Global Data Privacy Guide

Hong Kong

(Asia Pacific) Firm Deacons

Contributors Charmaine Koo

Updated 02 Sep 2025
1. What is the key legislation?

The key legislation in Hong Kong is the Personal Data (Privacy) Ordinance (Chapter 486 of the Laws of Hong Kong).

The key legislation governing privacy in Hong Kong is the Personal Data (Privacy) Ordinance (Chapter 486 of the Laws of Hong Kong) (“PDPO”).  The PDPO has been in force since 1996.  It was amended in 2013 to introduce provisions relating to direct marketing and in 2021 to introduce new offences relating to doxxing.
The PDPO allows the Privacy Commissioner to issue guidance on how the Privacy Commissioner intends to interpret the provisions of the PDPO and a number of Codes of Practice have been issued including the Code of Practice on Identity Card Number and other Personal Identifiers, the Code of Practice on Human Resources Management, and the Code of Practice on Consumer Credit Data.  Non-compliance with a code of practice itself is not an offence but can be a proof of contravention of the relevant requirement under PDPO.
The Privacy Commissioner also issues “Guidance Notes” which include the Checklist on Guidelines for the Use of Generative AI by Employees, Guidance on Collection and Use of Biometric Data, CCTV Surveillance and Use of Drones, Data Breach Handling and the Giving of Breach Notifications, Direct Marketing, and Guidance on Personal Data Protection in Cross-border Data Transfer.  
These Guidance Notes do not have the force of law but a failure to follow them will be taken into account in assessing whether there has been a breach of the PDPO.  
For a full list of current Guidance Notes please check Guidance Notes/ Reports.

2. What are the key decisions applying that legislation?

Decisions applying the legislation may be contained in court judgments, Administrative Appeals Board (AAB) decisions and the Privacy Commissioner’s own Case Notes and investigation reports.  Relevant decisions include what constitutes personal data, interpretation of the data protection principles, direct marketing offences, and exemptions under the PDPO.  It is not practical to list all key cases but some of the more significant decisions are Eastweek Publisher Limited & Anor v Privacy Commissioner for Personal Data [2000] 2 HKLRD 83, Cathay Pacific Airways Ltd v Administrative Appeal Board & Anor [2008] 5 HKLRD 539, Octopus Rewards Investigation (2010) (R10-4422), HKSAR v Hong Kong Broadband Network Limited [2018] 2 HKLRD 1049, X v Privacy Commissioner for Personal Data (Appeal No. 15/2019), and Worldcoin Project Investigation (2024) (R24-1335).

Eastweek Publisher Limited & Anor v Privacy Commissioner for Personal Data [2000] 2 HKLRD 83 – the Court of Appeal took the view that the gathering of information (including taking of photos) on an anonymous subject would not constitute the collection of personal data within the meaning of the PDPO if the photographer had no intent to identify the person.  The data user must be compiling information about an identified person, or about a person whom the data user intends, or seeks to identify.  
Cathay Pacific Airways Ltd v Administrative Appeal Board & Anor [2008] 5 HKLRD 539 – in judicial review proceedings, the High Court found for Cathay in quashing the decisions of the Privacy Commissioner and the AAB, in respect of Cathay's policy requiring cabin crew to consent to disclosure of private medical records.  Although a data subject must be provided with all necessary information in order to make an informed decision, this does not mean that a data subject must have "complete freedom" of choice whether to consent or not, as there may be circumstances in which the disclosure of data may be compulsory. In such cases, the data subject must be informed of the consequences of a refusal to supply the data, but this does not constitute a threat or the exertion of undue influence. 
Octopus Rewards Investigation (2010) (R10-4422) - Octopus Rewards Limited was found by the Privacy Commissioner to have violated the principles of the PDPO by collecting excessive and unnecessary personal data.  Further, it did not take appropriate measures to inform customers where their personal data will be transferred to, and the company also sold the data to its business partners without obtaining customers' clear and voluntary consent.
HKSAR v Hong Kong Broadband Network Limited [2018] 2 HKLRD 1049 - Hong Kong Broadband Network ("HKBN") was convicted of a criminal offence for failing to comply with the direct marketing provisions of the PDPO.   The company was fined for using the personal data of a data subject in direct marketing without obtaining the data subject’s consent, and failing to comply with the requirement from a data subject to cease to use his personal data in direct marketing.  
X v Privacy Commissioner for Personal Data (Appeal No. 15/2019) - The “right to be forgotten” (RTBF) has been central to the global debate over the balance between individual privacy and freedom of information and of the media in recent years.  This landmark decision confirmed that there is no independent RTBF under Hong Kong law, and the AAB also made an important ruling on the territorial boundary of the PDPO.  The AAB found that in order to attract the jurisdiction of the PDPO, the sole and proper test is to consider whether the data user controls all or any part of the data cycle (collection, holding, processing, and use) in, or from, Hong Kong. 
Worldcoin Project Investigation (2024) (R24-1335) – The Privacy Commissioner found that the Worldcoin Project violated the PDPO and ordered Worldcoin to cease operations that involved scanning and collecting iris and facial images of the public.  The Privacy Commissioner considered that:
•    the face and iris images collected by the Worldcoin project were unnecessary and excessive;
•    Worldcoin had failed to provide sufficient information to the public, preventing informed decisions and genuine consent;
•    Worldcoin’s retention of sensitive biometric data for up to 10 years for the purpose of AI model training, including face and iris images, was unjustified;
•    participants did not have the means to exercise their rights of data access and correction.

