{"id":140800,"date":"2026-04-24T15:06:18","date_gmt":"2026-04-24T15:06:18","guid":{"rendered":"https:\/\/my.legal500.com\/guides\/?post_type=comparative_guide&#038;p=140800"},"modified":"2026-04-24T15:06:18","modified_gmt":"2026-04-24T15:06:18","slug":"hong-kong-data-protection-cybersecurity","status":"publish","type":"comparative_guide","link":"https:\/\/my.legal500.com\/guides\/chapter\/hong-kong-data-protection-cybersecurity\/","title":{"rendered":"Hong Kong: Data Protection &amp; Cybersecurity"},"content":{"rendered":"","protected":false},"template":"","class_list":["post-140800","comparative_guide","type-comparative_guide","status-publish","hentry","guides-data-protection-cybersecurity","jurisdictions-hong-kong"],"acf":[],"appp":{"post_list":{"below_title":"<div class=\"guide-author-details\"><span class=\"guide-author\">Haldanes, Solicitors and Notaries<\/span><span class=\"guide-author-logo\"><img src=\"https:\/\/my.legal500.com\/guides\/wp-content\/uploads\/sites\/1\/2021\/08\/haldanes.jpg\"\/><\/span><\/div>"},"post_detail":{"above_title":"<div class=\"guide-author-details\"><span class=\"guide-author\">Haldanes, Solicitors and Notaries<\/span><span class=\"guide-author-logo\"><img src=\"https:\/\/my.legal500.com\/guides\/wp-content\/uploads\/sites\/1\/2021\/08\/haldanes.jpg\"\/><\/span><\/div>","below_title":"<span class=\"guide-intro\">This country specific Q&amp;A provides an overview of Data Protection &amp; Cybersecurity laws and regulations applicable in Hong Kong<\/span><div class=\"guide-content\"><div class=\"filter\">\r\n\r\n\t\t\t\t<input type=\"text\" placeholder=\"Search questions and answers...\" class=\"filter-container__search-field\">\r\n\t\t\t<\/div>\r\n\r\n\t\t\t\r\n\r\n\r\n\t\t\t<ol class=\"custom-counter\">\r\n\r\n\t\t\t\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please provide an overview of the legal and regulatory framework governing data 
protection, privacy and cybersecurity in your jurisdiction (e.g., a summary of the key laws; who is covered; what sectors, activities or data do they regulate; and who enforces the relevant laws).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><h4>Data Protection<\/h4>\n<p>Hong Kong\u2019s core data protection law is the Personal Data (Privacy) Ordinance (\u201cPDPO\u201d), which applies to both public and private sector bodies that control the collection, holding, processing or use of personal data, meaning information relating to a living individual from which that person can be identified. However, as confirmed by the Hong Kong Court of Appeal in Eastweek Publisher Ltd v Privacy Commissioner for Personal Data, the PDPO does NOT confer a general right to privacy.<\/p>\n<p>The PDPO is enforced primarily by the Office of the Privacy Commissioner for Personal Data (\u201cPCPD\u201d), which may investigate complaints, issue enforcement notices, and pursue offences where the ordinance is breached.<\/p>\n<h4>Anti-Doxxing<\/h4>\n<p>To expand upon personal data privacy protection, the Personal Data (Privacy) (Amendment) Ordinance 2021 was enacted to create a criminal offence in relation to the act of doxxing, which had become prevalent since the socio-political protests of 2019. 
Doxxing was granted a legal definition, that being the \u201c[disclosure of] any personal data of a data subject without the relevant consent of the data subject: (i) with an intent to cause any specified harm to the data subject or any family member of the data subject; or (ii) being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or to any family member of the data subject.\u201d The PCPD is now empowered to carry out criminal investigations and institute prosecutions, with the additional statutory power to demand the cessation of doxxing content. These powers even have extra-territorial effect.<\/p>\n<p>It is particularly noteworthy that multiple criminal prosecutions have already been brought and custodial sentences have already been imposed for anti-doxxing offences, which stands in stark contrast to the PCPD\u2019s \u201cusual\u201d mode of enforcement against other personal data privacy offences (see para. 36 below).<\/p>\n<h4>Privacy<\/h4>\n<p>Privacy as an independent right is not directly protected under Hong Kong law, since there is no specific legislation or common law principle devoted to safeguarding privacy.<\/p>\n<p>Theoretically, privacy is constitutionally protected under the Basic Law. However, Hong Kong lacks judicial precedents where the Basic Law or any other constitutional instrument has been applied against private entities or individuals. According to a 2004 report by the Law Reform Commission of Hong Kong, both the Basic Law and the Bill of Rights Ordinance provide a cause of action for privacy breaches only against the Government or public authorities. The Commission further noted that the Hong Kong courts have yet to recognize a common law right to privacy that is legally enforceable against private parties. 
While the Law Reform Commission recommended in 2004 that legislation be introduced to address invasions of privacy, no such law has been enacted to date.<\/p>\n<h4>Cybersecurity<\/h4>\n<p>Hong Kong does not have a single omnibus cybersecurity law applying to all organizations. Instead, cybersecurity obligations are sectoral and activity-based. On 1 January 2026, the Protection of Critical Infrastructure (Computer System) Ordinance (\u201cPCICSO\u201d) came into effect in Hong Kong, which focuses on protecting critical infrastructure from cyber threats and imposes statutory obligations on critical infrastructure operators. It is designed to enhance resilience and reduce the risk of disruption or compromise of essential services. Enforcement is handled by the designated regulator under the critical infrastructure regime.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any expected changes in the data protection, privacy or cybersecurity landscape in 2025 - 2026 (e.g., new laws or regulations coming into effect, enforcement of such laws and regulations, expected regulations or amendments)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>On cybersecurity, the major development is the enactment of the PCICSO, the first cybersecurity legislation in Hong Kong, in 2026 (see question 1).<\/p>\n<p>On data protection and privacy, the PDPO remains the core statute (see question 1). There is no sign of a major replacement law this year; however, the PCPD is expected to continue active guidance and enforcement, particularly on breach response, AI governance, and security under Data Protection Principle 4. 
In 2025, the PCPD also issued and updated practical guidance on generative AI and carried out more compliance checks, showing a clear shift toward stronger governance expectations.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any identifiable trends or regulatory priorities in privacy, data protection and\/or cybersecurity-related enforcement activity in your jurisdiction?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The main trend in Hong Kong is a shift from general guidance toward more active enforcement and operational compliance. The PCPD has continued to focus on anti-doxxing, data security, cloud compliance, AI governance, and breach response.<\/p>\n<p>A second priority is AI governance. In 2025, the PCPD issued practical guidance on generative AI and carried out compliance checks across a broader range of organizations.<\/p>\n<p>A third major development is cybersecurity for critical infrastructure. The new PCICSO has turned cybersecurity from a voluntary best-practice issue into a statutory regime for designated operators (see question 1).<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any registration or licensing requirements for entities covered by these data protection and cybersecurity laws, and if so what are the requirements? Are there any exemptions? 
What are the implications of failing to register \/ obtain a licence?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>There are no general registration or licensing regimes for entities covered by data protection and cybersecurity laws.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What does \u201cpersonal data,\u201d \u201cpersonal information\u201d or other equivalent terms (hereafter \u201cpersonal data\u201d) mean under data protection laws in your jurisdiction? Does the definition broadly include information about all individuals? For example, would this include individuals acting in a personal or household capacity, as well as those acting in a business or commercial capacity (such as on behalf of a business or corporate entity or employer) or otherwise?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Under the PDPO, \u201cpersonal data\u201d means information that relates directly or indirectly to a living individual, from which the identity of that individual is practicably ascertainable, and that is in a form in which access to or processing of it is practicable. In plain terms, it covers data that can identify a person, either by itself or when combined with other information, such as names, Hong Kong ID numbers, phone numbers, email addresses, photos, voice recordings, and similar identifiers, as long as the data is usable in practice. 
