The latest data privacy developments in Hong Kong deliver important reminders to businesses—from stricter cloud compliance, to costly breaches, to post-M&A data-sharing risks. This update highlights recent regulatory developments, real-life incidents, and actionable steps to strengthen your privacy safeguards, and offers insights and recommendations for an increasingly complex digital landscape.
Privacy Commissioner Updates Cloud Computing Guidance
The Privacy Commissioner for Personal Data (PCPD) issued updated Guidance on Cloud Computing in January 2025, reinforcing stringent obligations for businesses under Hong Kong’s Personal Data (Privacy) Ordinance (PDPO). Organizations using cloud services—whether private, public, SaaS, IaaS, or PaaS—remain legally accountable for data protection, even if breaches originate from third-party providers. Key recommendations in the guideline include encrypting data (both at rest and in transit), enforcing multi-factor authentication, auditing subcontractors’ security practices, and negotiating enhanced contractual protections beyond standard vendor terms. The Guidance also stresses the importance of detailed access logging, monitoring, and secure data erasure or return upon contract termination.
Notably, cross-border data transfers—common in cloud environments—require careful adherence to PDPO principles, including clear notifications to data subjects. Default cloud contracts often favour providers, leaving businesses exposed to breaches, regulatory penalties, and reputational harm if due diligence is neglected.
It is important to mitigate these risks by carefully reviewing cloud agreements, ensuring cross-border compliance, and implementing technical and legal safeguards. For full details of the Guidance, visit PCPD’s website.
Recent Data Breach Incidents
With data breach incidents on the rise, a number of recently reported data breaches—including those affecting ImagineX Management Company Limited, Oxfam Hong Kong, and an international fashion chain—highlight critical vulnerabilities to which many businesses may be susceptible. Common failures across these cases include outdated systems, lack of multi-factor authentication, delayed security patches, inadequate monitoring, and excessive data retention, leading to ransomware attacks, unauthorized access, and large-scale data exposure.
These incidents emphasize the critical need for taking proactive steps in cybersecurity, such as regular system audits, timely software updates, strict access controls, and robust data retention policies.
Businesses should identify vulnerabilities, implement compliance frameworks, conduct regular security risk assessments and staff training, and draft enforceable data protection policies and contractual terms with third-party service providers, both to prevent breaches and to allocate responsibility and liability. Businesses should also have a comprehensive data breach response plan in place in case a breach occurs.
Data Sharing Risks After Mergers & Acquisitions
A recent ruling of the Administrative Appeal Board (AAB) highlights the legal risks of cross-brand data sharing within corporate groups, particularly after mergers or acquisitions. The AAB found that pre-acquisition customer data should not be freely accessed by other brands in the group without notifying, or obtaining consent from, existing clients whose data was collected prior to the acquisition, even if they are under the same parent company.
Businesses should notify data subjects, at the time of data collection, that their data may be shared amongst, or used by, other group companies, and of the purposes of such use. If the other group companies may use the data for direct marketing, customer consent must be obtained for such use, or for any transfer of that data for direct marketing purposes. If this has not been done, businesses must ensure that legacy data remains restricted to its original purpose, unless they are able to obtain customers’ specific consent to the use of their data for a new purpose or for any direct marketing. A breach of the direct marketing requirements amounts to a criminal offence.
To mitigate these risks, businesses should conduct a compliance review to audit data flows, update consent mechanisms for pre-acquisition customers (including drafting tailored consent frameworks), implement strict access controls (e.g., role-based restrictions) in integrated systems, and consider technical safeguards to prevent unauthorized data sharing.
Want to know more?
Deacons has substantial experience in assisting clients with all aspects of data security compliance and implementation, including training, the review and preparation of personal data collection statements, obtaining appropriate consents for direct marketing, and advising on overall strategy and obtaining consents for data transfer after a sale or merger of businesses. We have also successfully assisted many clients in handling data breaches in the most effective way to minimize damage and liability. Please feel free to reach out to us should you require more information or assistance.
For further information, please contact:
Eliza Siew, Deacons
eliza.siew@deacons.com