Looking back, looking forward: Highlights and prospects in Hong Kong data privacy regulation

02 Jan 2025

There is never a dull moment in data privacy and protection. The global landscape is becoming increasingly complex, with overlapping regulation and a lack of international convergence. Although Hong Kong does not have these issues yet, 2024 witnessed some significant developments, setting the stage for an eventful 2025. In this article, Pádraig Walsh from our Data Privacy team highlights three key developments in 2024 and previews three potential highlights for the year ahead.

2024 in review

PCPD publishes “Artificial intelligence: Model personal data protection framework”

Governments and regulators around the world have been grappling with the ethical, legal and societal issues arising from the increasing development and deployment of generative artificial intelligence (AI) systems. The EU has adopted the EU AI Act, a general law that positions AI as a category of product regulation. The law applies to AI systems and general-purpose AI models in all sectors and domains, subject to certain exceptions. Outside the EU, most jurisdictions are presently avoiding general laws, and are instead regulating or providing guidance on AI in the context in which it is used. This is mostly done through existing legal frameworks, sometimes supplemented by specific regulations. Hong Kong has pursued this context-based approach to the regulation of AI, and the Office of the Privacy Commissioner for Personal Data (PCPD) has taken the lead.

On 11 June 2024, the PCPD released its comprehensive Model Personal Data Protection Framework [link], providing recommendations and best practices for the governance of AI and protection of personal data privacy for organisations that procure, implement and use AI systems. Those recommendations include four key measures, being:

1. Establish AI strategy and governance;
2. Conduct risk assessment and human oversight;
3. Implement continuous management of AI systems; and
4. Communicate and engage with stakeholders.

The AI Model Personal Data Protection Framework is a key document for businesses in Hong Kong to review, consider and implement. It will become a touchstone for the PCPD in future guidelines, policies and enforcement action.

PCPD findings on the operation of the Worldcoin project in Hong Kong

The PCPD was very active in investigating and reporting on data breaches among government and public institutions in 2024. However, perhaps the most engaging report was the PCPD investigation into the operation of the Worldcoin project in Hong Kong [link]. It was the moment when the fast and loose world of cryptocurrency met the will and might of global privacy regulators – including in Hong Kong.

Participants in the Worldcoin project needed to allow the relevant organisation to collect their face and iris images through iris scanning, in order to verify their humanness and generate iris codes. The participants then obtained a registered identity or digital passport, after which they would be able to receive Worldcoin tokens at regular intervals for free. 8,032 persons showed up at six premises across Hong Kong and had their irises and faces scanned.

The PCPD was not amused. Some of the contraventions included:

  • Collection of the face and iris images by the Worldcoin project was unnecessary and excessive.
  • The Privacy Notice and Biometric Data Consent Form provided at the operating locations were not available in Chinese. No persons at the operating locations offered any explanation or confirmed the participants’ understanding of the aforesaid documents, nor did they explain the possible risks of disclosure of biometric data.
  • The Privacy Notice and Biometric Data Consent Form did not contain the information prescribed under the Personal Data (Privacy) Ordinance (PDPO) to be provided on or before the collection of personal data.
  • Worldcoin proposed a retention period of a maximum of 10 years for the purpose of training AI models for the user verification process. This was too long and amounted to prolonged retention of personal data.
  • Participants did not have the means to exercise their rights of data access and correction.

The PCPD served an enforcement notice on Worldcoin Foundation, directing it to cease all operations of the Worldcoin project in Hong Kong in scanning and collecting iris and face images of members of the public using iris scanning devices.

PCPD compliance check on use of AI

We also liked the compliance check report published by the PCPD in February 2024 [link] on the use of AI by 28 organisations from various sectors, including telecommunications, finance and insurance, beauty services, retail, transportation and education, as well as government departments. The findings included:

  • 21 organisations used AI in their day-to-day operations;
  • 19 organisations established internal AI governance frameworks;
  • Only 10 organisations collected personal data through AI products and services;
  • Eight out of the 10 organisations had conducted privacy impact assessments prior to the development or use of AI products and services;
  • All of the 10 organisations implemented appropriate security measures to ensure that the personal data held by them was protected against unauthorised or accidental access, processing, erasure, loss or use in the course of the development or use of AI products or services; and
  • Among the 10 organisations, nine of them retained personal data collected through the AI products or services. Out of these, eight organisations specified retention periods for personal data and would delete or anonymise the data when the original purpose of collection has been achieved. The remaining organisation allowed data subjects to delete their personal data themselves.

No contravention of the PDPO was identified during the compliance check process.

It would be an interesting trend assessment if this compliance check became an annual exercise.

