On 19 March 2025, Hong Kong’s Legislative Council enacted the Protection of Critical Infrastructures (Computer Systems) Bill, which was gazetted as the Protection of Critical Infrastructures (Computer Systems) Ordinance (Cap. 653) on 28 March 2025. The Ordinance, which is set to take effect on 1 January 2026, aims to enhance cybersecurity standards in relation to the providers of essential services in eight sectors deemed crucial to the normal functioning of the society, namely energy, information technology, banking and financial services, air transport, land transport, maritime transport, healthcare services, and telecommunications and broadcasting services, as well as critical societal or economic activities (such as those managing major sports and performance venues, as well as research and development parks) in Hong Kong.

The Hong Kong Government has published on 6 December 2024 a draft of the Protection of Critical Infrastructures (Computer Systems) Bill (“Bill”), marking a significant step towards enhancing cybersecurity standards in relation to essential services and critical societal or economic activities in Hong Kong. This Bill aims to protect the security of the critical computer systems (CCSs) of critical infrastructures (CIs), to regulate operators of CIs (i.e., critical infrastructure operators (CIOs)) and to provide for the investigation into, and response to, computer-system security threats and incidents.

While this article was published, the Security Bureau of the Hong Kong Government announced that the Protection of Critical Infrastructure (Computer System) Bill will be gazetted on Friday, 6 December 2024, and will be introduced into the Legislative Council for First Reading and Second Reading on 11 December 2024. We will provide an update on further developments.

On 25 June 2024, the Government proposed to enact a new piece of cybersecurity legislation, tentatively entitled the Protection of Critical Infrastructure (Computer System) Bill, to enhance the protection of computer systems of critical infrastructures (CIs). On 2 July 2024, the proposed legislative framework was tabled to the Legislative Council Panel on Security for consultation. The proposed legislation would require CI operators to fulfill certain statutory obligations and take appropriate measures to strengthen the security of their critical computer systems and minimize the chance of essential services being disrupted or compromised due to cyberattacks.

On 25 June 2024, the Government proposed to enact a new piece of cybersecurity legislation, tentatively entitled the Protection of Critical Infrastructure (Computer System) Bill, to enhance the protection of computer systems of critical infrastructures (CIs). On 2 July 2024, the proposed legislative framework was tabled to the Legislative Council Panel on Security for consultation. The proposed legislation would require CI operators to fulfill certain statutory obligations and take appropriate measures to strengthen the security of their critical computer systems and minimize the chance of essential services being disrupted or compromised due to cyberattacks. It is proposed that a new Commissioner’s Office is to be established under the Government’s Security Bureau for the implementation of the proposed legislation.

On 11 June 2024, the Office of Privacy Commissioner for Personal Data published the “Artificial Intelligence: Model Personal Data Protection Framework” (“AI Framework”). The AI Framework aims to provide practical recommendations for organizations in their adoption of third-party AI systems to comply with the Personal Data (Privacy) Ordinance.

Regulatory measures came into force at the end of 2023 to facilitate cross-border transfers of personal data between Guangdong Province (“Guangdong”) and Hong Kong (“GBA Measures”). The recent relaxation of the cross-border data transfer (CBDT) regime at a national level may make the GBA Measures less appealing to some companies in the Chinese Mainland (“China” in this article, for the sake of brevity), but the GBA Measures will still be useful to companies which operate in Hong Kong and Guangdong that need to transfer sensitive personal data or large volumes of personal data across the Greater Bay Area, such as those in the healthcare and financial sectors, or those with a large base of data subjects in Guangdong and a regional office in Hong Kong that conduct cross-border transfers of personal data (e.g., customer data) on a regular basis.

The introduction of the Standard Contract for the Cross-boundary Flow of Personal Information within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong) (comprising a set of standard contractual clauses, GBA SCC), together with its Implementation Guidelines marks a significant milestone in facilitating cross-border data flows between major cities in Guangdong province and Hong Kong, key cities in the Greater Bay Area (GBA). It provides an alternative to the existing requirements under the Personal Information Protection Law of the PRC to use one of three methods for transferring personal data outside of mainland China, namely by use of China standard contractual clauses (China SCC), obtaining certification from professional institutions and, if certain types of data are to be transferred or data quantity thresholds are met, submitting to a government-led security assessment review.

In June 2023, the Office of the Privacy Commissioner for Personal Data issued an updated Guidance on Data Breach Handling and Data Breach Notifications (“Guidance”). The Guidance updates a non-binding, end-to-end framework for data users to tackle data breaches, including recommended elements that go into a data breach response plan, questions that need to be addressed in the course of investigating a data breach incident, how to make a data breach notification and tips for preventing recurrence of data breaches.

In recent months, generative artificial intelligence has taken the world by storm.  Following plans to offer generative AI products announced by Chinese companies, the Cyberspace Administration of China released on 11 April 2023 the Measures for the Management of Generative Artificial Intelligence Services for public consultation. Following the consultation period, the interim measures were published on 13 July and take effect on 15 August.