1. How are “personal data” and “sensitive data” defined?

The PDPO protects “personal data”, which is defined as “any data: (i) relating directly or indirectly to a living individual; (ii) from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and (iii) in a form in which access to or processing of the data is practicable.”

The PDPO does not have a separate concept of “sensitive data”.  

The PDPO does not separately provide for or define “sensitive data”.  However, the various Codes of Practice issued by the Privacy Commissioner do provide examples of which data are regarded as more sensitive types of personal data and how they should be treated, such as identity card numbers, date of birth and biometric data.  Additional rules may apply to the processing of these specific types of personal data.

2. How is the defined data protected?

The PDPO is applicable to both the private and the public sectors and is technology-neutral and principle-based.  The Data Protection Principles are contained in Schedule 1 to the PDPO and they outline how data users should collect, handle and use personal data, and impose further compliance requirements.

The PDPO sets out six Data Protection Principles (“DPPs”) and the objective of DPPs is to ensure that personal data is collected on a fully-informed basis and in a fair manner, with due consideration towards minimizing the amount of personal data collected.  Personal data should be processed in a secure manner, should only be kept for as long as necessary for the fulfillment of the purposes of using the data, and use of the data should be limited to or related to the original collection purpose.  Data subjects are also given the right to access and make correction to their data.
DPP1 – Personal data must be collected in a lawful and fair manner, and the data user must give specified information to a data subject when collecting his personal data.
DPP2 – Personal data must be accurate and up-to-date, and kept no longer than necessary.
DPP3 – Personal data should only be used for the purposes for which they were collected or a directly related purpose. Otherwise, the data user must obtain the “prescribed consent” of the data subject.
DPP4 – The data user must have measures in place for the confidentiality and security of personal data.
DPP5 – Data users must provide general information about the kinds of personal data they hold and the main purposes for which personal data are used.
DPP6 – Data subjects must be given a right of access to their personal data, and to correct them.
Under Section 4 of the PDPO, a data user shall not do any act or engage in a practice that contravenes a DPP, unless the act or practice is required or permitted under the PDPO.

3. Who is subject to privacy obligations?

The PDPO applies to any data user (including the government).

Note: The PDPO applies to any “data user” (including the government), which is defined in the PDPO as “in relation to personal data, a person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of the data”.

The PDPO sets out certain exemptions including (without limitation):

  • performance of judicial functions;
  • security in respect of Hong Kong;
  • crime;
  • health;
  • news;
  • statistics and research; and
  • emergency situations

Such exemptions do not necessarily give blanket exemptions to the whole of the PDPO, but instead may provide exemptions for only parts of the PDPO.

4. How is “data processing” defined?

According to the PDPO, “processing in relation to personal data, includes amending, augmenting, deleting or rearranging the data, whether by automated means or otherwise”.   

5. What are the principles applicable to personal data processing?

Generally, personal data collected from a data subject must be for a lawful purpose connected with a function or activity of the data user, necessary for that purpose, adequate but not excessive, and the data user must take all practicable steps to make the data subject aware of certain matters before collection.