The definition is broad enough to include information about any living individual.<\/p>\n<p>However, exemptions exist for specific uses, as listed in Part 8 of the PDPO, which include the following:<\/p>\n<ul>\n<li>Judicial functions and legal proceedings: sections 51A, 60B<\/li>\n<li>Household\/recreational data: section 52<\/li>\n<li>Employment purposes: sections 53-56<\/li>\n<li>National security, crime prevention\/detection, communications interception and surveillance: sections 57-58A<\/li>\n<li>Health: section 59<\/li>\n<li>Care and guardianship of minors: section 59A<\/li>\n<li>Legal professional privilege: section 60<\/li>\n<li>Self-incrimination: section 60A<\/li>\n<li>News, statistics, research, due diligence: sections 61, 62, 63B<\/li>\n<li>Human embryos: section 63A<\/li>\n<li>Transfer of records to Government Records Service: section 63D<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are certain types of personal data considered more sensitive or highly regulated under data protection laws in your jurisdiction? Please include the relevant defined terms for such data (e.g., \u201cspecial categories of personal data,\u201d \u201csensitive data\u201d or \u201csensitive personal information\u201d)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The PDPO does not statutorily define or recognize &#8220;special categories of personal data,&#8221; &#8220;sensitive data,&#8221; or &#8220;sensitive personal information&#8221; as distinct, highly regulated subsets of personal data. 
All personal data receives baseline protection under the six Data Protection Principles (DPPs), regardless of sensitivity.<\/p>\n<p>However, the PCPD issues non-binding guidance and Codes of Practice recommending heightened safeguards for certain data types treated as more sensitive in practice.\u202fExamples include:<\/p>\n<ul>\n<li>Hong Kong identity card numbers and personal identifiers.<\/li>\n<li>Biometric data (e.g., fingerprints, facial recognition).<\/li>\n<li>Consumer credit data.<\/li>\n<li>Children&#8217;s data.<\/li>\n<\/ul>\n<p>These types of data warrant enhanced due diligence, consent where feasible, and proportionality under DPPs<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What principles apply to the processing of personal data in your jurisdiction? For example: is it necessary to establish a \u201clegal basis\u201d for processing personal data?; are there specific transparency requirements?; must personal data only be kept for a certain period? Please provide details of such principles.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The PDPO requires that the data user (defined under the PDPO as an entity who, either alone or jointly or in common with other entities, controls the collection, holding, processing or use of the data) must enter into a contractual relationship with the data processor, requiring the data processor to observe all relevant aspects of the PDPO in the processing of the personal data by the data processor for and on behalf of the data user. 
In essence, a data user is liable for breaches of data processors it engages.<\/p>\n<p>In particular, data users should comply with the six Data Protection Principles (\u2018DPPs\u2019) set out in the PDPO:<\/p>\n<ul>\n<li>DPP1 provides that personal data should be collected in a lawful and fair way for a purpose directly related to a function or activity of the data user. The data collected should be necessary and adequate and not excessive for the purpose.<\/li>\n<li>DPP2 requires that the personal data collected must be accurate and not kept longer than necessary.<\/li>\n<li>DPP3 requires the data to be used only for the purpose for which it was collected or a directly related purpose, unless the data subject has given express voluntary consent.<\/li>\n<li>DPP4 requires data users to take all practicable steps to protect the personal data they hold against unauthorized or accidental access, processing, erasure, loss or use, having particular regard to:\n<ul>\n<li>(a) the kind of data,<\/li>\n<li>(b) the physical location of storage of the data,<\/li>\n<li>(c) security measures incorporated into any equipment in which the data is stored, and<\/li>\n<li>(d) any measures taken for ensuring the integrity, prudence and competence of persons having access to the data, and any measures taken for ensuring the secure transmission of the data.<\/li>\n<\/ul>\n<\/li>\n<li>DPP5 requires that all practicable steps be taken to ensure that a person can ascertain a data user\u2019s policies and practices in relation to personal data.<\/li>\n<li>DPP6 gives data subjects the right to request access to their personal data and correction of it if inaccurate.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any circumstances for which consent is required or typically obtained in connection with the processing of personal data? 
What are the rules relating to the form, content and administration of such consent? For instance, can consent be implied, incorporated into a broader document (such as a terms of service) or bundled with other matters (such as consents for multiple processing operations)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Under the PDPO, consent\u2014specifically &#8220;prescribed consent&#8221; (meaning consent that is expressly and voluntarily given and not withdrawn)\u2014is required under DPP3 for using personal data for new purposes not directly related to the original collection purpose, such as disclosure to third parties or direct marketing.<\/p>\n<p>For direct marketing purposes, the PDPO provides that a data user must obtain a data subject\u2019s explicit prior consent in order to use their personal data for direct marketing. If the consent has been given orally, the data user has 14 days from receiving the oral consent to send a written confirmation to the data subject confirming the date of receipt of the oral consent, the permitted kind of personal data and the permitted class of marketing subjects, and the use made by the data user must be consistent with the consent of the data subject.<\/p>\n<p>Where the consent or written consent of the data subject is required for processing, it can be given by way of:<\/p>\n<ul>\n<li>a general blanket consent by the data subject to the data user to the use of or the transfer of their personal data in respect of all kinds of personal data or all classes of marketing subjects as specified in the consent; or<\/li>\n<li>an express selection of a choice by the data subject to provide consent to some or all of the categories of: (i) the kinds of personal data held by the data user; (ii) the classes of the full range of marketing subjects offered by the data user; and (iii) the 
intended class of transferees for use of the personal data in direct marketing.<\/li>\n<\/ul>\n<p>Silence does not constitute consent, and a data subject can refuse to give any consent.<\/p>\n<p>DPP3 also states that the guardian\/parent of a minor can give the consent required for the use of a minor\u2019s personal data for a new purpose.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What special requirements, if any, are required for processing particular categories of personal data (e.g., health data, children\u2019s data, special category or sensitive personal data, etc.)? Are there any prohibitions on specific categories of personal data that may be collected, disclosed, or otherwise processed?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The PDPO does not statutorily define or recognize &#8220;special categories of personal data,&#8221; &#8220;sensitive data,&#8221; or &#8220;sensitive personal information&#8221; as distinct, highly regulated subsets of personal data. All personal data receives baseline protection under the six DPPs, regardless of sensitivity.<\/p>\n<p>However, the PCPD issues non-binding guidance and Codes of Practice recommending heightened safeguards for certain data types treated as more sensitive in practice. Examples include: Hong Kong identity card numbers and personal identifiers, biometric data (e.g., fingerprints, facial recognition), consumer credit data, and children&#8217;s data. 
