PCPD e-Newsletter

A conversation with Ms Barbara Li from Norton Rose Fulbright on recent development of personal data privacy Law in the mainland of China

China’s cybersecurity regime is structurally diverse and its landscape is ever-changing. Owing to the multiplicity of regulations on the protection of personal information in the mainland of China, enterprises looking for business ventures in this emerging market are encountering compliance challenges. One of the recent regulations is the Multi-Level Protection Scheme (MLPS, 網路安全等級保護制度) issued by the Ministry of Public Security in May 2019, which became effective on 1st December 2019. This regulation applies not only to IT networks but also extends to Big Data, IoT, Cloud, Apps and others.

As the second episode of this special interview series, the editor of PCPD e-Newsletter talked with Ms Barbara Li, Partner of Norton Rose Fulbright, Beijing, who will share with us her perspective on the development of personal data privacy law in the mainland of China and its impacts on innovation and technology.

E: Editor of PCPD e-Newsletter
Barbara: Ms Barbara Li, Partner of Norton Rose Fulbright, Beijing

E: How would you describe the development of personal data privacy law in the mainland of China?

Barbara: China did not have a comprehensive personal data privacy law before the Cybersecurity Law. There were some general privacy provisions scattered in several administrative rules or policies and the issuance of the Cybersecurity Law turned a new chapter for the protection of personal data in China. The Cybersecurity Law is the first piece of legislation at national law level to impose legal requirements on network operators in relation to the collection and use of personal data. After the Cybersecurity Law came into effect on 1 June 2017, there have been a number of new laws, implementation regulations, specifications and industry standards, including draft rules which aim to further strengthen the protection of personal privacy in China.

E: We have witnessed ample developments of innovation and technology in the mainland of China, especially in Artificial Intelligence and high-speed mobile data applications. How should the authority strike a balance between technological advancement and protection of personal data privacy?

Barbara: China is a world leader in the deployment of emerging technologies such as face recognition, AI, IoT and big data in a wide range of industry sectors. The innovation and technology has brought about huge opportunities in developing new business models and creating new ecosystems, but at the same time it has given rise to new challenges in the areas of cybersecurity and personal privacy. The regulators in mainland China have made huge efforts to establish a middle ground between business interests and data protection. For example, the local governments in Beijing and Shanghai have recently launched the open data initiative. This is aimed at helping businesses to make use of open data to address big city problems such as pollution and traffic congestion. Meanwhile, businesses are being urged to adopt strict measures to ensure that the collection, use, processing and transfer of personal data complies with legal requirements to avoid abuse of personal data. Failure to comply with those requirements is sanctioned.

E: How could Hong Kong contribute to the development of further enhancement of legislation on personal data privacy in the mainland of China?

Barbara: With data protection being a global trend, regulators in mainland China are keeping close watch on data privacy regulatory developments around the world, including those in Hong Kong. Hong Kong was one of the first jurisdictions in Asia to introduce a data privacy law by promulgating the Personal Data (Privacy) Ordinance in 1996. Regulators and businesses in Hong Kong are therefore thought to possess much experience and expertise which Hong Kong can share with the mainland to help it augment and improve personal data protection and compliance.


Interviews with other experts on the subject will follow in this new series. Please stay tuned.

To review the first episode of “Special Interview Series” - A conversation with the Privacy Commissioner on regulations and laws on personal information protection in the mainland of China:

Click here



Professional Workshop - Data Protection and Data Access Request (16 January 2020)

A Data Access Request (DAR) can arise in many situations. To name but a few: job applicants ask for recruitment documents relating to their unsuccessful applications; employees request previous appraisal reports; patients request their medical records. Dealing properly and effectively with a DAR is a challenge for many organisations, as there are stringent requirements for compliance with a DAR under the Personal Data (Privacy) Ordinance. This workshop will examine those requirements in detail and offer guidance to participants on the handling of DARs. Your questions will be answered during the workshop.

Key takeaways:

- What is DAR
- How to make a DAR
- What should a data user do in order to comply with a DAR
- Charges for a DAR
- Consequences of breach of the DAR provisions
- Data Ethics

Enrol now!



Introduction to the Personal Data (Privacy) Ordinance Seminar
Jan - Jun 2020 seminars are now open for enrolment!

To raise public awareness and understanding of the Personal Data (Privacy) Ordinance, the PCPD organises introductory seminars on the Ordinance regularly. These seminars can familiarise you with the key elements of the Ordinance, in particular your obligations as data users and your rights as data subjects.

- A general introduction to the Personal Data (Privacy) Ordinance
- The six data protection principles
- Direct marketing
- Offences & compensation

Enrol now!

Placing Conspicuous CCTV Surveillance Notice to Protect Personal Data

PCPD has recently designed a sticker notice listing the essential information that should be conveyed to persons under surveillance. Organisations which operate CCTV systems may fill in the relevant information on the notice and stick it at the entrance to the area under surveillance and inside the area under surveillance.