DPP 1 of the PDPO sets out certain requirements in relation to the purpose and manner of collection of personal data.
Generally, personal data should not be collected unless:
•    the data is collected for a lawful purpose directly related to a function or activity of the data user who is to use the data;
•    the collection of the data is necessary for or directly related to that purpose; and
•    the data is adequate but not excessive in relation to that purpose.
If personal data is to be collected directly from a data subject, all practicable steps should be taken to ensure:
•    he is explicitly or implicitly informed on or before collection whether it is obligatory or voluntary for personal data to be collected and, if obligatory, the consequences of not providing such personal data;
•    he is explicitly informed on or before collecting the data of (i) the purposes (in general or specific terms) for which such personal data are to be used; and (ii) the classes of persons to whom such personal data might be transferred; and
•    he is explicitly informed on or before first use of the data for the purpose for which it was collected of: (i) his right of access to, and to request the correction of such personal data; and (ii) the name or job title and address of the individual who is to handle any such request. 

6. How is the processing of personal data regulated?

Generally, subject to a data subject’s prescribed consent, a data user may use or disclose personal data only for the purpose for which it was collected or a purpose directly related to such purpose.

Under DPP 3, a data user must not, without the “prescribed consent” (express consent of the person given voluntarily and not withdrawn) of the data subject, use (which includes disclose or transfer) any personal data collected in accordance with DPP 1 for any purpose other than the purpose for which the personal data was to be used at the time of the collection of the personal data (or a purpose directly related to such purpose).
The use and disclosure of personal data for direct marketing purposes is strictly regulated in Hong Kong, where “direct marketing” is the offering, or advertising of the availability of goods, facilities or services through direct marketing means (i.e. sending information or goods, addressed to specific persons by name, by mail, fax, electronic mail or other means of communication; or making telephone calls to specific persons):
•    data users who intend to use a data subject’s personal data in direct marketing must, before using personal data in direct marketing: (a) inform the data subject: (i) that the data user intends to so use the personal data; and (ii) that the data user may not so use the data unless the data user has received the data subject’s consent to the intended use; (b) provide the data subject with the following information in relation to the intended use: (i) the kinds of personal data to be used; (ii) the classes of marketing subjects in relation to which the data is to be used; and (c) provide the data subject with a channel through which the data subject may, without charge by the data user, communicate the data subject’s consent to the intended use;
•    data users must obtain the data subject’s “consent” (which, in relation to a use of personal data in direct marketing or a provision of personal data for use in direct marketing, includes an indication of no objection to the use or provision) to use personal data in direct marketing;
•    data users must notify the data subject when using personal data in direct marketing for the first time that the data user must, without charge to the data subject, cease to use the data in direct marketing if the data subject so requires;
•    data users must cease to use the personal data for direct marketing upon a data subject’s request;
•    data users who intend to provide a data subject’s personal data to another party for use by that other person in direct marketing must, before providing personal data to the other party: (a) inform the data subject in writing (i) that the data user intends to so provide the personal data; and (ii) that the data user may not so provide the data unless the data user has received the data subject’s consent to the intended provision; (b) provide the data subject with the following written information in relation to the intended provision (i) if the personal data is to be provided for gain, that the personal data is to be so provided; (ii) the kinds of personal data to be provided; (iii) the classes of persons to which the personal data is to be provided; and (iv) the classes of marketing subjects in relation to which the personal data is to be used; and (c) provide the data subject with a channel through which the data subject may, without charge by the data user, communicate the data subject’s consent to the intended provision in writing;
•    data users must obtain the data subject’s consent to provide personal data to another party for use in direct marketing; and
•    data users must cease to provide personal data to another party for use in direct marketing upon a data subject’s request.

7. How are storage, security and retention of personal data regulated?

Personal data must be protected from unauthorized or accidental access, processing, erasure, loss or use with reasonable security safeguards.  Data users must not keep personal data for longer than is necessary for the purpose for which it is used.

