March 2020, supplementing China’s existing National Security Law, Cybersecurity Law and Measures for the Administration of Internet Information Services.

The Regulation seeks to prohibit the publication of inappropriate content by “Internet information content producers” across various digital platforms and forums. The Regulation expands upon the existing list of prohibited content under the Cybersecurity Law to include content that “distorts, insults, defames or otherwise infringes names, portraits or reputations” of individuals of prominent standing within China. It is worth noting that the Regulation applies to “Internet information content producers” and “Internet information content service platforms”. The Regulation appears to cast a wide net in respect of “Internet information content producers” and likely encompasses a broad range of organisations and users, including any user creating content for publication on the Internet. “Internet information content service platforms” includes Internet forums, blogs, social media sites, etc., and such platforms are required to implement appropriate measures to prevent the publishing of prohibited content on the Internet. The consequences for failing to comply with the Regulation include both civil and criminal liability, whereas “serious violations” may be subject to certain restrictions by the relevant Cyberspace administration authorities, including restrictions on business operations and Internet activities generally.

Also on 20 December 2019, the Legislative Affairs Commission of the Standing Committee of the National People’s Congress of China announced that the Government will formulate new data laws—the Personal Data Protection Law and the Data Security Law—in 2020. It is not yet known how these new laws intend to operate alongside the existing data privacy and cybersecurity legal regulations, specifically the Cybersecurity Law. That being said, it is anticipated that these new laws will serve to revamp (and possibly consolidate) the existing data protection and cyber security landscape in China.

Additionally, on 30 December 2019, the Cyberspace Administration of China published further guidance entitled “Identifying Illegal Collection and Use of Personal Data via Apps” setting out specific instances in which the collection and use of personal data via an “App” is considered unlawful. Importantly, the guidance requires the operators of such “Apps” to ensure that their privacy policies and collection statements are made available in simplified Chinese and appear in pop-up windows or other noticeable ways. In addition, the policies and collection statements must be easily accessible by users, specifically, accessible within four “clicks”.

In Hong Kong, the Legislative Council Panel on Constitutional Affairs (Panel) released a discussion paper (Paper) on 13 January 2020 which proposes amendments to Hong Kong’s Personal Data (Privacy) Ordinance (Cap. 486) (PDPO). The Paper forms part of the Panel’s agenda for its meeting on 20 January 2020. In particular, the proposed reforms focus on six specific amendments which include:

  1. Establishing a mandatory data breach notification mechanism;
  2. Strengthening the regulation on data retention periods (including possibly requiring data users to have data retention policies in place);
  3. Imposing regulations on data processors directly;
  4. Increasing penalties of non-compliance with the PDPO;
  5. Revising the definition of “personal data” to include “identifiable” natural persons (rather than an “identified” persons), in part due to the more prevalent use of tracking and data analytics technology; and
  6. Regulating the deliberate disclosure of personal data of other data subjects (i.e. “doxxing”).

A further in-depth study on these proposed reforms will be conducted with the Office of the Privacy Commissioner for Personal Data and relevant stakeholders are intended to be consulted in due course.

In light of the rapid legislative developments and future plans proposed in the areas of Internet content, data protection and cyber security generally across China and Hong Kong, it is critical to closely monitor these developments and their potential impacts to an organisation’s business operations. In the case of China specifically and given the potential consequences under the Regulation for violations and the tight time frame for compliance, businesses that host websites, forums, social media sites, etc. in China should take immediate actions—including developing or revisiting their website monitoring practices and content take down policies, or using third-party website monitoring services—to ensure compliance with the Regulation.