In practice, therefore, some types of data are considered sensitive and thus subject to a further degree of protection under the PDPO.<\/p>\n<p>The guidance and practice guidelines issued by the PCPD for such types of personal data contain the following:<\/p>\n<ul>\n<li>Risk assessment: Evaluate volume, sensitivity, and potential harm before collection; use &#8220;privacy impact assessments&#8221; for high-risk processing like biometrics.<\/li>\n<li>Minimize collection: Collect only what&#8217;s necessary; justify biometric or ID use where less intrusive alternatives (e.g., PINs rather than fingerprints) would not suffice.<\/li>\n<li>Stronger security: Apply encryption, access controls (&#8220;need-to-know&#8221; basis), employee training, and regular audits; store sensitive data separately with multi-factor authentication.<\/li>\n<li>Explicit consent and notice: Provide clear Personal Information Collection Statements (PICS); obtain informed, freely given consent where feasible, especially for biometrics.<\/li>\n<li>Retention limits: Delete or anonymize once the purpose ends; shorter periods for sensitive types to reduce breach impact.<\/li>\n<li>Incident response: Develop plans for breaches involving sensitive data, including prompt notification to the PCPD and affected individuals.<\/li>\n<\/ul>\n<p>(Examples of such guidance notes and Codes of Practice include:<\/p>\n<ul>\n<li>Guidance on Collection and Use of Biometric Data (August 2020) &#8211; LINK<\/li>\n<li>Code of Practice on the Identity Card Number and Other Personal Identifiers (April 2016) &#8211; LINK<\/li>\n<li>Code of Practice on Consumer Credit Data (January 2013) &#8211; LINK<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction have special or particular requirements, restrictions, or rules regarding the collection, use, disclosure or processing of personal 
information from or about children or minors? If so, what is the age threshold and key requirements\/restrictions that go beyond those applicable, generally?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The PDPO does not create a broad, general \u201cchildren\u2019s data\u201d regime. In law, children\u2019s data is treated the same as other data. Some provisions that are specific to children\u2019s\/minors\u2019 (defined as anyone below the age of 18) data are:<\/p>\n<ul>\n<li>where prescribed consent is required under DPP3 from a minor, a person with parental responsibility may give that consent on the minor\u2019s behalf in appropriate circumstances;<\/li>\n<li>certain statutory exemptions may apply in care-and-guardianship situations. For example, disclosure to a minor\u2019s parent or guardian by law-enforcement bodies can be exempt where it is in the minor\u2019s interest and facilitates proper care and guardianship.<\/li>\n<\/ul>\n<p>The PCPD has, however, published a non-binding guidance note, Collection and Use of Personal Data through the Internet \u2013 Points to Note for Data Users Targeting at Children (December 2015) &#8211; LINK, in which children are identified as a \u201cvulnerable group who have special requirements in privacy protection\u201d and which puts forth \u201cbest practice tips\u201d for data users targeting children, one of which is to refrain from (rather than merely limit) the collection of children\u2019s data.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction include any derogations, exemptions, exclusions or limitations other than those already described? 
If so, please describe the relevant provisions.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>No.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Does your jurisdiction require or recommend privacy risk or impact assessments in connection with personal data processing activities and, if so, under what circumstances? How are these assessments typically carried out?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Privacy risk or impact assessments are not legally required under the PDPO.<\/p>\n<p>In Hong Kong, privacy impact assessments are recommended, but generally not mandated by the PDPO itself for private-sector processing; however, they are commonly expected as a good-practice tool, and the government requires them for certain public-sector or government IT projects at the design stage and before significant updates.<\/p>\n<p>In the PCPD\u2019s information sheet on privacy impact assessments (published December 2015), a PIA process would be structured around 4 steps: data-processing-cycle analysis, privacy-risk analysis, mitigation recommendations, and a written PIA report.<\/p>\n<p>(The Privacy Impact Assessment (PIA) leaflet is available here: LINK)<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any specific codes of practice, or self-regulatory codes applicable in your jurisdiction regarding the processing of personal data (e.g., codes of practice for processing children\u2019s data or health data)?<\/h3>\r\n\t\t\t\t\t\t<button 
id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The PDPO is supplemented by various Codes of Practice issued by the PCPD. These are non-binding guidelines interpreting the DPPs, but breaching one creates a rebuttable presumption of PDPO non-compliance in enforcement proceedings. There are also industry\/activity-specific guides, such as those targeting Small and Medium Enterprises, Corporate Governance, and Electioneering. Examples include:<\/p>\n<ul>\n<li><strong>Code of Practice on Human Resource Management:<\/strong> Covers recruitment, employment records, monitoring, and termination; emphasizes necessity for data like performance reviews.<\/li>\n<li><strong>Code of Practice on Consumer Credit Data:<\/strong> Regulates credit reference agencies and data users; sets rules for accuracy, retention (e.g., 5 years max), and disclosure limits.<\/li>\n<li><strong>Code of Practice on the Identity Card Number and Other Personal Identifiers:<\/strong> Restricts collection\/use of HKID numbers to statutory\/legal needs; mandates alternatives where possible.<\/li>\n<\/ul>\n<p>(Links to the Codes of Practice are available as follows:<\/p>\n<ul>\n<li>Code of Practice on Human Resource Management (April 2016) &#8211; <a href=\"https:\/\/www.pcpd.org.hk\/english\/data_privacy_law\/code_of_practices\/files\/PCPD_HR_Booklet_Eng_AW07_Web.pdf\">LINK<\/a><\/li>\n<li>Code of Practice on the Identity Card Number and Other Personal Identifiers (April 2016) &#8211; <a href=\"https:\/\/www.pcpd.org.hk\/english\/data_privacy_law\/code_of_practices\/files\/picode_en.pdf\">LINK<\/a><\/li>\n<li>Code of Practice on Consumer Credit Data (January 2013) &#8211; <a href=\"https:\/\/www.pcpd.org.hk\/english\/data_privacy_law\/code_of_practices\/files\/CCDCode_2013_e.pdf\">LINK<\/a><\/li>\n<\/ul>\n<p>An index to guidance notes and reports published by the PCPD is also available here: <a 
href=\"https:\/\/www.pcpd.org.hk\/english\/resources_centre\/publications\/guidance\/guidance.html\">LINK <\/a><\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are organisations required to maintain any records of their data processing activities or establish internal processes or written documentation? If so, please describe how businesses typically meet such requirement(s).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The PDPO does not impose a general statutory requirement on organisations to maintain records of data processing activities, internal registers, or written documentation akin to GDPR Article 30. However, there are some limited record-keeping obligations:<\/p>\n<ul>\n<li>Section 27 log books: Data users must maintain locked registers logging refusals of data access\/correction requests (one for public enquiries\/complaints, another for all other records).<\/li>\n<li>Section 26 erasure compliance: While not record-keeping per se, data users must take practicable steps to erase unnecessary data, with potential evidentiary needs during complaints\/enforcement.<\/li>\n<li>Direct marketing records: when data is collected and processed for direct marketing purposes, Part 6A of the PDPO requires documenting prescribed consent and opt-out<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction specifically impose data retention limitations? 
If so, please describe such requirement(s).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The PDPO imposes data retention limitations through DPP2 and section 26.<\/p>\n<p>Under DPP2: Data users must take all practicable steps to ensure personal data is accurate and not kept longer than necessary to fulfil the purpose(s) for which it was collected (or directly related purposes, or new purposes with prescribed consent).<\/p>\n<p>Section 26: Data users must erase personal data no longer required for its purpose(s), unless (i) erasure is prohibited by law (e.g., statutory retention of tax records), or (ii) erasure is against the public interest (e.g., historical\/archival value).<\/p>\n<p>Note that there is no statutory minimum period prescribed; data retention must be purpose-driven and justifiable.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Under what circumstances is it required or recommended to consult with the applicable data protection regulator(s)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>There are no general requirements to consult with the PCPD, but it is advisable to consult the PCPD if an organisation is unsure about its personal data privacy practices.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction require the appointment of a data protection officer, chief information security officer, or other person responsible for data protection? 
If so, what are their legal responsibilities?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The PDPO does not generally require organisations to appoint a data protection officer (DPO), chief information security officer, or any other specific person responsible for data protection compliance.<\/p>\n<p>The PCPD strongly encourages (but does not mandate) appointing a senior individual\u2014often called a DPO or privacy officer\u2014to oversee a voluntary Privacy Management Programme (PMP). In the PCPD\u2019s PMP Best Practice Guide, the recommended PMP has three components:<\/p>\n<ul>\n<li>Organisational commitment: creating an internal governance structure to ensure the policies and procedures on personal data protection are being followed.<\/li>\n<li>Programme controls: the measures that constitute a PMP, namely creating and maintaining a personal data inventory, risk assessment tools and privacy impact assessments, training and education for employees, coordinating data breach responses and investigations, and reporting mechanisms to senior management.<\/li>\n<li>Ongoing assessment and revision: development of an oversight and review plan.<\/li>\n<\/ul>\n<p>(The Privacy Management Programme \u2013 A Best Practice Guide (March 2019) is available here: <a href=\"https:\/\/www.pcpd.org.hk\/english\/resources_centre\/publications\/files\/PMP_guide_e.pdf\">LINK<\/a>)<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction require or recommend employee training related to data protection? 
