The Office of the Privacy Commissioner for Personal Data of Hong Kong summarised enforcement trends and plans to further amend the Personal Data (Privacy) Ordinance.

By Kieran Donovan and Jacqueline Van

On 9 November 2022, the Office of the Privacy Commissioner for Personal Data of Hong Kong (Commissioner) published its annual report titled “A New Era in the Regulatory Regime for the Protection of Personal Data” (Annual Report). The Annual Report details the work of the Commissioner during 2021-2022, its observations on trends of complaints, and expectations for the year ahead. In particular, the Annual Report reflects the Commissioner’s continued efforts to enforce the new doxxing offence, and a likely further legislative review of the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO) in the coming year.

Legislative Review of the PDPO

The Commissioner announced in the Annual Report that it will be working closely with the government to carry out a review of the PDPO. The review will initiate legislative proposals to align Hong Kong’s privacy regime (by amending the PDPO) with international norms and regulatory practices.

While discussions of a PDPO update have been relatively quiet since 2020, the issue arose again at a Policy Briefing meeting of the Legislative Council Panel on Constitutional Affairs, which took place in October 2022. During the meeting, the Commissioner stated that the directions for amendment include establishing a mandatory data breach notification mechanism, requiring data users to devise a data retention period policy, empowering the Commissioner to hand down administrative fines, and directly regulating data processors.

Although the concrete timeline is still unclear, the review and amendment appear to be on the Commissioner’s radar, with more specific legislative proposals to the PDPO expected.

Enforcement of the New Doxxing Offence

Doxxing acts (i.e., publicly providing personally identifiable information about an individual or related persons, usually via the internet and often with malicious intent) became a major focus for the Commissioner in mid-2019. In October 2021, the Personal Data (Privacy) (Amendment) Ordinance 2021 (Amendment Ordinance) came into effect to criminalise doxxing and empower the Commissioner to carry out criminal investigations, institute prosecutions, and issue cessation notices. In the Annual Report, the Commissioner emphasised both its proactive efforts in combatting doxxing before the Amendment Ordinance and its extensive enforcement actions and exercise of powers after the Amendment Ordinance came into effect. These efforts included handling 928 doxxing cases, issuing over 600 cessation notices to various online platforms, and commencing criminal investigations into 65 cases.

In light of the Commissioner’s new powers to serve cessation notices on non-Hong Kong service providers to request the removal of doxxing content, the Commissioner also noted its collaboration with other data protection authorities on privacy issues involving cross-jurisdictional elements. For instance, in October 2021, the Commissioner became co-chairman of the International Enforcement Working Group (IEWG) of the Global Privacy Assembly. This appointment reflects the Commissioner’s efforts to strengthen international cooperation and facilitate cross-border enforcement, especially in light of the extraterritorial effect of the cessation notice regime.

The Annual Report confirms that enforcement of doxxing activities will remain a key priority for the Commissioner.

Please also refer to this Latham blog post “Hong Kong’s Anti-Doxxing Laws — the State of Enforcement One Year On” for further observations on doxxing-related enforcement since the Amendment Ordinance came into effect.

Other Complaint and Enforcement Trends

The Annual Report also detailed trends in the complaints the Commissioner received in the reporting year, which may inform the Commissioner’s likely areas of focus in 2023. Excluding doxxing-related complaints and cases, the Commissioner noted the following trends:

  • Private organisations such as banks, financial institutions, and property management companies faced the highest number of complaints so far. Other complaints were made against individuals and public bodies such as healthcare organisations, law enforcement agencies, and education institutes.
  • The majority of complaints alleged improper use and disclosure of personal data (over 40%), improper collection of personal data (almost 30%), and inadequate security of personal data (almost 12%).
  • Most complaints raised issues with information technology, especially online social networks and smartphone apps. In light of the privacy risks related to the use of social media, the Commissioner issued the Guidance on Protecting Personal Data Privacy in the Use of Social Media and Instant Messaging Apps in April 2021, which provided practical guidance to users for protecting their data privacy.

The Commissioner also ramped up its monitoring and compliance actions during the reporting year:

  • The Commissioner may initiate compliance checks or investigations if an organisation violates the PDPO. Following a compliance action, the Commissioner will generally point out any inconsistencies or deficiencies to the organisation and advise it on actions to correct or remedy the breaches and avoid recurrence of similar incidents. In 2021-2022, the Commissioner carried out 382 compliance actions, an increase of 7% compared to 2020-2021.
  • During the reporting year, the Commissioner received 142 data breach notifications. Data breach incidents included hacking; loss of documents or portable devices; inadvertent disclosure of personal data by fax, email, or post; unauthorised access to personal data by internal staff; accidental erasure of personal data; and system misconfiguration. The Commissioner conducted a compliance check or investigation into each of these data breach incidents and also published an investigation report on a hacking incident that resulted in the leakage of 1,600 customers’ personal data.
  • The Commissioner also inspected the customers’ personal data systems of two public utility companies on-site in 2021. The Commissioner detailed its findings and recommendations in its inspection report issued in August 2021.

The complaint and enforcement trends show the areas of regulatory concern on which the Commissioner is focused. These trends may indicate the Commissioner’s enforcement strategy in the coming years, and may also inform the review and potential amendment of the PDPO.