Skip to content

Media Statements

Media Statement

Date:12 June 2020

The Second Anniversary of the GDPR Implementation
The Privacy Commissioner Revised the Booklet “European Union General Data Protection Regulation 2016”

The Privacy Commissioner for Personal Data, Hong Kong (PCPD) updated the booklet “European Union General Data Protection Regulation 2016”, taking stock of the implementation of the General Data Protection Regulation (GDPR) and the related cases, to assist organisations and businesses to better understand the implementation of the GDPR.  The revised booklet (“An Update on European Union General Data Protection Regulation 2016”) is a “2.0 version” of the 2018 issue.
The PCPD, Mr Stephen Kai-yi WONG, said, “Since the implementation of the GDPR in 2018, there has been a surge of data protection complaints in the European Union (EU) in the past two years.  My office also received over 280 GDPR enquiries from the public and a few GDPR-related complaints made by EU individuals against Hong Kong organisations during the same period, despite the fact that we have no jurisdiction over those complaint cases.  Hong Kong organisations and businesses with operations or businesses in the EU must remain vigilant about the heightened public expectation on data protection there.”
The PCPD added, “There have been cases of GDPR violations imposed with fines over the past two years and we should expect that more fines will be imposed in future.  So far the enforcement actions under the GDPR have mostly been taken against organisations and businesses with permanent establishments in the EU.  Nonetheless, Hong Kong organisations and businesses should not be lax in compliance if they fall within the jurisdiction of the law, even if they do not have a physical presence in the EU as the regulators may soon test their extra-territorial powers.”
“Despite the fact that the GDPR has been effective for two years and a number of guidelines have been issued, some teething problems persist. For example, some comments relate to the threshold of data breach notification being ambiguous and low.  Others relate to the fact that there does not exist guideline for administering administrative fines applicable across the EU.  That said, the GDPR has triggered a new round of legislative reforms around the world.  In the mainland, the Personal Information Security Specification is widely considered as a regulatory response to the GDPR.  In Hong Kong, we also made reference to the GDPR when reviewing the Personal Data (Privacy) Ordinance (Chapter 486 of the Laws of Hong Kong).  Convergence or defragmentation in data protection laws and standards on a global scale towards the higher water mark and putting individuals in better control of their personal data are gathering momentum.”
The major enhancements in this “2.0 version” of the booklet include an overview of the implementation of the GDPR in the past two years, with related guidelines explained and concrete examples drawn from official sources (i.e. the European Commission, European Data Protection Board and EU supervisory authorities) and significant sanction cases on GDPR quoted. 
The booklet “An Update on European Union General Data Protection Regulation 2016” can be downloaded from PCPD website. Print copies of the booklet will also be available after 22 June 2020. 
The GDPR has set a new high-water mark when it became effective on 25 May 2018.  Notable reforms brought by the GDPR include new and enhanced rights of individuals, accountability requirements on data controllers, sanctioning power of supervisory authorities and the extra-territorial application of the law.  Given the close economic ties between Hong Kong and the EU, the PDPC first published the booklet “European Union General Data Protection Regulation 2016” in March 2018 to enhance understanding and raise awareness of all stakeholders in Hong Kong on the law and its possible impact. 

Booklet: An Update on European Union General Data Protection Regulation 2016 (Effective 25 May 2018)