April 2025

Urban Renewal Authority Data Breach Incident Prompts Update of Guidance on Cloud Computing by the Privacy Commissioner for Personal Data in Hong Kong


A recent data breach incident suffered by the Urban Renewal Authority ("URA"), involving personal data stored on a cloud platform that was accessible without authentication, prompted an investigation by the Office of the Privacy Commissioner for Personal Data ("PCPD") in Hong Kong. The PCPD found that the URA had failed to take all practicable steps to ensure that the personal data involved was protected against unauthorised or accidental access, processing, erasure, loss or use. The incident prompted the PCPD to update its "Guidance on Cloud Computing", which sets out the recommended measures to safeguard personal data privacy for organisations that use cloud services.

Background of the Data Breach Incident

On 13 May 2024, the URA notified the PCPD of a data breach involving personal data stored on its cloud platform which could be accessed without authentication. The PCPD found that the URA had used outdated software for its e-Form Platform without adequate data protection safeguards. The incident affected the personal data of 199 individuals who had signed up for URA briefing sessions. The data included names, telephone numbers, ownership details and some correspondence addresses.

Key Findings

The PCPD identified two key aspects that contributed to the data incident:

  1. The URA did not check whether the e-Form Platform software in use was the latest version, and did not update the software in a timely manner.
  2. The URA staff who collected personal data lacked an understanding of the software, and the URA did not conduct sufficient security testing of the software before use. As a result, some key functions were omitted from the security check of the forms, and the security gap was not detected in a timely manner.
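The second finding is a testing gap: nobody confirmed that every path serving collected personal data actually demanded credentials. The following is an added example, not code from the PCPD report or from the URA, of the kind of check that would have caught it. It assumes a hypothetical e-form service whose paths under `/forms/` must all reject requests that carry no `Authorization` header; a local mock server, constructed here with one deliberately unprotected export path, stands in for that service so the check runs offline.

```python
"""Check that personal-data endpoints reject unauthenticated requests.

Added example; not from the PCPD report or the URA. The service, paths and
mock responses below are hypothetical, constructed for illustration.
"""
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import ProxyHandler, Request, build_opener

# Paths a deployment is expected to protect (constructed list).
PROTECTED_PATHS = [
    "/forms/registrations",
    "/forms/registrations/export",
    "/forms/admin",
]


class MockEFormHandler(BaseHTTPRequestHandler):
    """Stand-in for a misconfigured e-form platform: the export path is
    served to anyone, the other paths require an Authorization header."""

    UNPROTECTED = {"/forms/registrations/export"}  # the deliberate gap

    def do_GET(self):
        if self.path in self.UNPROTECTED or self.headers.get("Authorization"):
            body = b'[{"name": "A. Owner", "phone": "91234567"}]'  # constructed
            self.send_response(200)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", "Bearer")
            self.send_header("Content-Length", "0")
            self.end_headers()

    def log_message(self, *args):  # keep the mock server quiet
        pass


def start_mock_server():
    """Bind the mock service to a free loopback port and serve it in a thread."""
    server = HTTPServer(("127.0.0.1", 0), MockEFormHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def status_without_credentials(base_url, path, timeout=5):
    """Fetch path with no credentials and return the HTTP status code.

    A direct opener is used so a proxy configured in the environment
    cannot answer on the service's behalf.
    """
    opener = build_opener(ProxyHandler({}))
    req = Request(base_url + path, headers={"Accept": "application/json"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status
    except HTTPError as err:
        return err.code  # 401/403 is the expected, correct answer here


def find_unauthenticated_exposure(base_url, paths=PROTECTED_PATHS):
    """Return every path that serves a 2xx response to an anonymous client."""
    exposed = []
    for path in paths:
        code = status_without_credentials(base_url, path)
        if 200 <= code < 300:
            exposed.append(path)
    return exposed


def run_check():
    """Run the check against the mock service and return the exposed paths."""
    server = start_mock_server()
    base_url = f"http://127.0.0.1:{server.server_port}"
    try:
        return find_unauthenticated_exposure(base_url)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for exposed_path in run_check():
        print(f"EXPOSED without authentication: {exposed_path}")
```

Pointing `find_unauthenticated_exposure` at a real deployment's base URL, with the list of paths that handle collected form data, turns this into a release-gate check; a non-empty result is a finding of exactly the kind the PCPD describes. The check is only as good as the path list, so the list should be generated from the platform's route configuration rather than typed by hand, which is also why a missing entry in a manual list is the failure mode the second finding points to.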

The PCPD determined that the URA contravened DPP 4(1) of the Personal Data (Privacy) Ordinance ("PDPO") by failing to put in place adequate safeguards to ensure the security of personal data under its control.

PCPD updated Guidance on Cloud Computing

Given the URA data breach and the fast adoption of cloud computing services in Hong Kong, the PCPD found it necessary to revise its "Guidance on Cloud Computing".

The PCPD's main recommendations to companies that use cloud services are that they should:

  • take note of updates of the cloud services provided by the cloud service providers, and update their software and/or adjust the configurations in their system in a timely manner;
  • carefully evaluate the responsibilities and measures required to ensure adequate protection of personal data privacy;
  • take extra precaution when using Software as a Service (SaaS) and mitigate data security risks given that when using such services it may be more challenging for them to directly control the personal data they are responsible for;
  • take care when using services provided on non-negotiable standard contract terms; if the standard security level or data protection standards offered fall below an organisation's requirements, it should ask for customised services and negotiate contract terms that address its specific security requirements;
  • seek ways to verify the data protection and security measures implemented by cloud service providers, for instance, through declarations or audit reports;
  • have contractual safeguards from cloud service providers who use sub-contractors to make sure that the sub-contractors will adhere to the same level of protection and have compliance controls equivalent to those of the cloud service provider;
  • include a contractual provision that requires cloud service providers (and their sub-contractors) to notify data users of a data breach as soon as possible. A mandatory notification will help data users to quickly address breaches, including notifying the PCPD and affected individuals and taking other remedial action;
  • be cautious when making decisions to store or process data at offshore data centres, as local laws may apply when cloud service providers with data centres in various jurisdictions transfer personal data across borders;
  • comply with the PDPO and the six DPPs when transferring data abroad. In particular, data users should inform data subjects of the class of data recipient(s) (including any located outside Hong Kong) and the purpose for which the data is to be used. Data users should also obtain data subjects' prescribed consent if the data will be used (or transferred outside Hong Kong) for a new purpose, unless a relevant exemption under the PDPO applies. Data users which engage a data processor (which processes personal data on their behalf, within or outside Hong Kong) must also adopt contractual or other means to prevent personal data being held longer than is necessary, and to prevent unauthorised or accidental access, processing, erasure, loss or use of such data;
  • obtain information from cloud service providers about specific locations or jurisdictions where the data will be stored or processed so that this information may be relayed to data subjects;
  • select or specify jurisdictions that offer sufficient legal and regulatory protection for personal data as the location of the cloud, when contracting with an outsourced provider. For example, these jurisdictions should have regulatory frameworks substantially similar to the regulatory framework in Hong Kong;
  • assume full responsibility for safeguarding personal data. Outsourcing the processing or storage of personal data does not diminish data user's legal obligation to protect the personal data; and
  • provide adequate and clear notification to customers in personal information collection statement and/or privacy policy, informing customers that their personal data storage and/or processing will be outsourced to a cloud service provider, and that their personal data may be stored or processed in a different jurisdiction.

Conclusion

The PCPD emphasised the “shared responsibility” between organisations using cloud computing services and cloud service providers in safeguarding data security within a cloud environment. Data users which use cloud computing services should refer to the updated Guidance and its recommendations to ensure better compliance with the PDPO.

The authors would like to thank Charmian Chan, Trademark Assistant at Mayer Brown Hong Kong LLP, for her assistance with this article.