If you would like to get copies of the sticker notice, please email your name and address to PCPD will send the sticker notice to you by post. Click here to read the Personal Data Collection Statement. The sticker notices are available while stock lasts.

You may also download and print it yourself by clicking here.

Introduction to the Regulations in the Mainland of China Concerning Personal Information Involved in Civil and Commercial Affairs

A booklet entitled “Introduction to the Regulations in the Mainland of China Concerning Personal Information Involved in Civil and Commercial Affairs” (Chinese only) was published on 11 December 2019. PCPD hopes that organisations and enterprises having connections or business relationships with the mainland of China would benefit from the booklet, which helps them master relevant laws and regulations and understand the major updates when developing and applying big data, cloud computing, artificial intelligence and other technologies.

Read booklet (Chinese version only)

Privacy Commissioner Provides Updates on Doxxing and Cyberbullying: Reiterating Criminal and Social Liability of Doxxers and Assisting Platforms (23 December 2019)

Read media statement

New Membership of Standing Committee on Technological Development (19 December 2019)

Read media statement

Biggest data breaches of 2019: Same mistakes, different year [cnet]

The words "unsecured database" seemed to run on repeat through security journalism in 2019. Every month, another company was asking its customers to change their passwords and report any damage.

Read more

Trends In Information Technology, Privacy And Cybersecurity For The Next Decade [Forbes]

It is believed that the required skill sets for a successful IT professional will increase. Meanwhile, Privacy is gaining importance and is more than regulation, but most companies are not ready for it. Last but not least, Cybersecurity must become one of the top five risks for any organisation.

Read more

62% of breached data came from financial services in 2019 [CIO DIVE]

While contributing more than 60% of exposed data this year, the financial services industry only accounted for 6.5% of data breaches. The industry has the second-highest cost per breached record, behind healthcare. In financial services, an average breach costs $210 per record, while in healthcare a breach can cost $429 per compromised record.

Read more

Hong Kong Lawyer December 2019 issue: Privacy Risks of Cloud Computing - by Mr Stephen Wong, Privacy Commissioner for Personal Data, Hong Kong

Cloud computing is becoming part of our life. Personal data privacy concerns for corporations in the use of cloud computing are largely related to the lack of control over the retention and security of personal data entrusted to the Cloud Services Provider. A corporation using cloud services should adopt some practical tips to manage its responsibility under the Personal Data (Privacy) Ordinance.

Read the article

Q. Can property managers record Hong Kong Identity Card numbers of visitors for security reasons?

A: Collection of HKID Card numbers should be resorted to only after alternative means of verification are duly considered. The property manager should, wherever practicable, give the visitor the option to adopt other less privacy-intrusive alternatives.

Q. Since CCTV may capture extensive images of individuals, how should it be properly controlled to avoid intrusion into the privacy of individuals?

A: People should be explicitly informed that they are subject to CCTV surveillance. An effective way is to post conspicuous notices at the entrance to the monitored area and affix further notices inside the area as reinforcement. The notices should contain details of the data user operating the CCTV system, the specific purpose of surveillance and the person with whom matters relating to personal data privacy issues can be raised.

Extended Reading:
Facebook Post- Five Tips to be a smart property manager [Chinese Only]
Guidance on Property Management Practices

Data Protection Principle 2 (DPP2) – Accuracy and duration of retention of personal data

An insurance company issued a letter to an invalid address reported by the customer

The Complaint

The complainant was a customer of an insurance company. He was dissatisfied that after he had made a change of address request to the company, the insurance company still issued a letter to his invalid address to confirm the said request.


The insurance company stated that it was its usual practice to confirm customers’ change of address requests by sending letters to both the new and former addresses. Such practice was designed for fraud prevention, and avoiding change of address requests being made by third parties without the knowledge of the customers.

After the PCPD’s intervention, the insurance company revised its practice. Whenever it received address update requests, instead of using the former addresses, the insurance company would contact the customers by other means, such as SMS to confirm the requests. Besides, the insurance company undertook not to issue any letter to the complainant’s former address.

Extended Reading:
PCPD 2018-2019 Annual Report

Lessons learnt from cases handled by the PCPD

If you would like to find out more about the Commissioner's views on the application of the Ordinance in different situations, you may visit the ‘Case Notes’ page of the PCPD website.

It is an easy-to-navigate data bank of summaries of different complaint/enquiry cases handled by the PCPD. To suit your need or interest, you can search for cases by provisions of the Ordinance, Data Protection Principles, or topics, etc.

Learn more

PCPD Youtube Channel- Think Privacy! Be Smart Online

You can find a series of educational videos and animations here promoting awareness of data privacy protection.

Learn more

For enquiry, please contact us.
Address: Room 1303, 13/F, Sunlight Tower, 248 Queen's Road East, Wan Chai, Hong Kong
Tel: (852) 2877 7179



The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.