If so, please describe such training requirement(s) or recommendation(s).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The PDPO does not legally require employee training on data protection; but the PCPD strongly recommends training in some of its practice guides. For example:<\/p>\n<ul>\n<li>PMP Best Practice Guide (see Q17 above)<\/li>\n<li>Privacy Guidelines: Monitoring and Personal Data Privacy at Work (see paragraph 3.3)<\/li>\n<\/ul>\n<p>(Links to the aforementioned guides are below:<\/p>\n<ul>\n<li>Privacy Management Programme \u2013 A Best Practice Guide (March 2019) &#8211; <a href=\"https:\/\/www.pcpd.org.hk\/english\/resources_centre\/publications\/files\/PMP_guide_e.pdf\">LINK<\/a><\/li>\n<li>Privacy Guidelines: Monitoring and Personal Data Privacy at Work (April 2016) &#8211; <a href=\"https:\/\/www.pcpd.org.hk\/english\/data_privacy_law\/code_of_practices\/files\/Monitoring_and_Personal_Data_Privacy_At_Work_revis_Eng.pdf\">LINK<\/a><\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction require controllers to provide notice to data subjects of their processing activities? 
If so, please describe such notice requirement(s) (e.g., posting an online privacy notice).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The PDPO requires data users (the Hong Kong equivalent of controllers) to give notice to data subjects through a Personal Information Collection Statement (PICS) under DPP1(3). Separately, DPP5 (openness) requires data users to take all practicable steps to make their personal data policies and practices generally available, which in practice is done through a Privacy Policy Statement (PPS) posted online.<\/p>\n<p>Under DPP1(3), data users must take all practicable steps, on or before collecting personal data directly from the data subject, to inform them of:<\/p>\n<ul>\n<li>whether supplying the data is voluntary or obligatory (and the consequences of not supplying it, if obligatory);<\/li>\n<li>the purpose(s) for which the data will be used; and<\/li>\n<li>the classes of transferees (the persons or organisations to whom the data may be transferred).<\/li>\n<\/ul>\n<p>Additionally, on or before the first use of the data for the purpose for which it was collected, the data subject must be informed of:<\/p>\n<ul>\n<li>the data subject&#8217;s right to request access to and correction of the data; and<\/li>\n<li>the contact details (name or job title, and address) of the individual to whom such requests should be made.<\/li>\n<\/ul>\n<p>In the PCPD\u2019s Guidance on Preparing Personal Information Collection Statement and Privacy Policy Statement, a PICS should be provided to a data subject by a data user on or before collecting personal data directly from that data subject. 
However, a PICS may not be needed where:<\/p>\n<ul>\n<li>the personal data is collected from third parties rather than from the data subject (DPP1(3) applies only to direct collection, but DPP3 still requires prescribed consent for any new use);<\/li>\n<li>the personal data is collected from publicly available sources; or<\/li>\n<li>an exemption under Part 8 of the PDPO applies (e.g., crime prevention, legal proceedings).<\/li>\n<\/ul>\n<p>(The Guidance on Preparing Personal Information Collection Statement and Privacy Policy Statement (July 2013) is available here: <a href=\"https:\/\/www.pcpd.org.hk\/english\/publications\/files\/GN_picspps_e.pdf\">LINK<\/a>)<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction distinguish between the responsibilities of \u201ccontrollers\u201d and those of \u201cprocessors\u201d (or equivalent terms) of personal data? If so, how are such terms defined and what are the key distinctions between the obligations of controllers and processors (or equivalent terms)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Hong Kong does not use the term \u201ccontroller\u201d; the equivalent term under the PDPO is \u201cdata user\u201d.<\/p>\n<p>Per the statutory definitions in section 2 of the PDPO:<\/p>\n<ul>\n<li>A data user is \u201ca person who, either alone or jointly or in common with other persons, <strong>controls the collection, holding, processing or use of the data<\/strong>\u201d.<\/li>\n<li>A data processor is \u201ca person who processes personal data on behalf of another person (the data user) and <strong>does not process the data for any of the person\u2019s own purposes<\/strong>\u201d.<\/li>\n<\/ul>\n<p>Another way of distinguishing the two is that data users determine the <strong>purposes and means of the collection and use of the data<\/strong> (e.g., a company collecting 
customer data); processors execute tasks on the data user\u2019s behalf (e.g., a cloud provider storing it).<\/p>\n<p>Data users are directly bound by all of the Data Protection Principles. Under section 65(2), an act done by a data processor as agent of the data user, with the data user\u2019s authority, is treated as done by the data user as well, so a data user can be liable for its processor\u2019s contraventions. DPP2(3) and DPP4(2) also expressly require a data user that engages a data processor to adopt contractual or other means to prevent the data being kept longer than necessary and to prevent unauthorised or accidental access, processing, erasure, loss or use. Data users therefore typically flow the DPPs down to processors by contract, but the compliance and accountability burden ultimately remains with the data user.<\/p>\n<p>Data processors are not directly regulated by the PDPO; there are no statutory obligations that bind a processor independently. However, a processor that has contracted with a data user must keep to the data user\u2019s instructions: if it starts controlling or using the data for its own purposes it becomes a \u201cdata user\u201d in its own right and takes on the full set of obligations.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please describe any restrictions on monitoring, automated decision-making or profiling in your jurisdiction, including through the use of tracking technologies such as cookies. How are these or any similar terms defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The PDPO imposes no specific statutory bans on monitoring, automated decision-making (ADM), or profiling. 
Restrictions arise indirectly through the DPPs, supplemented by non-binding PCPD guidance (e.g., the Guidance on the Ethical Development and Use of Artificial Intelligence (August 2021) and the Artificial Intelligence: Model Personal Data Protection Framework (June 2024)) that recommends safeguards, with human oversight of automated decisions being one of the key principles.<\/p>\n<p>As to cookies, there is no cookie-specific rule or consent mandate. If cookies collect personal data, the data user must comply with DPP1 (on or before collection, the data subject must be informed of the purpose of collection, the classes of persons to whom the data may be transferred, and their rights to access and correct the data) and DPP3 (the data may be used only for the purpose for which it was collected or a directly related purpose; any new purpose, such as profiling or ad targeting not disclosed at collection, requires the data subject\u2019s prescribed consent).<\/p>\n<p>(Links to the aforementioned guidance are available here:<\/p>\n<ul>\n<li>Guidance on the Ethical Development and Use of Artificial Intelligence (August 2021) &#8211; <a href=\"https:\/\/www.pcpd.org.hk\/english\/resources_centre\/publications\/files\/guidance_ethical_e.pdf\">LINK<\/a><\/li>\n<li>Artificial Intelligence: Model Personal Data Protection Framework (June 2024) &#8211; <a href=\"https:\/\/www.pcpd.org.hk\/english\/resources_centre\/publications\/files\/ai_protection_framework.pdf\">LINK<\/a><\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the laws in your jurisdiction include specific rules, requirement or regulator guidance regarding the use of cookies, pixels, online tracking and\/or targeted advertising? Please describe any restrictions on targeted advertising and\/or cross context behavioral advertising. 
How are these terms or any similar terms defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>There is no specific regulation of tracking technologies from a privacy or data protection perspective, nor are there statutory definitions for the terms mentioned in this question.<\/p>\n<p>However, where tracking technologies such as cookies and pixels collect personal data, the data user must comply with:<\/p>\n<ul>\n<li>DPP1: PICS notice of the collection purpose and the classes of transferees.<\/li>\n<li>DPP3: use limited to the original (or a directly related) purpose, with prescribed consent required for any new use (e.g., ad targeting).<\/li>\n<li>DPP4: all practicable steps to protect the personal data from unauthorised or accidental access, processing, erasure, loss or use.<\/li>\n<\/ul>\n<p>Whether a tracking identifier is personal data turns on whether the identity of the individual can practicably be ascertained from it, alone or together with other data held by the data user; a persistent identifier linked to an account or profile will usually qualify.<\/p>\n<p>Additionally, for cookies, the PCPD\u2019s guidance on Online Behavioural Tracking (April 2014) &#8211; <a href=\"https:\/\/www.pcpd.org.hk\/english\/publications\/files\/online_tracking_e.pdf\">LINK<\/a> recommends that organisations using cookies: (i) pre-set a reasonable expiry date for cookies; (ii) encrypt the contents of cookies; and (iii) not deploy techniques such as Flash, zombie or super cookies that circumvent browser cookie settings, unless website users are offered an option to disable or reject such cookies.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction specifically restrict or regulate  the \u201csale\u201d of personal data and\/or \u201cdata brokers\u201d? 
