
Global Data Privacy Guide

Hong Kong

(Asia Pacific) Firm Deacons

Contributors Charmaine Koo

Updated 01 Mar 2022
What is the key legislation?

The key legislation in Hong Kong is the Personal Data (Privacy) Ordinance (Chapter 486 of the Laws of Hong Kong).

Note: The key legislation governing privacy in Hong Kong is the Personal Data (Privacy) Ordinance (Chapter 486 of the Laws of Hong Kong) (“PDPO”).  The PDPO sets out, among other things, six Data Protection Principles (“DPPs”) that govern the: (i) purpose and manner of collection of personal data; (ii) accuracy and duration of retention of personal data; (iii) use of personal data; (iv) security of personal data; (v) information to be generally available; and (vi) access to personal data and disclosure of personal information. Under Section 4 of the PDPO, a data user shall not do any act or engage in a practice, that contravenes a DPP unless the act or practice, as the case may be, is required or permitted under the PDPO.

The PDPO allows the Privacy Commissioner to issue guidance on how the Privacy Commissioner intends to interpret the provisions of the PDPO.  These are generally known as “Guidance Notes”.  However, these Guidance Notes are not legally binding. Currently, the following Guidance Notes have been issued by the Privacy Commissioner in Hong Kong:

  • Best Practice Guide for Mobile App Development;
  • Collection and Use of Biometric Data;
  • Collection and Use of Personal Data through the Internet;
  • Collection and Use of Personal Data through the Internet - Points to Note for Data Users Targeting Children; 
  • Collection and Use of Personal Data of Teachers, Staff and Students During COVID-19 Pandemic for Schools;
  • Consumer Credit Data;
  • CCTV Surveillance and Use of Drones;
  • Data Breach Handling and the Giving of Breach Notifications;
  • Data Ethics for Small and Medium Enterprises;
  • Data Protection & Business Facilitation - Guiding Principles for Small and Medium Enterprises;
  • Data Protection by Design for ICT Systems;
  • Data Users on the Collection and Use of Personal Data;
  • Data Users on the Collection and Use of Personal Data through the Internet;
  • Direct Marketing;
  • Election Activities for Candidates, Government Departments, Public Opinion Research, Organisations and Members of the Public;
  • Electioneering Activities;
  • From Principles to Practice – SME Personal Data Protection Toolkit;
  • General Reference Guide-Privacy Management Programme (PMP) Manual (for Private Sector);
  • Guidance Note and Pamphlet: Guidance on the Ethical Development and Use of Artificial Intelligence;
  • Guidance on Protecting Personal Data Privacy in the Use of Social Media and Instant Messaging Apps;
  • Guide for Independent Non-Executive Directors (published by the Hong Kong Institute of Directors);

  • Mobile Service Operators;
  • Personal Data Erasure and Anonymisation;
  • Personal Data (Privacy) (Amendment) Ordinance 2021 Implementation Guideline (Doxxing);
  • Personal Data (Privacy) Ordinance and Electronic Health Record Sharing System (Points to Note for Healthcare Providers and Healthcare Professionals);
  • Personal Data Protection in Cross-border Data Transfer;
  • Preparing Personal Information Collection Statement and Privacy Policy Statement;
  • Privacy Management Programme: A Best Practice Guide;
  • Proper Handling of Customers’ Personal Data for the Banking Industry;
  • Proper Handling of Customers' Personal Data for the Beauty Industry;
  • Proper Handling of Customers’ Personal Data for the Insurance Industry;
  • Proper Handling of Data Correction Request by Data Users;
  • Proper Handling of Data Access Request and Charging of Data Access Request Fee by Data Users;
  • Property Management Practices; 
  • Protecting Personal Data under Work-from-home Arrangements: Guidance for Employees;
  • Protecting Personal Data under Work-from-home Arrangements: Guidance for Organisations;
  • Protecting Personal Data under Work-from-home Arrangements: Guidance on the Use of Video Conferencing Software;
  • Protect Your Digital Identity (published by the Hong Kong Computer Emergency Response Team Coordination Centre);
  • Understanding the Code of Practice on Consumer Credit Data - Frequently Asked Questions on the Sharing of Mortgage Data for Credit Assessment Purpose;
  • Use of Personal Data Obtained from the Public Domain; and 
  • Use of Portable Storage Devices.
What data is protected?

The PDPO protects personal data, personal data being data about an identifiable individual.

Note: The PDPO protects “personal data”, which is defined in the PDPO as “any data: (i) relating directly or indirectly to a living individual; (ii) from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and (iii) in a form in which access to or processing of the data is practicable”

Who is subject to privacy obligations?

The PDPO applies to any data user (including the government).

Note: The PDPO applies to any “data user” (including the government), which is defined in the PDPO as “in relation to personal data, a person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of the data”.