In terms of the storage and security of personal data, under DPP 4, all practicable steps shall be taken to ensure that personal data (including data in a form in which access to or processing of the data is not practicable) held by a data user are protected against unauthorized or accidental access, processing, erasure, loss or use having particular regard to:
•    the kind of data and the harm that could result if any of those things should occur;
•    the physical location where the data is stored;
•    any security measures incorporated (whether by automated means or otherwise) into any equipment in which the data is stored;
•    any measures taken for ensuring the integrity, prudence and competence of persons having access to the data; and
•    any measures taken for ensuring the secure transmission of the data.
In terms of the retention of personal data, under DPP 2, all practicable steps shall be taken to ensure that personal data is not kept longer than is necessary for the fulfillment of the purpose (including any directly related purpose) for which the personal data is or is to be used.

8. What are the data subjects' rights under the data legislation?

Generally, a data user must take all practicable steps to ensure that personal data is accurate.  Subject to specific grounds for refusing access or correction, a data subject is entitled to have access to any personal data about them held by a data user, and for correction of such personal data. 

Under DPP 2, a data user must take all practicable steps to ensure that:
•    personal data is accurate having regard to the purpose (including any directly related purpose) for which the personal data is or is to be used;
•    where there are reasonable grounds for believing that personal data is inaccurate: (i) the personal data is not used for that purpose unless and until those grounds cease to be applicable to the personal data, whether by the rectification of the data or otherwise; or (ii) the personal data is erased;
•    where it is practicable in all the circumstances of the case to know that: (i) personal data disclosed on or after the appointed day to a third party is materially inaccurate having regard to the purpose (including any directly related purpose) for which the data is or is to be used by the third party; and (ii) that personal data was inaccurate at the time of such disclosure, that the third party: (A) is informed that the data is inaccurate; and (B) is provided with such particulars as will enable the third party to rectify the data having regard to that purpose.
Under DPP 6, a data subject shall be entitled to: 
•    ascertain whether a data user holds personal data of which he is the data subject;
•    request access to personal data: (i) within a reasonable time; (ii) at a fee, if any, that is not excessive; (iii) in a reasonable manner; and (iv) in a form that is intelligible;
•    be given reasons if a request for access to personal data is refused;
•    object to a refusal for access to personal data;
•    request the correction of personal data;
•    be given reasons if a request for the correction of personal data is refused; and
•    object to a refusal for the correction of personal data.
Under the PDPO, in certain circumstances, a data user must refuse to comply with a personal data access request or a personal data correction request (e.g. if the data user is not supplied with such information as the data user may reasonably require in order to satisfy the data user as to the identity of the requestor), while in other circumstances a data user may refuse the same (e.g. if the data user is not satisfied that the personal data to which the request relates is inaccurate).

9. What are the consent requirements for data subjects?

Not applicable.

10. How is authorization for use of data handled?

The PDPO is a notification/consent-based regime.  A data user must not, without the “prescribed consent” of the data subject, use any personal data collected for any purpose other than the purpose for which the personal data was to be used at the time of the collection (or a purpose directly related to such purpose).

Additional notice and consent requirements apply in relation to direct marketing. 

Please see above for discussion of DPP1 and DPP3.  
As also mentioned above, the PDPO provides a number of exemptions from some compliance requirements under particular circumstances including crime prevention, security and defence, news activity, protecting a data subject’s health, or if the use of personal data is required or authorized by law or court order, or is required for exercising or defending legal rights in Hong Kong.

11. Are cross-border data transfers regulated? If so, what are the restrictions on cross-border data transfers?

Section 33 of the PDPO restricts the transfer of personal data outside of Hong Kong unless certain conditions are fulfilled.  The intention is to ensure that personal data may only be transferred to jurisdictions that will give a similar level of data protection as Hong Kong.  However, this section is not yet in force.