How is \u201csale\u201d and\/or \u201cdata broker\u201d or (similar\/related terms) defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Hong Kong data protection laws do not specifically regulate or restrict the &#8220;sale&#8221; of personal data, and the term is not defined. Sale of personal data is possible so long as the provisions of the PDPO (in particular the DPPs) are complied with. The closest specific regime is Part 6A of the PDPO (sections 35J to 35L): a data user may not provide personal data to another person for use in direct marketing without the data subject\u2019s written consent, and providing data for gain attracts the higher penalty tier.<\/p>\n<p>There is no standalone concept of &#8220;data brokers&#8221; under the PDPO; an organisation that trades in personal data is simply a data user subject to the DPPs.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction specifically regulate or restrict marketing and electronic communications, including telemarketing\/telephone solicitations and \u2018robocalls\u2019, email marketing, SMS\/text messaging or other direct marketing? Please provide an overview.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Hong Kong regulates direct marketing and electronic communications through Part 6A of the PDPO for marketing that uses personal data, and the Unsolicited Electronic Messages Ordinance (UEMO, Cap. 593) for commercial electronic messages.<\/p>\n<p>PDPO (Part 6A): applies when personal data (e.g., a named individual&#8217;s email address or phone number) is used for offers or solicitations.<\/p>\n<ul>\n<li>Before using personal data for direct marketing, a data user must obtain the consent of the data subject (for Part 6A purposes, consent includes an indication of no objection, but silence or inaction is not consent). 
This requires the data user to inform the data subject that it intends to use their data for direct marketing and that it cannot do so without their consent.<\/li>\n<li>When notifying a data subject, the data user must provide the &#8220;prescribed information&#8221;, which comprises: (i) the intention to use or transfer the data for direct marketing; (ii) the kinds of data to be used or transferred; (iii) the classes of goods or services to be marketed; (iv) if the data is to be transferred, the classes of persons to whom it will be provided; and (v) a response channel through which the data subject can communicate consent without charge.<\/li>\n<li>Data subject\u2019s rights: data subjects may at any time require a data user to cease using their data for direct marketing, and the data user must comply without charge.<\/li>\n<li>Data user\u2019s obligations: a data user must not use or transfer personal data for direct marketing unless these requirements have been complied with; contraventions are criminal offences (see the sanctions table below).<\/li>\n<li>Part 6A applies only to direct marketing addressed to &#8220;specified persons&#8221;, i.e., offers directed at a particular individual by name or by other personal data; untargeted marketing (e.g., mail addressed to the occupant) falls outside it.<\/li>\n<\/ul>\n<p>UEMO: regulates commercial electronic messages (e.g., bulk SMS, email, fax and pre-recorded voice calls) whether or not personal data is used; live person-to-person telemarketing calls are outside its scope. 
The following part(s) are relevant from a data protection perspective:-<\/p>\n<ul>\n<li>Under Part 2 of UEMO, senders of commercial electronic message shall: (i) not hide the calling line identification when sending messages; (ii) not send out email messages with misleading subjects; (iii) identify oneself and provide contact information; (iv) offer a way for recipients to unsubscribe from receiving further messages and honour such requests within ten (10) working days; and (v) not send commercial electronic messages to electronic addresses registered in the do-not-call registers unless consents have been given by the recipients to receive those messages.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction regulate, restrict or impose specific obligations on the processing of biometric data, such as facial recognition. If so, how are the relevant terms defined?  Are these obligations focused on the collection, use and processing of unique biometric \u2018identifiers\u2019 (rather than any sort of biometric measurements) ?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The PDPO does not specifically regulate or restrict biometric data processing, including facial recognition, as a distinct category with unique statutory obligations. 
Biometric data is treated as personal data under the DPPs if it relates directly or indirectly to a living individual whose identity can practicably be ascertained from it. The PDPO draws no distinction between unique biometric identifiers and other biometric measurements. The PCPD\u2019s non-binding Guidance on Collection and Use of Biometric Data treats both physiological and behavioural biometric data as sensitive, and recommends that data users conduct a privacy impact assessment before collecting it, consider less privacy-intrusive alternatives, and apply heightened DPP4 security measures.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any data protection laws in your jurisdiction that specifically address or apply to artificial intelligence or machine learning (\u201cAI\u201d).  If so, do these laws specifically apply to the processing of personal information related to AI, or more broadly?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Hong Kong has no data protection laws dedicated to artificial intelligence (AI) or machine learning. The PDPO applies in a technology-neutral manner whenever AI processing involves personal data, through its six Data Protection Principles (DPPs) on collection, accuracy and retention, use, security, openness, and access and correction.<\/p>\n<p>However, the PCPD issued the Artificial Intelligence: Model Personal Data Protection Framework in 2024, providing voluntary, risk-based recommendations specifically for AI systems handling personal data. 
Key elements include:<\/p>\n<ul>\n<li>Governance: Establish AI oversight committees; conduct AI-specific Privacy Impact Assessments (PIAs) for high-risk systems.<\/li>\n<li>DPP alignment: Ensure data minimization (DPP1), purpose limitation (DPP3), robust security (DPP4), and transparency (e.g., explain AI decisions).<\/li>\n<li>High-risk AI: Enhanced scrutiny for profiling, automated decisions, or generative AI using personal data training sets.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any data localization requirements in your jurisdiction?  In other words, are there any circumstances where some or all personal data is required to be stored locally, or prohibited from being transferred to or stored in certain jurisdictions?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Hong Kong has no data localization requirements under PDPO or any other data protection law. There are no legal requirements that personal data must be stored locally.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Is the transfer of personal data outside your jurisdiction restricted, under certain circumstances? If so, please describe these restrictions and how businesses typically comply with them (e.g., does a cross-border transfer of personal data require a specified mechanism or notification to or authorization from a regulator?)<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>There are no restrictions imposed by statute on data transfer. 
Section 33 of the PDPO, which would prohibit the transfer of personal data to places outside Hong Kong except in specified circumstances, has never been brought into effect, and there is no immediate plan for the government to implement it.<\/p>\n<p>However, the general DPPs still apply to a transfer abroad: if the transfer constitutes a new purpose, the data subject\u2019s prescribed consent under DPP3 will be required; the overseas recipients should fall within the classes of transferees disclosed in the PICS under DPP1(3); and where the recipient is a data processor, DPP4(2) requires the data user to adopt contractual or other means to ensure the data remains protected.<\/p>\n<p>The PCPD also offers a set of recommended model contractual clauses for companies to use in cross-border transfers of personal data, covering two scenarios: (i) transfers from data user to data user, and (ii) transfers from data user to data processor. Furthermore, the PCPD recommends that a transferor of data should have effective data transfer arrangements, control activities that involve unintended or unnecessary cross-border data flows, and keep an inventory of transferred personal data. These recommendations are non-binding.<\/p>\n<p>(The Guidance on Recommended Model Contractual Clauses for Cross-border Transfer of Personal Data (May 2022) is available here: <a href=\"https:\/\/www.pcpd.org.hk\/english\/resources_centre\/publications\/files\/guidance_model_contractual_clauses.pdf\">LINK<\/a>)<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What personal data security obligations are imposed by the data protection laws  in your jurisdiction?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The PDPO imposes data security obligations primarily through DPP4, which requires data users to take all practicable steps to protect personal data against unauthorised or accidental access, processing, erasure, loss or use. 
