Legislation on Data Security and Breaches

Hugill & Ip
Reading Time: 3 minutes

Carmen Tang discusses current legislation in Hong Kong relating to personal data breaches and the developments expected to follow, similar to what has already happened in more mature jurisdictions such as the EU, Canada and Australia. A mandatory data breach notification mechanism could be introduced through an amendment of the Personal Data (Privacy) Ordinance, which would most likely also introduce penalties for non-compliance.


00:19 The Privacy Commissioner and data security
01:07 The situation in other jurisdictions
01:37 The importance of a mandatory data breach notification mechanism
02:19 Plans to introduce a notification mechanism
03:11 Definition of personal data breach
03:28 Notification threshold
03:41 Notification timeframe
04:01 Mode of notification
04:37 Penalty


No matter how careful an organisation is, data leakage through cyber-attacks seems inevitable, and human error alone can often compromise sensitive data.

00:19 The Privacy Commissioner and data security

In Hong Kong, the Personal Data (Privacy) Ordinance requires data users to take all practicable steps to protect personal data against unauthorised or accidental access. Unfortunately, there is currently no statutory requirement for data users to notify the Office of the Privacy Commissioner or the affected data subjects in the event of a data breach. At present, such notification is made on a voluntary basis. That said, the Privacy Commissioner strongly advises data users to submit a data breach notification to the Office as a recommended practice for the proper handling of such incidents.

01:07 The situation in other jurisdictions

You may have heard of the European Union's General Data Protection Regulation, which came into effect in May 2018. Under that Regulation, data users must generally report breaches of personal data to the supervisory authority within 72 hours of becoming aware of the breach. Many jurisdictions other than the European Union, such as Canada and Australia, have similar rules.

01:37 The importance of a mandatory data breach notification mechanism

The financial consequences of data breaches have grown immensely since GDPR was introduced in 2018. For example, Yahoo's UK arm was fined GBP250,000 over a data breach affecting more than 500 million users; Facebook was fined GBP500,000 in relation to the Cambridge Analytica scandal; Google Inc. was also fined; and the Information Commissioner's Office in the UK announced its intention to fine British Airways GBP183.4 million and Marriott International around GBP99 million.

02:19 Plans to introduce a notification mechanism

The Hong Kong Government is formally reviewing and studying possible amendments to the ordinance jointly with the Office of the Privacy Commissioner, aimed at strengthening the protection of personal data in Hong Kong. In late January 2020, the Constitutional and Mainland Affairs Bureau published a paper for discussion at the Legislative Council Panel meeting.

We note that among the six proposed amendments to the Ordinance is the introduction of a mandatory data breach notification mechanism, so that the Privacy Commissioner can monitor how the organisations concerned handle data breaches. The Bureau considers that the following matters should be taken into account when establishing the mechanism:

  1. (03:11) Definition of personal data breach

A personal data breach could be defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

  2. (03:28) Notification threshold

The Bureau considers that a data breach carrying "a real risk of significant harm" should be reported by the data user to both the Privacy Commissioner and the affected individuals.

  3. (03:41) Notification timeframe

The data user should notify the Privacy Commissioner within a specified timeframe once it becomes aware of the data breach. The Bureau believes that "as soon as practicable" and, in any event, no later than five business days is reasonable.

  4. (04:01) Mode of notification

The Bureau is considering allowing data users to make written notification to the Privacy Commissioner by email, fax or post. The information that may have to be specified in the notification includes a description of the data security incident, the cause of the data breach, the type and amount of personal data involved, an assessment of the risk of harm, the remedial action taken by the data user to mitigate that risk, and the action that data subjects should take to protect themselves against it.

  5. (04:37) Penalty

The penalty is not specified in the LegCo consultation paper. That said, we suspect the Hong Kong Government may consider directly imposing administrative fines on data users that fail to notify a data breach incident on time. Such fines may be linked to the annual turnover of the data user, similar to the current rules under GDPR.


This video is for informational purposes only. Its contents do not constitute legal or professional advice.
