Data & Privacy - Hong Kong
Hong Kong has a comprehensive, technology-neutral data-protection law, the Personal Data (Privacy) Ordinance (Cap. 486), in force since 1996 and pre-dating the GDPR. It is built on six Data Protection Principles covering the full data lifecycle and is enforced by an independent statutory regulator, the Privacy Commissioner for Personal Data. The regime was strengthened by 2012 (direct-marketing) and 2021 (anti-doxxing) amendments, and a further package—including mandatory breach notification and administrative fines—is under active review but not yet enacted.
The PDPO (Cap. 486), in operation since December 1996, is a cross-sector law applying to any 'data user' that collects, holds, processes or uses personal data, structured around six Data Protection Principles in Schedule 1 (collection, accuracy/retention, use, security, transparency, and data access/correction).
The Office of the Privacy Commissioner for Personal Data (PCPD), established under s.5(1) of the Ordinance, is an independent statutory body that investigates complaints, issues enforcement notices, publishes codes of practice and promotes compliance.
Individuals have rights of access to and correction of their personal data, and may require a data user to cease using their data for direct marketing; the 2012 amendment (direct-marketing provisions in operation from 1 April 2013) added an explicit regime requiring notification and consent before personal data are used in direct marketing, with a right to opt out at any time.
Amendments effective 8 October 2021 criminalised doxxing in a two-tier structure (up to HK$1,000,000 fine and 5 years' imprisonment on indictment) and gave the Commissioner powers to conduct criminal investigations, prosecute, and issue cessation notices—including to non-Hong Kong platform operators.
Section 33, intended to restrict transfers of personal data outside Hong Kong absent adequacy or contractual safeguards, has never been brought into operation; there are currently no statutory cross-border transfer restrictions, only voluntary PCPD best-practice guidance (including recommended model contractual clauses). The Data Protection Principles nevertheless continue to apply to data transferred overseas, so a data user remains responsible under DPP4 for the security of data held by an offshore processor.
Following a comprehensive review, the government and PCPD have proposed enhancements—mandatory data-breach notification, data-retention policy requirements, administrative fines, and direct regulation of data processors. These were debated in LegCo in July 2025 but, as of May 2026, remain proposals rather than enacted law.
Machine-assisted translation · verified 5/23/2026 · orientation, not legal advice.