2025 in prospect

Protection of Critical Infrastructures (Computer Systems) Bill

If privacy lawyers in Hong Kong focused a lot on AI governance in 2024, the new cybersecurity law will be a key focus for 2025. The Government published the Protection of Critical Infrastructures (Computer Systems) Bill in the Gazette on 6 December 2024, and introduced it into the Legislative Council for First Reading and Second Reading on 11 December 2024 [link]. Once the Bill is passed, the government intends to set up a new Commissioner’s Office with professionals from the Digital Policy Office and the Police within a year for the implementation of the proposed legislation, with new regulations coming into effect six months after that.

The Security Bureau has stated that the proposed legislation will only require operators of critical infrastructure to bear the responsibility for securing their critical computer systems, and does not target personal data or commercial secrets contained within those systems [link]. Nonetheless, the governance framework that critical infrastructure operators must adopt, and the incident reporting and response obligations, are areas of expertise for privacy practitioners.

Key highlights of the proposed legislation include:

  • Critical infrastructure covered by the legislation will include infrastructure for delivering essential services in eight designated sectors, and infrastructure for important societal or economic activities (such as major sports and performance venues). The eight designated sectors are energy, information technology, banking and financial services, land transport, air transport, maritime, healthcare services, and communications and broadcasting.
  • There are three types of obligations, being organisational, preventive, and reporting and response.
  • The preventive obligations will include the obligation to formulate and implement a computer system security management plan, conduct a computer system security risk assessment at least annually, and conduct a computer system security audit at least once every two years.
  • The reporting and response obligations will include notifying the Commissioner’s Office of the occurrence of computer system security incidents in respect of critical computer systems. The reporting time frame will be 12 hours for serious incidents, and 48 hours for other incidents.
  • Historically, some essential service sectors have been regulated comprehensively by sector regulators. This is recognised by the proposal that organisational and preventive obligations (but not reporting and response obligations) under the new law can be fulfilled through designated sector regulators. The intention is that the Hong Kong Monetary Authority will act as the authority responsible for regulating some service providers in the banking and financial services sector, and the Communications Authority will do so for some service providers in the communications and broadcasting sector.

Some issues continue to attract attention and debate, including the extent of certain enforcement powers and extra-territorial considerations. Nonetheless, this new legislation in the Hong Kong firmament has been generally welcomed, and organisations are busying themselves to be fully prepared by the time the legislation takes effect.

GBA Cross-Boundary Data Flow

Future economic development in Hong Kong will be even more closely linked to its economic integration with the rest of China. Various initiatives across a number of spheres of activity have been launched to facilitate greater ease of movement of goods, people … and data.

Hong Kong is a different legal jurisdiction from Mainland China. The laws of Hong Kong and Mainland China on the transfer of personal data out of their respective jurisdictions are very different. The requirements for the transfer of personal information from Mainland China to other locations are stricter and more procedural than the corresponding requirements in Hong Kong. So, facilitating data flow within the Guangdong-Hong Kong-Macao Greater Bay Area (GBA) is an important initiative for the development of the economy in Hong Kong and the GBA generally.

Starting from 1 November 2024, the Standard Contract for Cross-Boundary Flow of Personal Information (“GBA Standard Contract”) has been extended to cover all companies registered or located in the nine GBA cities or the Hong Kong SAR. This move streamlines the safe and convenient transfer of personal data within the GBA. Additionally, restrictions on the maximum amount of personal data that can be transferred have been lifted, and the filing process has been shortened. The number of data protection due diligence areas was reduced from six categories to three.

This is a significant advance and addresses some of the concerns raised by businesses during the previous trial period of the initiative. 2025 could be the year in which adoption of the GBA Standard Contract becomes more widespread.

Piecemeal PDPO updates

It’s the hope that kills you. On 20 January 2020, the Constitutional and Mainland Affairs Bureau, in collaboration with the PCPD, reported on recommended changes to the PDPO. Proposed changes included a mandatory data breach notification requirement, new data retention obligations, and the power for the PCPD to issue administrative fines for non-compliance. In February 2024, the Privacy Commissioner reported at the Legislative Council on Constitutional Affairs that the PCPD was working alongside the Government to review the PDPO to strengthen data protection in Hong Kong. All was on track, albeit a rather longer track than expected.

However, at a Legislative Council meeting on 21 October 2024 [link], the Secretary for Constitutional and Mainland Affairs stated that these reforms are presently on hold. There are concerns about the potential financial strain on small businesses in the current economic climate. Instead, a piecemeal approach may be used to roll out amendments, in the hope that this might mitigate the impact of legislative changes on local enterprises.

It is unclear whether and when the government will resume its efforts to amend the PDPO. We are optimists. We will still include this in our list of things to look forward to in 2025.

Conclusion

Hong Kong may not be the most active jurisdiction in legislative reform. However, Hong Kong has an active privacy regulator that provides significant guidance across many key data privacy issues, and also conducts a broad range of compliance checks, investigations and enforcement actions. We have much to keep track of and to look forward to in the coming 12 months.

Pádraig Walsh and Vanessa Leung

Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication. This article was last reviewed on 02 January 2025.