In deciding what steps are practicable, DPP4(1) requires data users to have particular regard to:<\/p>\n<ul>\n<li>the kind of data and the harm that could result if it were compromised (e.g., heightened protection for biometric, health or financial data, where compromise could lead to identity theft or financial loss);<\/li>\n<li>the physical location where the data is stored;<\/li>\n<li>any security measures incorporated (whether by automated means or otherwise) into the equipment in which the data is stored;<\/li>\n<li>the measures taken to ensure the integrity, prudence and competence of persons having access to the data (e.g., staff vetting, training and access controls); and<\/li>\n<li>the measures taken to ensure the secure transmission of the data.<\/li>\n<\/ul>\n<p>The PDPO does not prescribe particular technical controls. In practice, and in PCPD guidance, this translates into:<\/p>\n<ul>\n<li>physical and technical safeguards: encryption at rest and in transit, network controls such as firewalls, access logging, secure storage and disposal, and regular audits;<\/li>\n<li>processor accountability: under DPP4(2), a data user that engages a data processor must use contractual or other means to prevent unauthorised or accidental access, processing, erasure, loss or use of the data by the processor; and<\/li>\n<li>incident response: breach notification is not statutorily mandated, but the PCPD recommends voluntary notification of breaches that create a real risk of harm, and a data user\u2019s breach handling is examined in any subsequent PCPD investigation.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there more specific security obligations for certain types of personal data (e.g., sensitive data or special categories of personal data)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The PDPO has no statutory category of &#8220;sensitive data&#8221; or &#8220;special categories of personal data&#8221;, so there are no security obligations specific to them. However, because DPP4(1) calibrates the required measures to the kind of data and the harm that could result from its compromise, the practical standard expected for data such as biometric, health or financial information is higher, and PCPD guidance treats such data as sensitive.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction impose obligations in the context of security breaches which impact personal data? 
If so, how do such laws define a security breach (or similar term) and under what circumstances and within what timeframe must such a breach be reported to regulators, impacted individuals, law enforcement, or other persons or entities?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The PDPO does not define a security breach and does not impose a general mandatory obligation to notify regulators, data subjects or law enforcement of security breaches involving personal data.<\/p>\n<p>The PCPD\u2019s Guidance Note for Data Breach Handling and Data Breach Notifications (<a href=\"https:\/\/www.pcpd.org.hk\/english\/resources_centre\/publications\/files\/guidance_note_dbn_e.pdf\">LINK<\/a>) describes a data breach as a suspected breach of the security of personal data held by a data user that exposes the data to the risk of unauthorised or accidental access, processing, erasure, loss or use (mirroring the DPP4 formulation). It recommends voluntary notification when a breach creates a &#8220;real risk of harm&#8221; to affected individuals (e.g., identity theft, financial loss, discrimination), as part of a recommended data breach response plan with the following steps:<\/p>\n<ul>\n<li>Step 1: Immediate gathering of essential information<\/li>\n<li>Step 2: Containing the data breach<\/li>\n<li>Step 3: Assessing the risk of harm<\/li>\n<li>Step 4: Considering giving data breach notifications<\/li>\n<li>Step 5: Documenting the breach<\/li>\n<\/ul>\n<p>Notification is addressed in Step 4, where the PCPD recommends that a data user notify the PCPD and the affected data subjects \u201cas soon as practicable after becoming aware of the data breach\u201d; no fixed number of hours or days is prescribed.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction establish specific rights for individuals, such as the right to access and the right to deletion? 
If so, please provide a general description of such rights, how they are exercised, and any exceptions.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The PDPO gives individuals a clear access right and a correction framework for their personal data, but no general deletion right.<\/p>\n<p>Under DPP6 and section 18, an individual may ask a data user whether it holds their personal data and, if so, request a copy of that data. The request is made in writing (the PCPD publishes a standard data access request form) and the data user must comply within 40 days of receipt under section 19; if it cannot do so, it must inform the requester in writing within that period and comply as soon as practicable thereafter. A data user may charge a fee that is not excessive (section 28) and may, or in some cases must, refuse a request on the grounds set out in section 20 or where an exemption in Part 8 applies (e.g., crime prevention, legal professional privilege).<\/p>\n<p>Under section 22, an individual who has obtained a copy of their data may request that inaccurate data be corrected, and the data user must comply within 40 days of receipt. A data user may refuse a correction request if it is not satisfied that the data is inaccurate or if the requester does not provide sufficient information to establish the inaccuracy. If a correction request is refused, the data user must, within the same 40-day period, notify the requester in writing of the refusal and the reasons for it (section 24), and record the refusal in the log book it is required to keep under section 27.<\/p>\n<p>There is no general statutory right for a person to demand deletion of personal data simply because they want it erased (i.e., no \u201cright to be forgotten\u201d under Hong Kong law). Instead, the PDPO requires data users to keep personal data no longer than necessary and, under section 26, to erase personal data when it is no longer required for the purpose for which it was used, unless erasure is prohibited by law or contrary to the public interest.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction allow or provide for a private right of action for violations?  
If so, does your jurisdiction also allow \u201cclass action\u201d litigation (i.e., on behalf of a class or (\u2018many\u2019) claimants)? Please explain under what circumstances in which a private right of action applies and\/or a class action may be brought, and whether types of claims\/violations present a higher risk of a private right of action or class action (e.g., are there statutory damages or presumed harm for certain violations)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Apart from the civil compensation claim under section 66 (discussed below), the PDPO does not create a general private right of action; contraventions are primarily dealt with through administrative enforcement by the PCPD.<\/p>\n<p>Individuals may also pursue common law remedies, including:<\/p>\n<ul>\n<li>Breach of confidence \/ misuse of private information: where the claimant has a \u201creasonable expectation of privacy\u201d in the information (the line of authority developed in Mosley v News Group Newspapers Ltd [2008] EWHC 1777 (QB)).<\/li>\n<li>Doxxing: victims of doxxing can bring a civil action against the person who disclosed their personal data for damage caused by conduct amounting to an offence under section 64 of the PDPO.<\/li>\n<li>Negligence: for data breaches causing financial loss or distress, although, following the English case of Warren v DSG Retail Ltd [2021] EWHC 2168 (QB), actual damage has to be proved, and a claim in breach of confidence or misuse of private information does not lie against a data user that was itself the victim of a cyber-attack merely because it failed to keep the data secure.<\/li>\n<\/ul>\n<p>Hong Kong has no class action regime. The closest mechanism is the representative action under Order 15, Rule 12 of the Rules of the High Court (Cap. 4A of the Laws of Hong Kong): where numerous persons have the same interest in any proceedings, the proceedings may be begun or continued by or against any one or more of them as representing all, or all except one or more, of them.<\/p>\n<p>Further, section 66 of the PDPO empowers an individual who suffers damage by reason of a data user\u2019s contravention of the PDPO to seek compensation from that data user, and section 66B allows the Privacy Commissioner to grant legal assistance to such a claimant. 
Please see paragraph 34 below.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are individuals entitled to monetary damages or compensation if they are affected by breaches of data protection law? Does the law require actual and material damage to have been sustained, or is non-material injury to feelings, emotional distress or similar sufficient for such purposes?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Individuals can claim monetary damages or compensation under section 66 of the PDPO for damage suffered due to a data user&#8217;s contravention of the PDPO, including breaches of DPPs. Section 66(2) explicitly states that &#8220;damage&#8221; includes injury to feelings, so non-material harm (emotional distress, anxiety) is sufficient without requiring actual financial loss.<\/p>\n<p>For example, in Tsang Po Mann v. Tsang Ka Ki [2021] 1 HKLRD 1301, [2021] HKDC 208, the Hong Kong Court awarded damages to a victim involved in a defamation claim brought by a third party with respect to certain statements by the Defendants (the Plaintiff\u2019s neighbours) in a letter to the Plaintiff\u2019s colleagues\/supervisors, which included photographs captured from the Defendant\u2019s CCTV cameras. Although the Plaintiff lost the defamation claim, the Court ruled that the CCTV cameras by the Defendants were installed for the Defendant\u2019s home security, and thus publication of the photographs was use of collected personal data for a new purpose, for which consent should have been obtained, but not so. 
