A Minor Matter or a Major Breach? Hong Kong Data Breach Risks and Legal Implications
- Anna Lau

- Dec 20, 2023
Updated: 3 days ago
Author: Anna Lau, Partner
In today’s interconnected digital world, cybersecurity breaches have become increasingly common, posing major legal and ethical challenges. When sensitive information is compromised, consequences can be severe for individuals and organisations alike. This was the case with the recent cybersecurity breach at Hong Kong’s Cyberport, a leading government‑owned technology hub.
The incident, as well as the limited reporting surrounding it, raises significant concerns about data privacy, legal liabilities of data users, and the rights of affected individuals. The following sections analyse the incident, its disclosure, legal implications for Cyberport, and available remedies.
The scene of the crime
Cyberport is a creative digital community in Hong Kong housing over 1,500 start‑ups and technology firms, focusing on fintech, AI, big data and smart city development. Owned by the Hong Kong SAR Government, Cyberport presents itself as a ‘digital technology flagship’.
This portrayal makes the occurrence of a serious data incursion particularly striking.
The Incident and Its Reporting
The breach was discovered in mid‑August 2023 but was not publicly disclosed until September, almost one month later. Prior to Cyberport’s announcement, media reports indicated that a hacker group known as Trigona had threatened to publish over 400GB of data unless a ransom was paid. Cyberport declined to pay, and the data was later released on the dark web.
Cyberport’s statement confirmed that compromised data included names and contact details, human‑resources information of employees, former employees and job applicants, as well as a limited number of credit card records.
The delay in disclosure and lack of follow‑up information prompted concerns regarding transparency and timeliness.
Legal Implications for Cyberport
Cyberport’s legal exposure as a data user is substantial. Two critical issues arise:
- Whether Cyberport was negligent in its handling of personal data.
- Whether Cyberport breached data protection laws in Hong Kong and other jurisdictions depending on affected individuals’ nationalities.
Potential Violations of Data Protection Laws
The incident constitutes a data breach, exposing personal data to unauthorised access and risk of misuse. Cyberport therefore has a duty to maintain effective data breach handling policies and demonstrate accountability.
As at January 2023, over 120 jurisdictions had enacted data privacy laws, including Hong Kong, Mainland China, and the European Union.
Hong Kong PDPO
Under the Personal Data (Privacy) Ordinance (PDPO), the Privacy Commissioner for Personal Data (PCPD) may issue enforcement notices for contraventions. Affected individuals may also pursue civil claims including breach of privacy or negligence.
The delayed reporting may arguably contravene Data Protection Principle 4, potentially triggering investigation and remediation orders.
Mainland China PIPL
China’s Personal Information Protection Law (PIPL) requires breach notification within 72 hours and imposes fines up to 50 million RMB or 5 percent of annual revenue. For PIPL purposes, Hong Kong is treated as outside of China, creating additional compliance complexity.
EU GDPR
If EU citizens were affected, the GDPR applies extraterritorially. Organisations may face fines of up to 4 percent of global turnover or €20 million, and strict 72‑hour reporting requirements.
Has Cyberport Been Negligent?
As of the date hereof, investigations by the PCPD and Hong Kong Police Force remain ongoing. Statements indicating that sensitive data was stored on a shared drive raise questions about data governance standards, though no conclusions have yet been published.
Steps Individuals Can Take
Affected individuals may seek:
- Full disclosure of compromised data from Cyberport.
- Complaints to the PCPD.
- Data access, rectification and erasure rights under GDPR.
- Civil claims for compensation and distress.
Courts may consider the nature of the breach, suffered losses, and legal obligations when determining liability.
Priorities for Data Custodians
The Cyberport incident highlights the importance of:
- Immediate breach reporting.
- Robust data security protocols.
- Transparent public communication.
- Proactive regulatory cooperation.
Failure to adopt these measures may aggravate penalties and undermine public trust.
How Ravenscroft & Schmierer Can Help
Cyber incidents raise complex questions of regulatory compliance, liability, and cross‑border exposure. Ravenscroft & Schmierer advises organisations and individuals on data breach response, privacy compliance, regulatory engagement and potential civil claims.
If you are affected by a Hong Kong data breach or responsible for managing data risk, contact us to discuss your situation and available options.
FAQ: Hong Kong Data Breach
What qualifies as a data breach in Hong Kong?
A breach occurs when personal data is accessed, disclosed, lost or processed without authorisation.
Does Hong Kong require mandatory breach reporting?
Mandatory reporting is not yet legislated under the PDPO but is strongly encouraged and proposed under future amendments.
Can individuals claim compensation after a data breach?
Yes. Individuals may pursue civil claims if damage or distress has been suffered.
Can overseas laws apply to Hong Kong data breaches?
Yes. GDPR or PIPL may apply depending on affected individuals’ nationality and data location.
What penalties can organisations face?
Depending on jurisdiction, penalties may include fines, enforcement notices and civil liability.
How can Ravenscroft & Schmierer assist organisations affected by a Hong Kong data breach?
Ravenscroft & Schmierer advises organisations on managing data breach incidents, including regulatory reporting obligations, engagement with the Privacy Commissioner for Personal Data, risk assessment across jurisdictions, and potential civil exposure.
Does Ravenscroft & Schmierer advise individuals whose personal data has been compromised?
Yes. We advise individuals on their rights following a data breach, including regulatory complaints, access and disclosure requests, and potential legal claims for loss or distress under applicable data protection laws.
Can Ravenscroft & Schmierer assist with cross‑border data protection issues arising from a Hong Kong data breach?
Yes. Where a data breach may engage foreign data protection regimes such as GDPR or Mainland China’s PIPL, we advise on cross‑border exposure, compliance obligations, and coordination with overseas counsel where appropriate.
Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.
For specific advice about your situation, please contact:
Partner
+852 2388 3899

