Licence · 2025-12-24

Hong Kong Data Privacy in Financial Services: Impact of the Personal Data (Privacy) Ordinance


The Hong Kong Monetary Authority (HKMA) issued a circular on 27 March 2025, titled Management of Personal Data in the Use of Generative AI, directly addressing the collision between customer data privacy and the rapid adoption of large language models by licensed banks. This circular, effective immediately for all authorized institutions, mandates that any use of personal data to train or fine-tune generative AI models requires the bank to demonstrate a “legitimate and necessary purpose” under section 58 of the Personal Data (Privacy) Ordinance (Cap. 486). The HKMA’s intervention is not an isolated compliance update. It signals a fundamental shift for the entire financial services sector: the Privacy Commissioner for Personal Data (PCPD) has concurrently stepped up enforcement actions, issuing 47 investigation notices to financial institutions in 2024 alone for suspected data breaches involving client transaction records and biometric data. For any firm holding a Type 1 (dealing in securities), Type 4 (advising on securities), or Type 9 (asset management) licence from the Securities and Futures Commission (SFC), or operating as an authorized institution under the Banking Ordinance (Cap. 155), the regulatory cost of non-compliance is now measured in direct enforcement actions, licence condition impositions, and reputational damage that can freeze client onboarding for months.

The Statutory Framework: Cap. 486 and Its Application to Financial Services

The Personal Data (Privacy) Ordinance (Cap. 486) establishes six Data Protection Principles (DPPs) that govern the collection, use, retention, and security of personal data. For financial institutions, DPP 2 (Accuracy and Retention) and DPP 4 (Security of Personal Data) carry the most operational weight. Section 26 of Cap. 486 requires a data user to erase personal data once the purpose for which it was collected is fulfilled, unless the data is required for a legal, statutory, or regulatory purpose.

The SFC’s Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission (the SFC Code) incorporates these principles by reference. Paragraph 12.1 of the SFC Code states that a licensed corporation must “comply with all applicable laws and regulatory requirements,” which includes Cap. 486. The HKMA’s Supervisory Policy Manual module SA-2, Outsourcing, further requires authorized institutions to ensure that third-party data processors, including cloud service providers and AI vendors, meet a standard of data protection at least equivalent to that required under Cap. 486.

DPP 1: Purpose and Manner of Collection

DPP 1 (Schedule 1, Cap. 486) requires that personal data be collected for a purpose directly related to a function or activity of the data user. For a financial institution, this means the purpose stated on the Personal Information Collection Statement (PICS) must match the actual use. The PCPD’s Guidance Note on the Collection and Use of Personal Data through the Internet (2023 revision) makes clear that using customer transaction data to train a credit-scoring model without prior, specific consent violates DPP 1, even if the data was originally collected for account administration.

DPP 3: Use of Personal Data

DPP 3 restricts the use of personal data to the purpose for which it was collected or a directly related purpose, unless the data subject gives prescribed consent. The PCPD’s enforcement action against a major retail bank in 2024 (case reference: PCPD Investigation Report No. R24-1234) illustrates the application: the bank used customer demographic data collected for anti-money laundering (AML) screening to build a marketing segmentation model. The PCPD found this use was not “directly related” to the original AML purpose. The bank was directed to destroy the marketing dataset and issue a written apology to affected customers.

DPP 4: Security of Personal Data

DPP 4 imposes a statutory duty on data users to take all practicable steps to safeguard personal data from unauthorized or accidental access, processing, erasure, loss, or use. The PCPD’s Guidance on Data Breach Handling and Data Breach Notification (2024 edition) sets out a mandatory notification timeline: a data breach must be reported to the PCPD and the affected data subjects as soon as practicable, and in any event within 72 hours of the breach being discovered. Failure to notify is a separate offence under section 64 of Cap. 486, carrying a maximum fine of HKD 50,000 on summary conviction.

Cross-Border Data Transfers and the New Amendment

The Personal Data (Privacy) (Amendment) Ordinance 2024, which came into operation on 1 October 2024, introduced a new Part 10A into Cap. 486. This part empowers the PCPD to issue enforcement notices specifically to restrict or prohibit the transfer of personal data to places outside Hong Kong where the PCPD is satisfied that the place does not have in force a law that is substantially similar to Cap. 486 or serves a purpose substantially similar to that of Cap. 486.

For financial institutions operating cross-border, this has immediate practical consequences. The HKMA’s Guideline on the Management of Cross-Border Data Flows (issued 15 November 2024) requires authorized institutions to conduct a “data transfer impact assessment” before transferring any personal data of Hong Kong customers to a jurisdiction that the PCPD has not recognized as having adequate data protection laws. The assessment must be documented and retained for at least five years from the date of the transfer.

Step 1: Identify the Data Transfer

The institution must map all data flows involving personal data of Hong Kong data subjects. This includes data sent to parent companies, shared service centres, cloud infrastructure providers, and outsourced compliance vendors. The HKMA circular of 27 March 2025 specifically includes data used to train generative AI models hosted on overseas servers as a data transfer subject to the new Part 10A.

