Data protection & privacy laws in Hong Kong (2026)
Hong Kong has a comprehensive, technology-neutral data-protection law, the Personal Data (Privacy) Ordinance (Cap. 486), in force since 1996 and pre-dating the GDPR. It is built on six Data Protection Principles covering the full data lifecycle and is enforced by an independent statutory regulator, the Privacy Commissioner for Personal Data. The regime was strengthened by 2012 (direct-marketing) and 2021 (anti-doxxing) amendments, and a further package—including mandatory breach notification and administrative fines—is under active review but not yet enacted.
Key points
The PDPO (Cap. 486), in operation since December 1996, is a cross-sector law applying to any 'data user' that collects, holds, processes or uses personal data, structured around six Data Protection Principles in Schedule 1 (collection, accuracy/retention, use, security, transparency, and data access/correction).
The Office of the Privacy Commissioner for Personal Data (PCPD), established under s.5(1) of the Ordinance, is an independent statutory body that investigates complaints, issues enforcement notices, publishes codes of practice and promotes compliance.
Individuals have rights of access to and correction of their personal data, and may require a data user to cease using their data for direct marketing; the 2012 amendment added an explicit opt-out/consent regime for direct marketing.
Amendments effective 8 October 2021 criminalised doxxing in a two-tier structure (up to HK$1,000,000 fine and 5 years' imprisonment on indictment) and gave the Commissioner powers to conduct criminal investigations, prosecute, and issue cessation notices—including to non-Hong Kong platform operators.
Section 33, intended to restrict transfers of personal data outside Hong Kong absent adequacy safeguards, has never been brought into operation; there are currently no statutory cross-border restrictions, only voluntary PCPD best-practice guidance.
Following a comprehensive review, the government and PCPD have proposed enhancements—mandatory data-breach notification, data-retention policy requirements, administrative fines, and direct regulation of data processors. These were debated in LegCo in July 2025 but, as of May 2026, remain proposals rather than enacted law.
Timeline - major decisions & events
The Privacy Commissioner published a checklist to help organisations craft internal policies governing staff use of generative AI tools in compliance with the PDPO, extending its AI governance push to the workplace. (Source: PCPD)
An investigation into a ransomware attack exposing the personal data of about 550,000 individuals led to an enforcement notice against Oxfam Hong Kong; the office also reported a near-30% rise in breach notifications (203 in 2024). (Source: PCPD)
Proposed amendments under discussion would add a mandatory data-breach notification mechanism, data-retention policy requirements, and a power for the PCPD to levy administrative fines, the most significant overhaul since 2021, expected to phase in toward 2026. (Source: Chambers and Partners)
Hong Kong's first comprehensive AI-specific guidance set out a risk-based framework (three core values, seven ethical principles) for procuring, implementing and using AI, including generative AI, under the PDPO. (Source: PCPD)
Amendments criminalised non-consensual disclosure of personal data (doxxing) via a two-tier offence (up to 5 years' imprisonment and a HK$1,000,000 fine on indictment), and empowered the Commissioner to conduct criminal investigations, prosecute, and issue cessation notices to local and overseas platforms. (Source: PCPD)
Following a 2018 breach exposing the data of about 9.4 million passengers, the Commissioner found Cathay Pacific in breach of the data-security and data-retention principles and ordered system overhauls, multi-factor authentication, and erasure of unnecessary ID data. (Source: PCPD)
Major amendments took effect adding strict consent/opt-out rules and criminal penalties for misuse of personal data in direct marketing, plus enhanced enforcement powers and a legal assistance scheme, prompted largely by the Octopus scandal. (Source: HK e-Legislation)
The Commissioner found Octopus had sold the personal data of nearly 2 million cardholders for about HK$44m and collected excessive data, breaching the data-protection principles; the scandal triggered the CEO's resignation and the 2012 law reform. (Source: PCPD)
The Ordinance's main provisions and six Data Protection Principles took effect, with the Office of the Privacy Commissioner for Personal Data (established August 1996) as the independent regulator under the first Commissioner, Stephen Lau. (Source: PCPD)
Last verified 5/23/2026 · Orientation, not legal advice. Verify against the primary sources cited above.