Section 33 of the PDPO, which restricts the transfer of personal data outside of Hong Kong, is still not in force even though the provision has been in the law since the PDPO took effect in 1996.   Section 33 provides that a data user shall not transfer personal data to a place outside of Hong Kong unless at least one of the following conditions is met:
•    the place has been approved by the Privacy Commissioner in writing;
•    the data user has reasonable grounds for believing that there is in force in that place any law which is substantially similar to, or serves the same purposes as, the PDPO;
•    the data subject has consented in writing to the transfer;
•    the data user has reasonable grounds for believing that, in all the circumstances of the case, the transfer is for the avoidance or mitigation of adverse action against the data subject; and it is not practicable to obtain the data subject’s consent but, if practicable, such consent would be given;
•    the data is exempt from Principle 3 under Part VIII of the PDPO (i.e. the personal data is held for certain purposes such as domestic purposes, employment or staff planning, the prevention or detection of crime, the security or defense of Hong Kong, legal professional privilege, news activities etc.).
There is still no timetable for the implementation of section 33.  However, the 2014 Guidance on Personal Data Protection in Cross-border Data Transfer encourages data users to comply with Section 33 of the PDPO and included a set of model data transfer clauses.  This was supplemented by the 2022 Guidance on Recommended Model Contractual Clauses for Cross-border Transfer of Personal Data, which sets out best practice, and includes two sets of recommended model contractual clauses (RMCs) to cater for two different scenarios in cross-border data transfers: data user to data user transfers and data user to data processor transfers.  
Due to the close integration of cities within the Guangdong-Hong Kong-Macao Greater Bay Area (GBA) and the increasingly frequent data flows between Hong Kong and cities in the GBA, there is also specific Guidance on Cross-boundary Data Transfer: Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong – Hong Kong – Macao Greater Bay Area. 
Whilst the Guidance Notes are not legally binding, they should be considered as best practice, and compliance will be taken into account when investigating any suspected or alleged breach of the PDPO. 
It is important to note that many of the general protections of the PDPO also apply in the context of cross-border data transfers and the RMCs are consistent with existing data privacy requirements under the PDPO, including the six DPPs.
It should be emphasized that the sharing or transferring of personal data from a business to its parent, subsidiary, affiliated, related or other company within the same group of companies, whether located in or outside of Hong Kong, will still be regarded as “transferring out” of data and, as such, will still need to comply with the general requirements of the PDPO.

12. How are data "incidents" and "breaches" defined?

There is no statutory definition of a data breach in the PDPO but, according to the Guidance on Data Breach Handling and Data Breach Notifications, a data breach is generally taken to be a suspected breach of data security of personal data held by a data user, by exposing the data to the risk of unauthorized or accidental access, processing, erasure, loss or use.  
There is no separate definition of data “incidents”.  

The Privacy Commissioner gives examples of data breaches, such as access by an unauthorized third party to personal data as a result of hacking, and leakage of data caused by file-sharing software installed on a computer or system misconfiguration. 

13. Are there any notification requirements for incidents and/or data breaches?

There are no mandatory reporting requirements for breaches of the PDPO.

There are currently no requirements under the PDPO for a data user in breach of the PDPO to notify the Privacy Commissioner or any third parties.  However, the Privacy Commissioner has issued a Guidance Note on Data Breach Handling and the Giving of Breach Notifications which contains practical guidance and recommendations for complying with the PDPO to help data users prepare for and handle data breaches, prevent recurrence of data breaches and mitigate the loss and damage caused to the data subjects involved.  The Guidance includes a recommendation from the Privacy Commissioner that data users adopt a system of notification in handling a data breach.

14. Who is/are the privacy regulator(s)?

The PDPO establishes the office of the Privacy Commissioner.  The functions and powers of the Privacy Commissioner range from monitoring and supervising compliance with the provisions of the PDPO, to investigating complaints of contravention of the PDPO and serving enforcement notices.

The Privacy Commissioner has a range of functions and powers under the PDPO including in relation to the monitoring and supervising compliance with the provisions of the PDPO; promoting awareness and understanding of, and compliance with, the PDPO (including undertaking promotional or educational activities); carrying out inspections of data users’ personal data systems; and investigating complaints of contravention of the PDPO and serving enforcement notices.
The PDPO also gives the Privacy Commissioner the power to issue guidelines for data users and data subjects on the PDPO indicating the manner in which the Privacy Commissioner proposes to perform the functions, or exercise any of the powers, of the Privacy Commissioner.  The Privacy Commissioner also has the power to promote and assist bodies representing data users to prepare codes of practice.  

15. What are the consequences of a data breach?

The PDPO currently does not provide for any mandatory breach reporting or administrative fine but the Privacy Commissioner may issue an enforcement notice to the data user directing remedial and/or preventive steps to be taken.  Failure to comply with an enforcement notice is an offence which may result in a maximum fine of HK$50,000 and imprisonment for 2 years, with a daily penalty of HK$1,000 for on-going non-compliance.  Subsequent convictions can result in a maximum fine of HK$100,000 and imprisonment for 2 years, with a daily penalty of HK$2,000.

