Sharon Chen and Glenn Haley of Bryan Cave Leighton Paisner have a series of articles concerning Hong Kong’s possible protection-strengthening amendments o the Personal Data (Privacy) Ordinance (“PDPO”). They write:
At present, the PDPO does not require data users to notify data breaches, either to the Privacy Commissioner for Personal Data (“PCPD”) or to the data subjects concerned. To date, reporting to the PCPD has been voluntary and only was encouraged as a matter of good practice. Following recent incidents of personal data privacy breaches (for example, the data breach incident involving Cathay Pacific and Hong Kong Dragon Airlines (as it then was) in 2018 ), public concerns about the adequacy of the PDPO began to find voice.
On 20 January 2020, the Hong Kong Government proposed a series of amendments to the PDPO with a view to strengthening the protection for personal data .
So far, they have posted two parts discussing proposed amendments. The first part covers proposed data breach notification requirements.