The PDPO sets out certain exemptions including (without limitation):

  • performance of judicial functions;
  • security in respect of Hong Kong;
  • crime;
  • health;
  • news;
  • statistics and research; and
  • emergency situations.

Such exemptions do not necessarily give blanket exemptions to the whole of the PDPO, but instead may provide exemptions for only parts of the PDPO.

What are the principles applicable to personal data processing?

Generally, personal data collected from a data subject must be collected for a lawful purpose directly related to a function or activity of the data user, must be necessary for or directly related to that purpose, and must be adequate but not excessive in relation to it; the data user must also take all practicable steps to make the data subject aware of certain matters on or before collection.

Note: DPP 1 of the PDPO sets out certain requirements in relation to the purpose and manner of collection of personal data.

Generally, personal data should not be collected unless all of the following are satisfied:

  • the data is collected for a lawful purpose directly related to a function or activity of the data user who is to use the data;
  • the collection of the data is necessary for or directly related to that purpose; and
  • the data is adequate but not excessive in relation to that purpose.

If personal data is to be collected directly from a data subject, all practicable steps should be taken to ensure:

  • he is explicitly or implicitly informed on or before collection whether it is obligatory or voluntary for personal data to be collected and, if obligatory, the consequences of not providing such personal data;
  • he is explicitly informed on or before collecting the data of (i) the purposes (in general or specific terms) for which such personal data are to be used; and (ii) the classes of persons to whom such personal data might be transferred; and
  • he is explicitly informed on or before first use of the data for the purpose for which it was collected of: (i) his right of access to, and to request the correction of such personal data; and (ii) the name or job title and address of the individual who is to handle any such request.
     
How is the processing of personal data regulated?

Generally, unless the data subject has given prescribed consent, a data user may use or disclose personal data only for the purpose for which it was collected or a purpose directly related to that purpose.

Note: Under DPP 3, a data user must not, without the "prescribed consent” (express consent of the person given voluntarily and not withdrawn) of the data subject, use (which includes disclose or transfer) any personal data collected in accordance with DPP 1 for any purpose other than the purpose for which the personal data was to be used at the time of the collection of the personal data (or a purpose directly related to such purpose).

The use and disclosure of personal data for direct marketing purposes is strictly regulated in Hong Kong, where “direct marketing” is the offering, or advertising of the availability of goods, facilities or services through direct marketing means (i.e. sending information or goods, addressed to specific persons by name, by mail, fax, electronic mail or other means of communication; or making telephone calls to specific persons):

  • data users who intend to use a data subject’s personal data in direct marketing must, before using personal data in direct marketing: (a) inform the data subject: (i) that the data user intends to so use the personal data; and (ii) that the data user may not so use the data unless the data user has received the data subject’s consent to the intended use; (b) provide the data subject with the following information in relation to the intended use: (i) the kinds of personal data to be used; and (ii) the classes of marketing subjects in relation to which the data is to be used; and (c) provide the data subject with a channel through which the data subject may, without charge by the data user, communicate the data subject’s consent to the intended use;
  • data users must obtain the data subject’s “consent” (which, in relation to a use of personal data in direct marketing or a provision of personal data for use in direct marketing, includes an indication of no objection to the use or provision) to use personal data in direct marketing;
  • data users must notify the data subject when using personal data in direct marketing for the first time that the data user must, without charge to the data subject, cease to use the data in direct marketing if the data subject so requires;
  • data users must cease to use the personal data for direct marketing upon a data subject’s request;
  • data users who intend to provide a data subject’s personal data to another party for use by that other party in direct marketing must, before providing personal data to the other party: (a) inform the data subject in writing (i) that the data user intends to so provide the personal data; and (ii) that the data user may not so provide the data unless the data user has received the data subject’s consent to the intended provision; (b) provide the data subject with the following written information in relation to the intended provision: (i) if the personal data is to be provided for gain, that the personal data is to be so provided; (ii) the kinds of personal data to be provided; (iii) the classes of persons to which the personal data is to be provided; and (iv) the classes of marketing subjects in relation to which the personal data is to be used; and (c) provide the data subject with a channel through which the data subject may, without charge by the data user, communicate the data subject’s consent to the intended provision in writing;
  • data users must obtain the data subject’s consent to provide personal data to another party for use in direct marketing; and
  • data users must cease to provide personal data to another party for use in direct marketing upon a data subject’s request.
     
How are storage, security and retention of personal data regulated?

A data user must take all practicable steps to protect personal data against unauthorised or accidental access, processing, erasure, loss or use, having regard to the kind of data and the harm that could result. Personal data must not be kept longer than is necessary for the purpose for which it is used.

