Key Data & Cybersecurity Laws
How are data and cybersecurity laws/regulations implemented?

Last review date: 31 December 2024

omnibus – all personal data

What are the key data privacy laws and regulations?
What are the key cybersecurity laws and regulations?

Last review date: 31 December 2024

There are currently no specific cybersecurity laws or regulations in force. The Protection of Critical Infrastructure (Computer System) Bill (CI Bill) was gazetted on 6 December 2024 and is expected to be passed in 2025. Once passed, the CI Bill is likely to take effect in 2026 - 2027.

What are the key laws and regulations relating to non-personal data?

Last review date: 31 December 2024

There are no specific laws and regulations relating to non-personal data. Non-personal data falls outside the scope of the PDPO.

Are new or material changes to those key data and cybersecurity laws anticipated in the near future?

Last review date: 31 December 2024

Yes

Data Privacy

In an earlier work report published in 2023, the PCPD proposed a number of amendments to the PDPO, including:

  • Establishing a mandatory data breach notification mechanism
  • Requiring formulation of a data retention policy
  • Empowering the PCPD to impose administrative fines
  • Introducing direct regulation of data processors

While no concrete legislative timeline or draft amendments have been publicized thus far, based on a recent comment by the Secretary for Constitutional and Mainland Affairs, the legislative amendments may come in the form of piecemeal amendments as opposed to a drastic overhaul, to minimize the impact on small businesses in particular.

Cybersecurity

On 6 December 2024, the Government gazetted the first draft of the CI Bill. The CI Bill was introduced to the Legislative Council for First Reading and Second Reading on 11 December 2024. It is expected that the CI Bill will likely be passed in 2025 and take effect between 2026 and 2027.

The Government has clarified that the CI Bill is not intended to target personal data or commercial confidential information, but rather to work in parallel with and complement the PDPO.

Based on the CI Bill, Critical Infrastructures (CIs) include:

  • Any infrastructure that is essential to the continuous provision in Hong Kong of an essential service in the energy, information technology, banking and financial services, air transport, land transport, maritime transport, healthcare services and telecommunications and broadcasting services sectors; and
  • Any other infrastructure whose damage, loss of functionality, or data leakage could hinder or otherwise substantially affect the maintenance of critical societal or economic functions in Hong Kong.

The CI Bill mandates that Critical Infrastructure Operators (CIOs) enhance the security of their critical computer systems (CCSs) by fulfilling statutory organizational, preventive, and incident reporting and response obligations, and minimize disruptions from cyberattacks. A Commissioner of Critical Infrastructure (Computer-system Security) (CI Commissioner) will oversee compliance, with powers to request information, investigate incidents, and direct CIOs to take action. In the banking and finance sector and the telecommunications and broadcasting services sector, the Hong Kong Monetary Authority (HKMA) and Communications Authority respectively will act as "Designated Authorities" with oversight roles, though the CI Commissioner will have ultimate authority.