Hong Kong’s data breach notification framework - inadequacies and corrective actions required

Research output: Journal Publications and Reviews (RGC: 21, 22, 62); 21_Publication in refereed journal; peer-review

Original language: English
Pages (from-to): 69-96
Journal / Publication: Asia Pacific Law Review
Issue number: 1
Online published: 15 Oct 2020
Publication status: Published - 2020


Data breaches resulting from information security failures continue to be a matter of pressing concern. Given the increasing number of compromised data security incidents globally, data breach notification has emerged as an issue of increasing urgency. In response, breach notification laws have been enacted to ensure individuals are appropriately informed when their personal identifiable information has been compromised, so as to enable affected individuals to mitigate any harm so arising. Mandatory data breach notification laws are an important development in this regard. Such laws mandate that an organization that has suffered a data breach involving personal identifiable information shall notify affected individuals and, in some cases, regulators. This article argues that for Hong Kong to maintain its rightful place across international norms, as a modern, legally and commercially trustworthy and reliable jurisdiction, and at the same time continue to assure its citizens that the confidentiality of their personal identifiable information is secure, a mandatory approach to data breach notification needs to be implemented.

Research Area(s)

  • data breach, elements of data breach notification, critiques of notification law, deficiencies of Hong Kong existing framework