Note: In terms of the storage and security of personal data, under DPP 4, all practicable steps must be taken to ensure that personal data (including data in a form in which access to or processing of the data is not practicable) held by a data user is protected against unauthorised or accidental access, processing, erasure, loss or use, having particular regard to:

  • the kind of data and the harm that could result if any of those things should occur;
  • the physical location where the data is stored;
  • any security measures incorporated (whether by automated means or otherwise) into any equipment in which the data is stored;
  • any measures taken for ensuring the integrity, prudence and competence of persons having access to the data; and
  • any measures taken for ensuring the secure transmission of the data.

In terms of the retention of personal data, under DPP 2, all practicable steps must be taken to ensure that personal data is not kept longer than is necessary for the fulfilment of the purpose (including any directly related purpose) for which the personal data is or is to be used.
 

What are the data subjects' rights?

Generally, a data user must take all practicable steps to ensure that personal data is accurate. Subject to specific grounds for refusing access or correction, a data subject is entitled to access any personal data about them held by a data user and to request the correction of such personal data.

Note: Under DPP 2, a data user must take all practicable steps to ensure that:

  • personal data is accurate having regard to the purpose (including any directly related purpose) for which the personal data is or is to be used;
  • where there are reasonable grounds for believing that personal data is inaccurate: (i) the personal data is not used for that purpose unless and until those grounds cease to be applicable to the personal data, whether by the rectification of the data or otherwise; or (ii) the personal data is erased;
  • where it is practicable in all the circumstances of the case to know that: (i) personal data disclosed on or after the appointed day to a third party is materially inaccurate having regard to the purpose (including any directly related purpose) for which the data is or is to be used by the third party; and (ii) that personal data was inaccurate at the time of such disclosure, that the third party: (A) is informed that the data is inaccurate; and (B) is provided with such particulars as will enable the third party to rectify the data having regard to that purpose.

Under DPP 6, a data subject shall be entitled to: 

  • ascertain whether a data user holds personal data of which he is the data subject;
  • request access to personal data: (i) within a reasonable time; (ii) at a fee, if any, that is not excessive; (iii) in a reasonable manner; and (iv) in a form that is intelligible;
  • be given reasons if a request for access to personal data is refused;
  • object to a refusal for access to personal data;
  • request the correction of personal data;
  • be given reasons if a request for the correction of personal data is refused; and
  • object to a refusal for the correction of personal data.

Under the PDPO, in certain circumstances, a data user must refuse to comply with a personal data access request or a personal data correction request (e.g. if the data user is not supplied with such information as the data user may reasonably require in order to satisfy the data user as to the identity of the requestor), while in other circumstances a data user may refuse the same (e.g. if the data user is not satisfied that the personal data to which the request relates is inaccurate).
 

Are there restrictions on cross-border data transfers?

Section 33 of the PDPO restricts the transfer of personal data outside of Hong Kong (except in certain circumstances), but it is not yet in force.

Note: Section 33 of the PDPO restricts the transfer of personal data outside of Hong Kong, but it is not yet in force. Section 33 of the PDPO provides that a data user shall not transfer personal data to a place outside of Hong Kong unless at least one of the following conditions is met:

  • the place has been approved by the Privacy Commissioner in writing;
  • the data user has reasonable grounds for believing that there is in force in that place any law which is substantially similar to, or serves the same purposes as, the PDPO;
  • the data subject has consented in writing to the transfer;
  • the data user has reasonable grounds for believing that, in all the circumstances of the case, the transfer is for the avoidance or mitigation of adverse action against the data subject, and it is not practicable to obtain the data subject’s consent but, if practicable, such consent would be given; or
  • the data is exempt from DPP 3 under Part VIII of the PDPO (i.e. the personal data is held for certain purposes such as domestic purposes, employment or staff planning, the prevention or detection of crime, the security or defence of Hong Kong, legal professional privilege, news activities, etc.).

The Privacy Commissioner has also issued a Guidance Note on cross border transfer of personal data (Personal Data Protection in Cross-border Data Transfer), which recommends steps a data user should take to comply with Section 33 of the PDPO, notwithstanding that Section 33 of the PDPO is not yet in force.
 

Are there any notification requirements for data breaches?

There are no mandatory requirements under the PDPO to report data breaches.

Note: There is currently no requirement under the PDPO for a data user in breach of the PDPO to notify the Privacy Commissioner or any third parties. However, the Privacy Commissioner has issued a Guidance Note (Guidance Note on Data Breach Handling and the Giving of Breach Notifications) which includes, among other things, a recommendation from the Privacy Commissioner that data users adopt a system of notification in handling a data breach.
Who is the privacy regulator?