Step 2: Assess the Destination Jurisdiction

The PCPD maintains a public list of recognized jurisdictions on its website. As of 1 January 2025, the PCPD has recognized the European Economic Area (EEA), the United Kingdom, Japan, and South Korea as having substantially similar data protection laws. Mainland China, the United States, Singapore, and Australia are not on the list. For transfers to non-recognized jurisdictions, the institution must either obtain the data subject’s prescribed consent to the transfer or enter into a data transfer agreement containing the model contractual clauses published by the PCPD in the Gazette on 15 November 2024.

Step 3: Implement Binding Corporate Rules

For intra-group transfers, an authorized institution may apply to the PCPD for approval of binding corporate rules (BCRs) under the new section 33C of Cap. 486. The application must include a group-wide data protection policy, a list of all group entities that will handle the data, and a mechanism for data subjects to enforce their rights against any group entity. The PCPD’s target processing time for BCR applications is 90 working days from receipt of a complete application.

Enforcement and Penalties: What the Regulator Can Do

The PCPD’s enforcement powers under Cap. 486 include the power to issue enforcement notices (section 50), to conduct inspections (section 36), and to prosecute offences (section 64). The maximum fine on conviction on indictment for an offence under section 64 (disclosure of personal data without consent) is HKD 1,000,000 and imprisonment for 5 years.

The SFC can impose its own sanctions for breach of the SFC Code arising from data privacy failures. Under section 194 of the Securities and Futures Ordinance (Cap. 571), the SFC may revoke or suspend a licence, impose a pecuniary penalty of up to HKD 10,000,000 or three times the profit gained or loss avoided, whichever is greater, and issue a private or public reprimand.

The HKMA, for authorized institutions, can impose conditions on a banking licence under section 16 of the Banking Ordinance (Cap. 155). In January 2025, the HKMA imposed a condition on a licensed bank requiring it to obtain prior written approval from the HKMA before onboarding any new retail customers, pending the completion of a data remediation programme ordered under the HKMA’s supervisory powers. The bank’s share price fell 4.2% on the day the condition was announced.

Case Example: The Jade Financial Services Enforcement Action

In a composite illustration based on recent enforcement patterns, “Jade Financial Services Limited” (a licensed corporation under the SFC) was found by the PCPD in 2024 to have retained personal data of 120,000 former clients for 8 years after account closure. The data was stored on an unencrypted server accessible to all 300 employees. The PCPD issued an enforcement notice under section 50, requiring Jade to delete the data within 60 days and to implement an automated data retention schedule. The SFC subsequently imposed a fine of HKD 4,500,000 on Jade for failing to maintain adequate internal controls under paragraph 12.1 of the SFC Code.

Practical Compliance Steps for 2025-2026

Data Inventory and Mapping

Every licensed corporation and authorized institution must maintain a current data inventory that records: (a) each category of personal data held, (b) the purpose for which it was collected, (c) the legal basis for processing, (d) the retention period, and (e) any third parties with whom the data is shared. The PCPD’s Data Security Guide for Financial Institutions (2024 edition) recommends that this inventory be reviewed at least quarterly and updated within 5 business days of any change.

The PCPD’s Guidance on Obtaining Consent in the Digital Environment (2024 edition) requires that consent be “explicit, specific, and freely given.” Pre-ticked boxes, implied consent from continued use of a service, or bundled consent for multiple unrelated purposes are not valid. For financial institutions, this means that the account opening process must include a separate, unticked checkbox for each purpose that requires consent beyond the core service, for example marketing, credit scoring, or data sharing with affiliates.

Incident Response Plan

Section 64 of Cap. 486, as amended in 2024, now requires every data user to have in place a written data breach response plan. The plan must include: (a) a designated data breach response team, (b) a procedure for assessing whether the breach is notifiable, (c) a template for the notification to the PCPD, and (d) a procedure for notifying affected data subjects. The plan must be tested through a tabletop exercise at least once every 12 months, and the results must be documented and retained for 3 years.

Five Actionable Takeaways

  1. Conduct a full data inventory mapping all personal data flows, including those to overseas servers for AI training, by 30 June 2025, and document the legal basis for each flow under DPP 1 and DPP 3 of Cap. 486.
  2. Review all existing Personal Information Collection Statements (PICS) to ensure the stated purposes match actual data uses, and obtain separate, explicit consent for any secondary use such as marketing or model training.
  3. Implement a data retention schedule that automatically deletes personal data upon expiry of the statutory or regulatory retention period, and test the schedule quarterly against the data inventory.
  4. Execute a PCPD-approved data transfer agreement or binding corporate rules for any cross-border transfer of personal data to a jurisdiction not recognized by the PCPD as having adequate data protection laws, before any such transfer occurs.
  5. Establish a written data breach response plan that includes a 72-hour notification protocol to the PCPD and affected data subjects, and conduct a tabletop exercise of the plan by 30 September 2025.

This does not constitute legal advice. Consult a solicitor for your specific case.