The freedom and privacy of communication of Hong Kong residents are enshrined in Article 30 of the Basic Law and Article 14 of the Bill of Rights Ordinance. In order to effectively protect these important constitutional guarantees and to maintain an adequate level of data protection to enhance Hong Kong’s status as a leading international financial center, the Personal Data (Privacy) Ordinance (PDPO) was enacted in 1995. Thereafter, the PDPO underwent two major amendments: the amendment in 2012 introduced direct marketing provisions and additional protection to cope with new privacy challenges, and the amendment in 2021 criminalized doxxing acts that intrude on personal data privacy.
While the Hong Kong Special Administrative Region government endeavors to keep the data protection laws in Hong Kong abreast of emerging trends, and the Office of the Privacy Commissioner for Personal Data (PCPD), the data privacy and security regulator in Hong Kong, is known as one of the most proactive enforcers in the world, concerns persist that Hong Kong’s data privacy and cybersecurity laws require urgent amendments to align with international standards and counterparts in some major jurisdictions.
While the PDPO serves as the cornerstone of data privacy regulation in Hong Kong, it stands alone. Unlike other major international financial centers, Hong Kong currently lacks dedicated cybersecurity laws. The absence of a robust cybersecurity mechanism is particularly evident when compared to its peers.
In contrast, the United Kingdom has established a comprehensive data privacy and cybersecurity framework since the 1990s. The groundbreaking Computer Misuse Act 1990 criminalized key cyber offenses, paving the way for further legislation. The key data privacy laws and regulations include the UK General Data Protection Regulation, and the European Union General Data Protection Regulation, which forms part of the domestic laws of the UK. This piece of regulation was amended accordingly after Brexit. After Brexit, some other domestic legislation, including the UK Data Protection Act 2018 and the Network and Information Security Regulations 2018, has remained among the major laws that regulate and safeguard data privacy and cybersecurity.
The Chinese mainland has established a robust legal framework for data privacy and cybersecurity, consisting of major laws like the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law (PIPL), which provide a solid foundation for personal data protection and cybersecurity. Aside from these major laws, the mainland has implemented sector-specific regulations tailored to protect data in crucial industries such as healthcare, finance, telecommunications and e-commerce. This multilayered approach demonstrates the Chinese authorities’ commitment to data security and privacy across diverse sectors.
While directly comparing data privacy laws across jurisdictions via a quantitative exercise has its weak points, the current landscape in Hong Kong raises the question of whether the existing regulations adequately address the diverse data protection needs of critical industries.
The number of dedicated data protection laws in Hong Kong is minimal compared to other international financial centers, suggesting a potential need for a more comprehensive legal framework for safeguarding data privacy and cybersecurity.
In October 2021, the HKSAR government initiated preparatory measures to introduce cybersecurity legislation, aiming to strengthen cybersecurity of critical information infrastructure by imposing network security obligations on relevant operators. This proposal was followed up in the chief executive’s 2022 Policy Address, which indicated that the government would launch a public consultation on the enhancement of cybersecurity of critical infrastructure in early 2023. However, the public consultation was postponed, and details of the legislative proposal are yet to be seen.
The latest Policy Address delivered in October reaffirmed the government’s commitment to legislate for cybersecurity of critical infrastructure, with specific focus on energy, telecommunication, transportation, and financial institutions. While it is encouraging that the chief executive identified for the first time the specific areas that require enhanced cybersecurity protection, it is essential that the government upholds its pledge to introduce the bill in 2024 as set out in the latest Policy Address.
In a Legislative Council meeting in 2022, the government indicated that the Security Bureau had stepped up internal preparatory work for the enactment of cybersecurity legislation. The primary focus of the government would be the establishment of a preventive management regime for critical infrastructures, the setting up of a cybersecurity plan, and the introduction of a regular security assessment plan. Beyond prioritizing these critical areas for data protection legislation, the government should also carefully consider the territorial application of the laws of the People’s Republic of China (PRC laws) on proposed data flows from the mainland to Hong Kong.
In the 2022 Policy Address, the chief executive pledged to continue to actively open up data and encourage public and private organizations to follow the government’s direction for innovative industry applications. To realize this vision, the HKSAR government will explore with the mainland side the arrangements to facilitate a better flow of data between the two sides, with a view to jointly promoting the coordinated development of smart cities in the Guangdong-Hong Kong-Macao Greater Bay Area.
However, the realization of this grand vision requires meticulous consideration of how the extraterritorial applicability of PRC laws on data privacy and security can be enforced in Hong Kong. Take Article 3 of the PRC PIPL as an example. Pursuant to this Article, the PIPL can be applied to the processing outside the mainland of the personal information of natural persons living in the mainland under three specific circumstances, namely, for the purpose of providing products or services for natural persons in the mainland, analyzing or evaluating the behavior of natural persons in the mainland, and any other circumstances as provided by any law or administrative regulation.
Experience suggests that the extraterritorial effect of PRC laws on data privacy and security does not stay on paper. In fact, on July 21, 2022, the Cyberspace Administration of China imposed a record-breaking penalty of 8.03 billion yuan ($1.12 billion) on Didi Global Inc, a company incorporated in the Cayman Islands. This was one of the first cases wherein the Cyberspace Administration of China launched a cybersecurity review and might be the first case that hit the maximum fine allowed under the PIPL. This landmark case demonstrated the determination of the mainland authority to enforce its data privacy and security law extraterritorially. It also underscored the need for careful data handling practices and compliance with PRC laws by non-China entities to avoid hefty fines and potential operational disruptions.
Given the mainland authority’s strong commitment to enforcing data protection and security laws both domestically and internationally, a key question arises: How can data flow smoothly between the mainland and Hong Kong while ensuring robust data protection and effective enforcement by both jurisdictions? How could the mainland authority enforce the PRC laws on a Hong Kong entity based in Hong Kong under the “one country, two systems” framework? It behooves the authorities from both sides to address these multifaceted questions through thorough research, insightful analysis and collaborative efforts.
The author is a solicitor, research assistant of the City University of Hong Kong, and a doctorate of Law candidate at Tsinghua University.
The views do not necessarily reflect those of China Daily.