16. How is electronic marketing regulated?

In addition to the PDPO, unsolicited electronic messages are regulated under the Unsolicited Electronic Messages Ordinance (Chapter 593 of the Laws of Hong Kong) (“UEMO”).

The UEMO prohibits the sending of “commercial electronic messages” (CEM) except in certain circumstances.  Under the UEMO, a CEM is defined as an electronic message, the purpose or one of the purposes of which is (in the course of or in the furtherance of any business):
•    to offer to supply goods, services, facilities, land, or an interest in land;
•    to offer to provide a business opportunity or an investment opportunity;
•    to advertise or promote goods, services, facilities, land or an interest in land;
•    to advertise or promote a business opportunity or an investment opportunity;
•    to advertise or promote a supplier, or a prospective supplier, of goods, services, facilities, land or an interest in land; or
•    to advertise or promote a provider, or a prospective provider, of a business opportunity or an investment opportunity.
Under the UEMO, CEMs must not:
•    be sent unless the CEM includes accurate sender information;
•    be sent unless the CEM contains an unsubscribe facility;
•    be sent after an unsubscribe request is sent;
•    be sent to an electronic address listed in the do-not-call register;
•    use misleading subject headings; or
•    be sent with calling line identification information concealed.

17. Are there sector-specific or industry-specific privacy requirements?

18. What are the requirements for appointing Data Protection Officers or similar roles?

There is no legal requirement under the PDPO to appoint a Data Protection Officer (DPO).  However, the Privacy Management Programme: A Best Practice Guide (last revised in 2019) (PMP Guide), encourages companies to appoint a designated DPO to oversee compliance with the PDPO and to implement a privacy management programme.  There are no regulatory qualifications or criteria for a data protection officer but the PMP Guide suggests that for a major corporation, the DPO should be a senior executive, whereas for a very small organization, the DPO could be the owner/operator.

19. What are the record-keeping and documentation obligations?

There are no specific record-keeping and documentation obligations under the PDPO.  

Although there are no specific record-keeping and documentation obligations under the PDPO, the PMP Guide provides that an organisation should be clear about what kinds of personal data it holds and where they are held, and document that assessment, and should be clear about why it is collecting, using or disclosing personal data, and document those reasons.  To keep the personal data inventory up to date, an inventory review exercise should be conducted annually.
The sample personal data inventory set out in the PMP Guide records the:
•    kind of personal data collected;
•    means of collection of the data;
•    purpose of collection and use of the data;
•    retention period of the data;
•    storage location;
•    disclosure of the data to any third parties, including data processors, and the names and relevant details of those third parties;
•    purpose of disclosing the data and whether the disclosure complies with the PDPO; and
•    data security measures.

20. What are the requirements for conducting Data Protection Impact Assessments (DPIAs)?

DPIAs are not mandatory under the PDPO.  However, the Privacy Commissioner has published a leaflet on Privacy Impact Assessments (revised 2015) advising data users to conduct a DPIA before launching any new business initiative or project that might have a significant impact on personal data privacy.  The concept of DPIAs is also included as best practice in the PMP Guide and the Privacy Management Programme Manual (PMP Manual).

According to the PMP Manual, a DPIA should be undertaken:
•    before the implementation of a new project, or a change of policies and practices, that involves
    the processing or collection of a considerable amount of personal data by the organisation; or
    collecting, processing, using or deleting personal data in ways that are materially different from the organisation’s existing practice; or
•    when there is a material change to the regulatory requirements relating to personal data and corresponding changes in the handling of personal data are required.

21. What are the requirements for third-party vendor management and data sharing?

Third-party data processors are not directly regulated under the PDPO.  A data user is liable for a breach of the PDPO committed by its agent or contractor.  Data users are therefore required, by contractual or other means, to ensure that their data processors meet the applicable requirements of the PDPO.

Under DPP 2 and DPP 4, a data user who engages a data processor (whether within or outside Hong Kong) must use contractual or other means to ensure that the personal data is protected against unauthorised or accidental access, processing, erasure, loss or use, and is not retained for longer than is necessary for the purpose of processing the data.  The Privacy Commissioner has also published a leaflet, Outsourcing the Processing of Personal Data to Data Processors (2012), which provides guidance to data users on the use of data processors and recommendations for their engagement.

