Hong Kong Privacy Laws 2025: Data Protection Challenges as Technology Evolves
- Chloe Lau
- Feb 26, 2025
- 6 min read
Updated: Mar 24
Author: Chloe Lau, Associate Solicitor
In 2025, the world is at a critical juncture, navigating the fine line between technological progress and the protection of personal privacy, and Hong Kong is no exception. As a prominent global financial centre and a hub for innovation, Hong Kong has been an experimental ground for advanced technologies such as AI, blockchain, and big data analytics.
However, the swift adoption of these technologies has raised concerns on data privacy, leading to a reassessment of the balance between technological innovation and individual rights. This article examines the development of privacy laws in Hong Kong, the challenges posed by new technologies, and the measures taken to protect personal data in an increasingly digital world.
Hong Kong Privacy Laws 2025: The Legal Foundation
Hong Kong's privacy regulations are primarily governed by the Personal Data (Privacy) Ordinance (PDPO), enacted in 1996. The PDPO established a framework for the collection, use, and protection of personal information, introducing six data protection principles. As technology progressed, the limitations of the PDPO became evident, particularly in addressing cross‑border data transfers, algorithmic decision‑making, and data breaches.
The Push for Change: Notable Data Breaches and Public Concerns
In the early 2020s, several major data breaches exposed the personal information of millions of Hong Kong residents. In 2022, a large telecom provider suffered a cyberattack affecting more than three million customers, triggering public concern and highlighting weaknesses in the existing framework. A further data breach occurred at Hong Kong’s Cyberport, which was reported on our website previously.
In response, a comprehensive review of the PDPO was conducted and the Personal Data (Privacy) (Amendment) Ordinance was proposed. Originally planned for Legislative Council review by the end of 2024, the amendments are expected to be implemented in stages, with full effect anticipated by 2026.
Key Changes Under the Proposed 2024 Amendment Ordinance
The proposed 2024 Amendment Ordinance introduced several key changes, including:
Mandatory Data Breach Notification
Organisations must notify the Privacy Commissioner for Personal Data (PCPD) and affected individuals in the event of a data breach posing significant risk. This provision ensures transparency and accountability.
Enhanced Consent Requirements
Stricter consent requirements for sensitive personal data, such as biometric information and health records. Organisations must obtain explicit consent before collecting, using, or sharing such data, and individuals can withdraw consent at any time.
Regulation of Algorithmic Decision-Making
The amendment regulates the use of AI and machine learning in decision-making processes. Organisations must ensure algorithms are transparent, fair, and free from bias, and individuals can request explanations of automated decisions.
Cross-Border Data Transfer Mechanisms
The amendment established a framework for cross-border data transfers. Organisations must conduct risk assessments before transferring personal data outside Hong Kong and ensure recipient jurisdictions provide adequate data protection.
Increased Penalties for Non-Compliance
To deter violations, the amendment significantly increased penalties for non-compliance with the PDPO. Organisations face fines of up to 10% of their annual turnover or HK$10 million, whichever is higher.
Some businesses forced to reevaluate their data practices - others supportive despite the added burden
The 2024 Amendment Ordinance has significantly impacted both businesses and individuals in Hong Kong. Businesses have had to reevaluate data practices and implement robust data protection measures. While some initially viewed the reforms as burdensome, others recognised the benefits of enhanced data protection, especially in establishing trust from customers while mitigating reputational risk from data breaches.
Individuals now have greater control over their personal data. The right to withdraw consent, request explanations for algorithmic decisions, and receive timely notifications of data breaches has empowered individuals to protect their privacy in an increasingly digital world.
Hurdle: regulating cross-border data transfers could hinder international business operations
Implementing the 2024 Amendment Ordinance has not been without challenges and controversies. One contentious issue has been the regulation of cross-border data transfers, which critics argue could hinder international business operations and create barriers to data-driven innovation.
Nonetheless, it appears that proposals to amend the PDPO have been postponed due to concerns over the financial strain on businesses of smaller scales. The government may consider a phased approach to ease the burden on local enterprises. As of the date hereof, no definitive timeline has been announced for the amendments, with updates to follow once concrete proposals are ready.
The Future: Privacy in the Age of AI and Big Data
As Hong Kong continues to embrace technological innovation, privacy protection remains a pressing concern. The rise of AI, big data, and the Internet of Things (IoT) presents both opportunities and risks, requiring a proactive approach to data protection.
Moving forward, Hong Kong must strike a balance between fostering innovation and safeguarding individual rights. Ongoing collaboration between the government, businesses, and civil society is needed to address emerging challenges and adapt the legal framework to the evolving digital landscape.
