Mandatory breach reporting will increase corporate accountability and align Hong Kong with global data‑privacy standards, influencing both local firms and multinational investors.
Hong Kong’s privacy framework has evolved dramatically since the 2017 “Apology Ordinance,” moving from basic consent rules toward a more robust data‑protection regime. Recent global incidents—from ransomware attacks in Europe to supply‑chain breaches in Asia—have pressured regulators worldwide to tighten disclosure obligations. By revisiting mandatory breach reporting, Hong Kong aims to close a regulatory gap that has left companies without clear incentives to disclose incidents promptly, thereby enhancing consumer trust and aligning the city with best‑practice jurisdictions such as the EU’s GDPR and Singapore’s PDPA.
The proposed amendment to the Personal Data (Privacy) Ordinance would require firms to notify the privacy commissioner within a defined timeframe after a breach, and to inform affected individuals when risks are significant. Penalties could range from fines to operational restrictions, but the government emphasizes a phased rollout to avoid stifling the vibrant business ecosystem. Lawmakers will receive detailed recommendations later this year, allowing stakeholders to weigh compliance costs against the benefits of heightened transparency. This consultative approach reflects lessons learned from the 2024 postponement, where concerns about competitive disadvantage halted progress.
For enterprises operating in Hong Kong, the revival of breach‑reporting mandates signals a shift toward greater accountability. Companies will need to invest in incident‑response capabilities, conduct regular risk assessments, and embed privacy‑by‑design principles into product development. Multinational firms may view the change as a positive step toward regulatory harmonisation, simplifying cross‑border compliance. However, smaller businesses could face resource strains, making the phased implementation crucial. Overall, the move positions Hong Kong as a more secure data hub, potentially attracting firms that prioritise robust privacy safeguards.