22. What are the penalties and enforcement mechanisms for non-compliance?

A failure to comply with the PDPO may result in an Enforcement Notice which, if not complied with, may result in a fine and/or imprisonment.  Certain other breaches of the PDPO are themselves offences which, on conviction, may result in fines and/or imprisonment, with particularly severe fines and terms of imprisonment for breaches of the direct marketing regime.

When the Commissioner receives a complaint, or has reasonable grounds to believe there may be a contravention of the PDPO, the Commissioner may investigate the suspected contravention and, if it is in the public interest to do so, publish a report setting out the findings and recommendations.
Upon completion of an investigation, if a contravention of the PDPO is found, the Privacy Commissioner may issue an enforcement notice to the data user directing remedial and/or preventive steps to be taken.  Contravention of an enforcement notice is itself an offence, which on first conviction may result in a maximum fine of HK$50,000 and imprisonment for 2 years, with a daily penalty of HK$1,000 for a continuing offence.  A subsequent conviction may result in a maximum fine of HK$100,000 and imprisonment for 2 years, with a daily penalty of HK$2,000.
Contravention of a DPP is not in itself an offence.  However, contravention of certain provisions of the PDPO is an offence.  The Privacy Commissioner may carry out criminal investigations and institute prosecutions for certain offences under the PDPO.  Depending on the severity of the case, the Privacy Commissioner may refer cases to the Police or the Department of Justice.
A table summarising the various offences under the PDPO and the respective penalties is published by the Privacy Commissioner.
Data subjects may also seek compensation from data users by civil action for damage caused by a contravention of the PDPO.  The Commissioner may provide legal assistance to an aggrieved data subject if the Commissioner thinks fit to do so.

23. What are the ongoing compliance and audit requirements?

There are no statutory compliance or audit requirements, but any person or organisation collecting, holding, processing or using personal data must ensure continuous compliance with the DPPs.  The PMP Guide and PMP Manual advocate an effective ongoing review and monitoring process to facilitate compliance with the requirements of the PDPO.

24. Are there any recent developments or expected reforms?

The Privacy Commissioner issued the “Artificial Intelligence: Model Personal Data Protection Framework” (AI Framework) in June 2024, which provides recommendations for the procurement, implementation and use of AI systems to ensure the protection of personal data privacy and the safe, ethical and responsible use of innovative technology.  The AI Framework supplements the Guidance on the Ethical Development and Use of Artificial Intelligence (Ethical AI Guidelines) published in 2021.
The Checklist on Guidelines for the Use of Generative AI by Employees was published in March 2025.
In addition, on 19 March 2025 the Protection of Critical Infrastructure (Computer System) Ordinance was passed, and it is expected to come into force on 1 January 2026.  The purpose of the legislation is to strengthen the security of the computer systems of critical infrastructure and to minimise the chance of essential services being disrupted or compromised by cyberattacks, including data breaches.

The AI Framework provides a set of recommendations and best practices on the governance of AI for the protection of personal data privacy, aimed at organisations that procure, implement and use any type of AI system.  It is intended to assist organisations in complying with the requirements of the PDPO and in adhering to the three Data Stewardship Values and seven Ethical Principles for AI advocated in the Ethical AI Guidelines.
The Protection of Critical Infrastructure (Computer System) Ordinance seeks to enhance the protection of the computer systems of organisations responsible for critical services.  The law focuses on large-scale organisations in eight “essential services” sectors (energy, information technology, banking, telecommunications and broadcasting, maritime, healthcare, and land and air transport), as well as other infrastructure crucial for “maintaining important societal and economic activities”, such as major sports and performance venues and research and development parks.
There are three categories of statutory obligations: organisational, preventive, and incident reporting and response.  Under the regime, operators of critical infrastructure must report computer system security incidents within (a) two hours after becoming aware of a serious computer system security incident (including an incident that leads to a large-scale leakage of personal data or other data) and (b) 24 hours after becoming aware of any other computer system security incident.  At this stage it is not clear whether affected operators will have to report to the Privacy Commissioner as well as to the new Commissioner’s Office (under the Security Bureau), or whether investigations will be conducted by both Offices.