The 2024 Advisory Guidelines on the Use of Personal Data in Artificial Intelligence: an interim framework
In the interim, the PCPD published the “Artificial Intelligence: Model Personal Data Protection Framework” in June 2024, which provides a framework for organisations to responsibly use personal data in AI systems while complying with the PDPO. These guidelines emphasize transparency, accountability, and fairness in AI-driven processes that impact individuals.
In summary, the guidelines are as follows:
Lawfulness and Fairness:
Organisations must collect and use personal data legally and ethically, obtaining explicit consent and informing individuals about its use in AI systems.
Purpose Limitation:
Data should only be used for disclosed purposes, avoiding unrelated AI applications without consent.
Data Minimization:
Collect only necessary data for AI purposes, minimising excessive or irrelevant information to reduce privacy risks.
Transparency and Explainability:
Organisations must be transparent about how AI systems operate, including the logic behind recommendations or decisions. Individuals should be able to understand and, if necessary, challenge outcomes that affect them.
Accuracy and Fairness:
AI systems must be trained on accurate, representative, and unbiased data to prevent discriminatory or unfair outcomes. Regular audits and testing are recommended to ensure fairness and reliability.
Accountability and Security:
Organisations are accountable for safeguarding personal data used in AI systems. Robust security measures must be implemented to prevent unauthorized access, breaches, or misuse.
Individual Rights:
Allow individuals to access, correct, or withdraw their data, providing mechanisms to exercise these rights.
Albeit not legally binding, these guidelines aim to balance the benefits of AI innovation with the protection of individual privacy, ensuring that AI systems are used ethically and responsibly in Hong Kong. Organisations are encouraged to adopt these principles to build trust and comply with legal obligations.
The 2024 Amendment and the PCPD guidelines show alertness to data challenges now and ahead
In 2025, Hong Kong stands as a testament to the importance of adapting privacy laws to the realities of the digital age. The 2024 Amendment Ordinance, once enacted, represents a significant step forward in strengthening data protection and empowering individuals; whereas the recent guidelines published by the PCPD also shed light on the regulatory stance in this respect. As technology continues to evolve, so must the legal framework that governs its use. By prioritizing privacy and encouraging a culture of accountability, Hong Kong can face the complexities of the digital age with more confidence and ensure that innovation serves the best interests of all its citizens.
How Ravenscroft & Schmierer Can Help?
Navigating legal and regulatory issues in Hong Kong requires timely, practical and legally sound advice. Ravenscroft & Schmierer assists individuals and businesses in understanding their rights, obligations and available options, with a focus on clear strategy and efficient outcomes.
Our team advises on both preventative compliance and dispute resolution, helping clients assess risks, respond to evolving legal requirements and take decisive action when needed. If you require guidance on how these issues may affect your situation, contact us to discuss your circumstances and the steps available to you.
FAQ: Hong Kong Privacy Laws 2025
What are Hong Kong privacy laws governed by?
Hong Kong privacy laws are governed by the Personal Data (Privacy) Ordinance.
What changes are proposed under the 2024 Amendment Ordinance?
The amendments introduce mandatory breach notification, AI regulation, cross‑border controls, enhanced consent, and higher penalties.
Are the amendment provisions in force yet?
As of 2025, the amendments have not been fully enacted, and no definitive implementation timeline has been announced.
How do AI systems affect privacy compliance?
Businesses using AI must ensure transparency, explainability, fairness, and accountability when processing personal data.
Do the PCPD AI guidelines have legal force?
No. They are advisory but reflect regulatory expectations.
How can Ravenscroft & Schmierer assist with data protection compliance?
Ravenscroft & Schmierer advises businesses on PDPO compliance, data governance, breach response, and regulatory risk.
Does Ravenscroft & Schmierer assist with cross‑border data transfer issues?
Yes. We advise on data transfer risk assessments and compliance strategies involving international operations.
When should organisations seek legal advice on privacy issues?
Advice should be sought before adopting new technologies, transferring personal data abroad, or responding to data breaches.
Disclaimer: Whilst every effort has been made to ensure the accuracy of this article it is general in nature and does not constitute legal advice of any kind. You should seek your own personal legal advice before taking legal action. We accept no liability whatsoever for loss arising out of the use or misuse of this article.
For specific advice about your situation, please contact:
Associate
+852 2388 3899
Before you share that next photo online, consider what hidden information it might contain. Using an EXIF data removal service like MetadataRemover.org can help you quickly and easily strip out potentially sensitive details. This includes things like the exact location where the photo was taken (if GPS was on), the make and model of your camera or phone, and even the date and time. Taking a moment to clean your images before posting is a good habit for anyone who wants to maintain better control over their personal data and enhance their online privacy.