Your editorial, “Breaches reveal worrying gaps in Hong Kong’s data defences” (April 10), rightly warns that data security failures threaten Hong Kong’s innovation hub ambitions. Recent incidents include the data leak involving more than 56,000 patients served by the Hospital Authority and a breach affecting 6,800 staff of the Correctional Services Department. In 2025, there was a 21 per cent rise in data breach cases recorded by the Office of the Privacy Commissioner for Personal Data compared to the previous year, with hacking being the primary cause.
All this points to a system under real strain. However, the editorial doesn’t touch on a core issue. Hong Kong still lacks a mandatory data breach notification law. Currently, organisations are only advised, not required, to report leaks to the privacy commissioner. There is no penalty for silence and no legal duty to tell victims.
The solution is proven. Australia saw breach notifications surge in the first year of its mandatory reporting regime, with notification costs just a small fraction of a breach’s total cost.
Hong Kong itself has shown that mandatory rules work. The city introduced its anti-doxxing law in 2021. Since 2023-24, the number of cases has fallen sharply. Proactive patrols have uncovered far fewer doxxing cases.
This matters beyond privacy. The nation’s 15th five-year plan commits to supporting Hong Kong in building an international hub for innovation and technology. Yet mainland China’s Personal Information Protection Law, the European Union’s General Data Protection Regulation and Singapore’s Personal Data Protection Act all mandate breach reporting. Hong Kong relies on a form and a hope.