
Hong Kong Businesses Need a Bespoke Data Retention Policy!

Be prepared for new personal data privacy rules which are expected to become effective next year.

October, 2020

In this Room 228 Newsletter we look at the new personal data privacy rules which will soon have a significant impact on all Hong Kong businesses. While Apple-fans are keenly anticipating the new privacy protocol to be introduced in the new iOS 14 which should (maybe) help to protect Apple from privacy scandals, Hong Kong businesses should keep a close eye on and be prepared for new personal data privacy rules which are expected to become effective next year.


There are 6 key proposed changes to Hong Kong’s Personal Data (Privacy) Ordinance (PDPO):

  • new mandatory data breach notification mechanism
  • introduction of a data retention period
  • strengthening sanctioning powers
  • direct regulation of data processors
  • redefining “personal data”
  • regulation of disclosure of personal data of other data subjects

New mandatory data breach notification

This proposed new mandatory data breach notification mechanism will require data users to report data breaches which amount to a “real risk of significant harm” to the Privacy Commissioner within 5 business days; the affected data subjects should also be informed of the breach. The notification may be provided by email, fax (regular readers will be aware of our strong views on the anachronistic use of the obsolete fax machine!) or post.

Data retention policy

The general principle under the PDPO is that personal data should not be kept longer than necessary for a legitimate purpose. The longer the retention period, the higher the privacy risk it attracts – simple logic (out of sight, out of mind). The PDPO is still not seeking to impose any uniform retention policy, which means Hong Kong businesses will be expected to create, maintain and implement their own effective record-keeping regimes for the different classes of records containing personal data held for specific purposes. Legal requirements under other laws and regulations (e.g. employment and tax) will also affect the designated retention periods.

Sanctioning Powers

Currently, the maximum penalty for contravention is a fine of HK$50,000 which is (very) low by international standards. The changes are expected to increase the maximum fines and penalties under the PDPO, including the introduction of an administrative fine linked to the annual turnover of the data user, which for big business could mean BIG money!

Direct Regulation of data processors

Data processors are businesses which process personal data on behalf of another person, such as outsourced service providers. The PDPO currently only requires data users to impose their data protection measures on data processors by contractual means (i.e. under contracts), so data processors are not directly accountable for any data breach. This new proposal will impose legal obligations on data processors to observe the PDPO’s requirements on retention periods, security and mandatory notification of data breaches, and to be directly liable under the PDPO for them.

Redefinition of “Personal Data”

In view of the prevalent use of tracking and data analytical tools (do you use Google Maps, Gmail or Strava much?), it is proposed that the definition of personal data be expanded to include information that relates to an “identifiable” person, instead of only an “identified” person.

Regulation of disclosure of personal data of other data subjects

First, what is doxing? It is the internet-based practice of researching and publicly broadcasting private or identifying information about an individual or organisation.

Another new (and topical) feature being proposed is the introduction of specific safeguards and sanctions to counter doxing, including conferring on the Privacy Commissioner statutory powers to require the removal of doxing content from social media platforms or websites, as well as carrying out criminal investigations and prosecutions.

What’s next?

Although there is currently no clear timeline for the proposed changes (improvements) to become law, it’s safe to say that Hong Kong’s existing personal data protection / privacy laws lag some way behind international standards, and are really only paper tigers in the fight to protect personal data in the digital age. There may still be further amendments coming to the PDPO, but we expect Hong Kong’s Legislative Council to give a big nod to (and cut & paste) provisions of the European Union’s much more comprehensive and digital age-appropriate General Data Protection Regulation (GDPR).

Well-publicised recent doxing incidents should be a reminder of just how easily and quickly personal data can be leaked and misused. With an innumerable range of postings on never-ending social media platforms just a single click away, Hong Kong businesses should prepare in good time, before these changes to the PDPO are introduced, by putting in place effective compliance policies, procedures and staff training. This will help them identify any weaknesses in their existing data protection protocols, and enable them to address (almost inevitable) data breaches quickly and effectively so as to minimise both business and reputational risk.

The creation and effective implementation of a bespoke data retention policy should mean that your Hong Kong business is ahead of the curve and ready to protect the data of all its employees, customers, suppliers and stakeholders.

For additional information on this Room 228 Newsletter, log onto the website of the Office of the Privacy Commissioner for Personal Data at


Please contact Kevin at or Sophia at if you have any questions about this Room 228 Newsletter.

This Newsletter is not intended to be and should not be relied on as legal advice. You should seek professional legal advice before taking any action in relation to the subject-matter of this Newsletter.