In 2025, the world is at a critical juncture, navigating the fine line between technological progress and the protection of personal privacy, and Hong Kong is no exception. As a prominent global financial centre and a hub for innovation, Hong Kong has been an experimental ground for advanced technologies such as AI, blockchain, and big data analytics. However, the swift adoption of these technologies has raised concerns about data privacy, leading to a reassessment of the balance between technological innovation and individual rights. This article examines the development of privacy laws in Hong Kong, the challenges posed by new technologies, and the measures taken to protect personal data in an increasingly digital world.
Author: Chloe Lau, Associate Solicitor
The Basis of Privacy Laws in Hong Kong
Hong Kong's privacy regulations are primarily governed by the Personal Data (Privacy) Ordinance (PDPO), enacted in 1996. The PDPO established a framework for the collection, use, and protection of personal information, introducing six data protection principles. As technology progressed, the limitations of the PDPO became evident, as it struggled to address issues like cross-border data transfers, algorithmic decision-making, and data breaches.
The Push for Change: Notable Data Breaches and Public Concerns
In the early 2020s, several significant data breaches exposed the personal information of millions of Hong Kong residents. In 2022, a major telecom company experienced a cyberattack that compromised the data of over 3 million customers, sparking public outrage and underscoring the inadequacies of the existing legal framework. A less severe but similarly embarrassing data breach occurred only recently at Hong Kong’s Cyberport, as reported on our website earlier.
In response, a thorough review of the PDPO was conducted, and the Personal Data (Privacy) (Amendment) Ordinance was proposed. This proposed legislation was originally set to be put before the Legislative Council by the end of 2024, and once enacted, would likely be introduced gradually, with full implementation anticipated by 2026.
Key Changes Under the Proposed 2024 Amendment Ordinance
The proposed 2024 Amendment Ordinance introduced several key changes, including:
Mandatory Data Breach Notification
Organisations must notify the Privacy Commissioner for Personal Data (PCPD) and affected individuals in the event of a data breach posing significant risk. This provision ensures transparency and accountability.
Enhanced Consent Requirements
Stricter consent requirements apply to sensitive personal data, such as biometric information and health records. Organisations must obtain explicit consent before collecting, using, or sharing such data, and individuals can withdraw consent at any time.
Regulation of Algorithmic Decision-Making
The amendment regulates the use of AI and machine learning in decision-making processes. Organisations must ensure algorithms are transparent, fair, and free from bias, and individuals can request explanations of automated decisions.
Cross-Border Data Transfer Mechanisms
The amendment established a framework for cross-border data transfers. Organisations must conduct risk assessments before transferring personal data outside Hong Kong and ensure recipient jurisdictions provide adequate data protection.
Increased Penalties for Non-Compliance
To deter violations, the amendment significantly increased penalties for non-compliance with the PDPO. Organisations face fines of up to 10% of their annual turnover or HK$10 million, whichever is higher.
Some businesses forced to reevaluate their data practices - others supportive despite the added burden
The 2024 Amendment Ordinance has significantly impacted both businesses and individuals in Hong Kong. Businesses have had to reevaluate data practices and implement robust data protection measures. While some initially viewed the reforms as burdensome, others recognised the benefits of enhanced data protection, especially in establishing trust from customers while mitigating reputational risk from data breaches.
Individuals now have greater control over their personal data. The right to withdraw consent, request explanations for algorithmic decisions, and receive timely notifications of data breaches has empowered individuals to protect their privacy in an increasingly digital world.
Hurdle: regulating cross-border data transfers could hinder international business operations
Implementing the 2024 Amendment Ordinance has not been without challenges and controversies. One contentious issue has been the regulation of cross-border data transfers, which critics argue could hinder international business operations and create barriers to data-driven innovation.
Nonetheless, it appears that proposals to amend the PDPO have been postponed due to concerns over the financial strain on smaller businesses. The government may consider a phased approach to ease the burden on local enterprises. As of the date hereof, no definitive timeline has been announced for the amendments, with updates to follow once concrete proposals are ready.
The Future: Privacy in the Age of AI and Big Data
As Hong Kong continues to embrace technological innovation, privacy protection remains a pressing concern. The rise of AI, big data, and the Internet of Things (IoT) presents both opportunities and risks, requiring a proactive approach to data protection.
Moving forward, Hong Kong must strike a balance between fostering innovation and safeguarding individual rights. Ongoing collaboration between the government, businesses, and civil society is needed to address emerging challenges and adapt the legal framework to the evolving digital landscape.
The 2024 Advisory Guidelines on the Use of Personal Data in Artificial Intelligence: an interim framework
In the interim, the PCPD published the “Artificial Intelligence: Model Personal Data Protection Framework” in June 2024, which provides a framework for organisations to responsibly use personal data in AI systems while complying with the PDPO. These guidelines emphasize transparency, accountability, and fairness in AI-driven processes that impact individuals.
In summary, the guidelines are as follows:
Lawfulness and Fairness:
Organisations must collect and use personal data legally and ethically, obtaining explicit consent and informing individuals about its use in AI systems.
Purpose Limitation:
Data should only be used for disclosed purposes, avoiding unrelated AI applications without consent.
Data Minimization:
Collect only the data necessary for AI purposes, minimising excessive or irrelevant information to reduce privacy risks.
Transparency and Explainability:
Organisations must be transparent about how AI systems operate, including the logic behind recommendations or decisions. Individuals should be able to understand and, if necessary, challenge outcomes that affect them.
Accuracy and Fairness:
AI systems must be trained on accurate, representative, and unbiased data to prevent discriminatory or unfair outcomes. Regular audits and testing are recommended to ensure fairness and reliability.
Accountability and Security:
Organisations are accountable for safeguarding personal data used in AI systems. Robust security measures must be implemented to prevent unauthorized access, breaches, or misuse.
Individual Rights:
Allow individuals to access, correct, or withdraw their data, providing mechanisms to exercise these rights.
Although not legally binding, these guidelines aim to balance the benefits of AI innovation with the protection of individual privacy, ensuring that AI systems are used ethically and responsibly in Hong Kong. Organisations are encouraged to adopt these principles to build trust and comply with legal obligations.
The 2024 Amendment and the PCPD guidelines show alertness to data challenges now and ahead
In 2025, Hong Kong stands as a testament to the importance of adapting privacy laws to the realities of the digital age. The 2024 Amendment Ordinance, once enacted, represents a significant step forward in strengthening data protection and empowering individuals, while the recent guidelines published by the PCPD shed light on the regulatory stance in this respect. As technology continues to evolve, so must the legal framework that governs its use. By prioritizing privacy and encouraging a culture of accountability, Hong Kong can face the complexities of the digital age with more confidence and ensure that innovation serves the best interests of all its citizens.
Disclaimer: Whilst every effort has been made to ensure the accuracy of this article, it is general in nature and does not constitute legal advice of any kind. You should seek your own personal legal advice before taking legal action. We accept no liability whatsoever for loss arising out of the use or misuse of this article.