On 25 June 2024, the Government proposed to enact a new piece of cybersecurity legislation, tentatively entitled the Protection of Critical Infrastructure (Computer System) Bill, to enhance the protection of computer systems of critical infrastructures (CIs). On 2 July 2024, the proposed legislative framework was tabled to the Legislative Council Panel on Security for consultation. The proposed legislation would require CI operators to fulfill certain statutory obligations and take appropriate measures to strengthen the security of their critical computer systems and minimize the chance of essential services being disrupted or compromised due to cyberattacks.
On 25 June 2024, the Government proposed to enact a new piece of cybersecurity legislation, tentatively entitled the Protection of Critical Infrastructure (Computer System) Bill, to enhance the protection of computer systems of critical infrastructures (CIs). On 2 July 2024, the proposed legislative framework was tabled to the Legislative Council Panel on Security for consultation. The proposed legislation would require CI operators to fulfill certain statutory obligations and take appropriate measures to strengthen the security of their critical computer systems and minimize the chance of essential services being disrupted or compromised due to cyberattacks. It is proposed that a new Commissioner’s Office is to be established under the Government’s Security Bureau for the implementation of the proposed legislation.
On 11 June 2024, the Office of Privacy Commissioner for Personal Data published the “Artificial Intelligence: Model Personal Data Protection Framework” (“AI Framework”). The AI Framework aims to provide practical recommendations for organizations in their adoption of third-party AI systems to comply with the Personal Data (Privacy) Ordinance.
Regulatory measures came into force at the end of 2023 to facilitate cross-border transfers of personal data between Guangdong Province (“Guangdong”) and Hong Kong (“GBA Measures”). The recent relaxation of the cross-border data transfer (CBDT) regime at a national level may make the GBA Measures less appealing to some companies in the Chinese Mainland (“China” in this article, for the sake of brevity), but the GBA Measures will still be useful to companies which operate in Hong Kong and Guangdong that need to transfer sensitive personal data or large volumes of personal data across the Greater Bay Area, such as those in the healthcare and financial sectors, or those with a large base of data subjects in Guangdong and a regional office in Hong Kong that conduct cross-border transfers of personal data (e.g., customer data) on a regular basis.
Hong Kong’s data privacy law, the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO), has been amended to introduce “anti-doxxing” provisions. The new regime creates offences to curb doxxing acts, and empowers the Privacy Commissioner for Personal Data (“Commissioner”) to carry out criminal investigations, institute prosecutions and issue cessation notices. The changes came into effect on 8 October 2021.
Hong Kong’s data privacy law, the Personal Data (Privacy) Ordinance, has been amended to introduce “anti-doxxing” provisions. The new regime creates offences to curb doxxing acts, and empowers the Privacy Commissioner for Personal Data to carry out criminal investigations, institute prosecutions and issue cessation notices. The changes came into effect on 8 October 2021. The Commissioner made its first arrest under the doxxing regime on 13 December 2021.