Accounting for the injury to the Plaintiff\u2019s feelings and extent of misuse of the CCTV footage, the court granted HK$70,000 in damages to the Plaintiff.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">How are data protection laws in your jurisdiction typically enforced? What regulatory body(ies) have enforcement authority?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Hong Kong&#8217;s data protection laws are primarily enforced through the Office of the Privacy Commissioner for Personal Data (\u201cPCPD\u201d), an independent statutory body established under the PDPO, which holds sole enforcement authority.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What is the range of sanctions (including fines and penalties) for violation of data protection laws in your jurisdiction?  Are there any guidelines or rules for the calculation of such fines or the imposition of sanctions?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The following table shows the range of sanctions available for violation of the PDPO provisions. 
It should be noted that while the PCPD can issue orders for enforcement, it is the courts of Hong Kong that determine and issue fines.<\/p>\n<table style=\"font-weight: 400\" data-tablestyle=\"MsoNormalTable\" data-tablelook=\"1184\">\n<tbody>\n<tr>\n<td data-celllook=\"69905\"><b><span data-contrast=\"auto\">Offence<\/span><\/b><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><b><span data-contrast=\"auto\">Maximum Penalty (First Conviction)<\/span><\/b><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><b><span data-contrast=\"auto\">Subsequent\/Repeated Offences<\/span><\/b><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<\/tr>\n<tr>\n<td data-celllook=\"4369\"><b><span data-contrast=\"auto\">Non-compliance with enforcement notice<\/span><\/b><span data-contrast=\"auto\">\u00a0(section 50A)<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"4369\"><span data-contrast=\"auto\">HK$50,000 fine + 2\u00a0years\u00a0imprisonment + HK$1,000 daily fine<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"4369\"><span data-contrast=\"auto\">HK$100,000 fine + 2\u00a0years\u00a0imprisonment + HK$2,000 daily fine<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<\/tr>\n<tr>\n<td data-celllook=\"4369\"><b><span data-contrast=\"auto\">Direct marketing without prescribed consent<\/span><\/b><span data-contrast=\"auto\">\u00a0(Part 6A)<\/span><span 
data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"4369\"><span data-contrast=\"auto\">HK$500,000-1,000,000 fine + 3-5 years imprisonment<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"4369\"><span data-contrast=\"auto\">Same<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<\/tr>\n<tr>\n<td data-celllook=\"4369\"><b><span data-contrast=\"auto\">Doxxing<\/span><\/b><span data-contrast=\"auto\">\u00a0(sections 64, 66K)<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"4369\"><span data-contrast=\"auto\">HK$1,000,000 fine + 5\u00a0years\u00a0imprisonment (if harm caused)<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"4369\"><span data-contrast=\"auto\">Same<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<\/tr>\n<tr>\n<td data-celllook=\"4369\"><b><span data-contrast=\"auto\">Obstructing PCPD investigation<\/span><\/b><span data-contrast=\"auto\">\u00a0(section 66I)<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"4369\"><span data-contrast=\"auto\">HK$10,000 fine + 6 months imprisonment<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"4369\"><span data-contrast=\"auto\">N\/A<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<\/tr>\n<tr>\n<td 
data-celllook=\"4369\"><b><span data-contrast=\"auto\">False statements to PCPD<\/span><\/b><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"4369\"><span data-contrast=\"auto\">HK$100,000 fine (summary) \/ HK$1,000,000 (indictment) + 6 months-2 years<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<td data-celllook=\"4369\"><span data-contrast=\"auto\">N\/A<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}\">\u00a0<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>It should however be noted that, except for anti-doxxing offences, criminal prosecution\/issuing of fines is NOT the PCPD\u2019s first course of action. The PCPD would normally first conduct investigations against suspected contraventions of the PDPO. If contraventions are found, the PCPD would first issue advisory notice\/warnings against the offenders and recommend changes\/remedial measures. Criminal prosecutions are normally only considered if the offenders ignore the PCPD\u2019s notices\/warnings; refuse to make changes; or repeatedly offend after receipt of notices. In practice, criminal enforcement is uncommon.<\/p>\n<p>(An overview of the PCPD\u2019s complaint handling chart (published December 2009) is available here: <a href=\"https:\/\/www.pcpd.org.hk\/tc_chi\/publications\/files\/chart.pdf\">LINK<\/a>)<\/p>\n<p>Further, as mentioned in section 33 above, the court can also award damages based on actual losses and distress as a civil compensation paid by the violating data user.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are enforcement decisions open to  appeal in your jurisdiction? 
If so, please provide an overview of the appeal options.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Parties who wish to appeal a decision of the PCPD may lodge an appeal with the Administrative Appeals Board, an independent statutory body established under the Administrative Appeals Board Ordinance (Cap. 442 of the Laws of Hong Kong). The Administrative Appeals Board has the power to confirm, vary, reverse, or substitute decisions made by the PCPD. The following is a list of appealable decisions by the PCPD:<\/p>\n<ul>\n<li>Refusal to investigate a complaint, or termination of an investigation, of an act that may be a contravention of the PDPO: under section 39(4) PDPO<\/li>\n<li>No enforcement notice issued to the relevant data user(s) based on the investigations concerned: under section 47(4) PDPO<\/li>\n<li>Appeal against the enforcement notice served on the relevant data user(s) based on the investigations concerned: under section 50(7) PDPO<\/li>\n<\/ul>\n<p>For appeals under sections 39(4) and 47(4) of the PDPO, complainants have 28 days from the relevant notices by the PCPD to lodge an appeal; for appeals under section 50(7) of the PDPO, data users have 14 days from the service of the enforcement notice to appeal.<\/p>\n<p>In addition, decisions of the PCPD or the Administrative Appeals Board may be challenged in the High Court by way of judicial review. See, for example, Eastweek Publisher Ltd &amp; Anor v Privacy Commissioner for Personal Data [2000] 1 HKC 692, in which the respondent Eastweek Publisher Ltd first applied to the Court of First Instance to challenge a finding by the PCPD that there was a breach of DPP1 based on the taking and publishing of photographs without the complainant\u2019s consent. 
After dismissal by the Court of First Instance, Eastweek appealed to the Court of Appeal.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction require the implementation of specific cybersecurity risk management measures and\/or require that organisations take specific actions relating to cybersecurity? If so, please provide an overview of these obligations and explain their scope\/applicability. For example, are all organizations subject to the requirement or only certain organizations (e.g., based on size, sector, critical infrastructure designation, public company)? Are there specific and\/or additional regulations for different industries (e.g., finance, healthcare, government)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Hong Kong now has a specific cybersecurity law that requires the implementation of concrete cybersecurity risk management measures, but it does not apply to all organizations. The main law is the Protection of Critical Infrastructures (Computer Systems) Ordinance (Cap. 653, \u201c<strong>PCICSO<\/strong>\u201d), which came into force on 1 January 2026.<\/p>\n<p>The law applies to organizations designated as critical infrastructure operators, and only in relation to their designated critical computer systems. It covers 8 sectors: energy, information technology, banking and financial services, air transport, land transport, maritime transport, health services, and telecommunications and broadcasting services. It can also cover other infrastructure if its disruption or data leakage could significantly affect Hong Kong\u2019s societal or economic activities.<\/p>\n<p>The law imposes three groups of duties. 
First, organizational duties, such as maintaining a Hong Kong office and setting up a computer-system security management unit. Second, preventive duties, such as submitting and implementing a security management plan, conducting risk assessments, carrying out security audits, and notifying material system changes. Third, incident response duties, such as participating in drills, maintaining an emergency response plan, and notifying incidents. There are also sector-specific arrangements for banking and financial services and for telecommunications and broadcasting, because the Monetary Authority and the Communications Authority have regulatory roles under the PCICSO.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction impose formal cybersecurity audit or certification requirements? If so, please provide an overview.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes. The PCICSO imposes formal cybersecurity audit requirements on designated critical infrastructure operators (<strong>\u201cCI operators\u201d<\/strong>). A CI operator must arrange a computer-system security audit within 24 months after designation and then at least once every 24 months thereafter. The audit must be carried out by an independent auditor, and the operator must submit an audit report to the regulating authority within the prescribed period. Cap. 
