What is the Hong Kong data breach law being revived?

Hong Kong’s privacy regulator plans to consult lawmakers on reviving PDPO amendments that would mandate data breach reporting and add administrative fines, potentially in phases. Details like reporting thresholds, deadlines, and fine levels are pending consultation. Companies should expect faster notice to authorities and affected users, plus stronger documentation of incident response and security controls.

Who will be in scope of the proposed changes?

Any organization that handles Hong Kong personal data is likely to be in scope, including US multinationals, regional subsidiaries, cloud providers, and processors supporting Hong Kong users. Sector-specific exemptions have not been outlined. Firms should assess data flows, processor roles, and contracts to prepare for PDPO amendments and mandatory breach reporting requirements.

What penalties could apply under the amendments?

The plan includes administrative fines, with exact caps and calculation methods to be defined during the legislative process. Companies should expect closer oversight of breach management, record-keeping, and safeguards. Well-documented security programs and timely reporting typically mitigate risk. Monitor consultation papers for final numbers, grace periods, and any sector-based adjustments.

How should US companies prepare in 2026?

Start a 90-day program: map personal data and transfers, test incident detection and triage, draft notification templates, and rehearse with legal counsel. Update vendor contracts for breach timing and audit rights. Standardize evidence retention and metrics. Align global controls to Hong Kong data protection needs so you can act quickly when deadlines and thresholds are finalized.

Law and Government

February 07: Hong Kong Revives Mandatory Data Breach Reporting Plan

ByHuzaifa Zahoor February 8, 2026February 8, 2026

Hong Kong data breach law is back on the agenda, with the privacy regulator set to consult lawmakers on reviving PDPO amendments that would mandate breach reporting and introduce administrative fines, possibly in phases. For US companies with Hong Kong operations, this raises near-term compliance and penalty risk. We break down likely changes, sector exposure, and a simple playbook to prepare. The move aligns Hong Kong data protection with global norms and could influence cybersecurity budgets, vendor oversight, and disclosure practices in 2026.