653 also separately requires annual computer-system security risk assessments.<\/p>\n<p>Hong Kong law does not currently impose a general mandatory cybersecurity certification requirement.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction impose specific requirements regarding vendor and supply chain management? If so, please provide details of these requirements.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes. Hong Kong law imposes vendor and supply chain management requirements on designated CI operators under the PCICSO. The statutory basis is section 23 read with Schedule 3, which requires the security management plan to address supplier-related contracts and communications. The detailed requirements are set out in section 6.2.25 of the Code of Practice Pursuant to the Protection of Critical Infrastructures (Computer Systems) Ordinance on 1 January 2026 (\u201cCode of Practice\u201d) issued by the Office of the Commissioner of Critical Infrastructure (Computer-system Security) Security Bureau (\u201cOCCICS\u201d). These include defined security requirements for suppliers, supply chain risk management processes, contractual controls, audit and monitoring rights, confidentiality obligations, and exit requirements for sensitive data.<\/p>\n<p>Cloud providers and outsourced service providers are also covered where their services relate to critical computer systems. The Code of Practice states that external cloud services for critical computer systems should be treated as part of the supply chain. It also requires the CI operator to define shared security responsibilities with cloud service suppliers. 
Section 13(1) of Cap. 653 allows a regulating authority to designate a computer system as a critical computer system even if the system is not under the control of the operator, provided it is accessible by the operator in or from Hong Kong and is essential to the core function of the critical infrastructure.<\/p>\n<p>(The Code of Practice is available here: <a href=\"https:\/\/www.occics.gov.hk\/filemanager\/en\/content_19\/CoP_en_v1.0.pdf\">LINK<\/a>)<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction require the appointment of a chief information security officer, regulatory point of contact, or other person responsible for cybersecurity? If so, please provide an overview of the requirement, including whether there are any formalities that must be observed regarding such appointment (e.g., board-approval, reporting line structure, notification to regulatory body).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes. Hong Kong law requires designated CI operators to establish and maintain a computer-system security management unit and to appoint an employee with adequate professional knowledge in cybersecurity to supervise that unit. The Code of Practice gives practical guidance on this requirement. It states that adequate professional knowledge generally means appropriate professional qualifications, such as CISP, CISA, CISM or CISSP, together with professional experience commensurate with the risks of the operator\u2019s critical computer systems.<\/p>\n<p>The appointment is subject to formalities. 
Under section 21 of the PCICSO, the CI operator must notify the regulating authority of the appointment of the employee supervising the computer-system security management unit and must also notify any change in that appointment within the prescribed period and in the specified form and manner.<\/p>\n<p>However, the PCICSO does not expressly require board approval for the appointment itself, although the cybersecurity management plan must be endorsed by the board, a delegated board committee, or relevant senior management.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction impose specific reporting or notice obligations in the context of cybersecurity incidents? If so, how do such laws define a cybersecurity incident and what are the reporting and notification requirements (please also note whether these laws require reporting of certain cyber security incidents, regardless of whether there has been a \u2018breach of personal data\u2019)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes. Hong Kong law imposes mandatory cybersecurity incident reporting obligations on designated CI operators under Cap. 653. Section 2 defines a computer-system security incident as an event involving unauthorized access or another unauthorized act on or through a critical computer system, with an actual adverse effect on that system\u2019s security.<\/p>\n<p>Under section 28 and Schedule 6, a CI operator must notify the OCCICS within 12 hours after becoming aware of a serious incident, or within 48 hours after becoming aware of any other incident. The operator must then submit a written report within 14 days after becoming aware of the incident. 
A serious incident means an incident that has disrupted, is disrupting, or is likely to disrupt the core function of the critical infrastructure concerned. The reporting trigger is therefore operational and cybersecurity impact, not only data breach impact.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Can individuals bring a private right of action for cybersecurity incidents or other violations of cybersecurity laws? If so, does your jurisdiction also allow \u201cclass action\u201d litigation (i.e., on behalf of a class or (\u2018many\u2019) claimants)? Please explain the circumstances in which a private right of action and\/or a class action may be brought.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Hong Kong cybersecurity laws do not create a broad statutory private right of action for individuals to sue for a mere breach of the cybersecurity statute itself. Under the PCICSO, the enforcement model is regulatory and criminal. It is directed at compliance, directions, investigation powers, offences and penalties, rather than civil claims by affected individuals.<\/p>\n<p>However, private civil claims may still be brought where the facts of the cybersecurity incident support another cause of action, such as a claim under personal data protection law, in contract, in negligence, for breach of confidence, or for misuse of private information.<\/p>\n<p>Hong Kong does not have a \u201cclass action\u201d regime. 
Group claims may still be possible through joinder or limited representative procedures, but those are narrower than class actions.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">How are cybersecurity laws in your jurisdiction typically enforced? What regulatory body(ies) have enforcement authority?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Cybersecurity laws in Hong Kong are typically enforced through regulatory supervision, directions, investigations, offences and penalties, with additional sector-specific oversight where relevant. Under the PCICSO, the main enforcement authority is the Commissioner of Critical Infrastructure Computer-system Security (\u201cthe OCCICS\u201d). The designated authorities are currently the Monetary Authority and the Communications Authority, for their respective sectors.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What powers of oversight \/ inspection \/ audit do regulators have in your jurisdiction under cybersecurity laws?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Regulators in Hong Kong have powers of compliance oversight, information-gathering, direction, audit supervision, risk assessment supervision, and formal investigation under the PCICSO.<\/p>\n<p>The OCCICS and designated authorities may require information and documents, monitor compliance, and issue written directions. 
The OCCICS has inspection and investigation powers, including warrant-based entry to premises, access to electronic devices and systems, questioning, and evidence collection.<\/p>\n<p>Regulators may require CI operators to carry out risk assessments and audits, including additional assessments or audits by written notice, and to submit the resulting reports.<\/p>\n<p>Non-compliance with these statutory requirements may constitute an offence.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What is the range of sanctions (including fines and penalties) for violations of cybersecurity laws in your jurisdiction? What is the range of sanctions (including fines and penalties) for violation of data protection laws in your jurisdiction? Are there any guidelines or rules for the calculation of such fines or the imposition of sanctions?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Under the PCICSO, sanctions are mainly fines imposed on the organisation rather than on individuals. Cap. 653 provides fixed statutory maxima for specific offences. In broad terms, the penalties range from HK$300,000 to HK$5,000,000, with additional daily fines where the offence continues.<\/p>\n<p>The PCICSO does not provide a turnover-based formula or a general penalty matrix. The applicable sanction depends on the specific offence provision, whether the prosecution proceeds by summary conviction or conviction on indictment, and whether the offence is expressed as a continuing offence.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are enforcement decisions open to appeal in your jurisdiction? 
If so, please provide an overview of the appeal options.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes. Enforcement decisions under the PCICSO are open to appeal. The PCICSO establishes an Appeal Panel and case-specific appeal boards under Part 7 and Schedule 7. An appeal board is formed from members of the Appeal Panel to hear each appeal. The board may affirm, reverse, or vary the decision under appeal. It must give reasons in writing for its decision.<\/p>\n<p>To lodge an appeal, the appellant must file a notice of appeal setting out the grounds of appeal with the chairperson of the Appeal Panel, in accordance with Schedule 7. The appeal board then hears and determines the matter. The appeal board must determine certain procedural applications, including applications relating to suspension, as soon as reasonably practicable.<\/p>\n<p>The statutory appeal mechanism is the primary route provided by Cap. 653. 
As a matter of Hong Kong public law, judicial review may still be available in principle in appropriate cases, subject to ordinary public law rules and the usual requirement to consider or exhaust alternative remedies first.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\r\n\r\n\t\t\t<\/ol>\r\n\r\n<\/div>"}},"_links":{"self":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/comparative_guide\/140800","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/comparative_guide"}],"about":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/types\/comparative_guide"}],"wp:attachment":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/media?parent=140800"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}