The PDPO establishes the office of the Privacy Commissioner.  The functions and powers of the Privacy Commissioner range from monitoring and supervising compliance with the provisions of the PDPO, to investigating complaints of contravention of the PDPO and serving enforcement notices.

Note: The Privacy Commissioner has a range of functions and powers under the PDPO including, but not limited to: monitoring and supervising compliance with the provisions of the PDPO; promoting awareness and understanding of, and compliance with, the PDPO (including undertaking promotional or educational activities); carrying out inspections of data users’ personal data systems; and investigating complaints of contravention of the PDPO and serving enforcement notices.

The PDPO also gives the Privacy Commissioner the power to issue guidelines for data users and data subjects on the PDPO indicating the manner in which the Privacy Commissioner proposes to perform the functions, or exercise any of the powers, of the Privacy Commissioner (see Question 1 above for a list of Guidance Notes issued by the Privacy Commissioner). The Privacy Commissioner also has the power to promote and assist bodies representing data users to prepare codes of practice. As with the Guidance Notes, these codes of practice are not legally binding in themselves, although a data user’s failure to observe a code of practice is admissible in evidence in proceedings under the PDPO and may be taken into account. The current codes of practice in effect are:

  • Code of Practice on Consumer Credit Data (January 2013)
  • Code of Practice on Human Resource Management (April 2016)
  • Code of Practice on the Identity Card Number and Other Personal Identifiers (April 2016)
  • Privacy Guidelines: Monitoring and Personal Data Privacy at Work (April 2016)
What are the consequences of a privacy breach?

A failure to comply with the PDPO may result in an Enforcement Notice which, if not complied with, may result in a fine and/or imprisonment. Other breaches of the PDPO may also constitute an offence which, on conviction, may result in fines and/or imprisonment, with particularly severe fines and imprisonment for breaches of the PDPO in relation to the direct marketing regime.

Note: If a data user contravenes the PDPO, a complaint may be made to the Privacy Commissioner. The Privacy Commissioner then has the power to investigate the complaint. Investigations may also be initiated on the Privacy Commissioner’s own initiative. If the Privacy Commissioner is of the opinion that the relevant data user is contravening or has contravened the PDPO, the Privacy Commissioner may serve on the data user a notice in writing directing the data user to remedy and, if appropriate, prevent any recurrence of the contravention (known as an “Enforcement Notice”).

There is a miscellaneous offence whereby a data user who, without reasonable excuse, contravenes any requirement under the PDPO commits an offence and is liable on conviction to a fine of up to HK $10,000 (though this does not apply to breaches of a DPP or certain specific sections of the PDPO). Such specific offences, with corresponding fines and/or imprisonment depending on the relevant offence, include (without limitation):

  • a data user who knowingly or recklessly in a data user return or change notice supplies any information which is false or misleading in a material particular commits an offence and is liable on conviction to a fine of up to HK $10,000 and to imprisonment for up to 6 months;
  • a person who, in a data access request, supplies any information which is false or misleading in a material particular for the purposes of having the data user: (a) inform the person whether the data user holds any personal data which is the subject of the request; and (b) if applicable, supply a copy of the data, commits an offence and is liable on conviction to a fine of up to HK $10,000 and to imprisonment for up to 6 months;
  • a person who, in a data correction request, supplies any information which is false or misleading in a material particular for the purpose of having the personal data corrected as indicated in the request, commits an offence and is liable on conviction to a fine up to HK $10,000 and to imprisonment for up to 6 months;
  • any data user that contravenes an Enforcement Notice commits an offence and is liable: (a) on a first conviction, to a fine of up to HK $50,000 and to imprisonment for up to 2 years and, if the offence continues after the conviction, to a daily penalty of up to HK $1,000; (b) on a second or subsequent conviction, to a fine of up to HK $100,000 and to imprisonment for up to 2 years and, if the offence continues after the conviction, to a daily penalty of up to HK $2,000;
  • a data user who, having complied with an Enforcement Notice, intentionally does the same act or makes the same omission in contravention of the requirement under the PDPO, as specified in the Enforcement Notice, commits an offence and is liable on conviction to a fine of up to HK $50,000 and to imprisonment for up to 2 years and, if the offence continues after the conviction, to a daily penalty of up to HK $1,000;
  • if a person: (a) without lawful excuse, obstructs, hinders or resists the Privacy Commissioner or a prescribed officer in performing the functions or exercising the powers of the Privacy Commissioner or the officer; (b) without lawful excuse, fails to comply with any lawful requirement of the Privacy Commissioner or a prescribed officer; or (c) in the course of the performance or exercise by the Privacy Commissioner or a prescribed officer of functions or powers: (i) makes to the Privacy Commissioner or the officer a statement which the person knows to be false or does not believe to be true; or (ii) otherwise knowingly misleads the Privacy Commissioner or the officer, the person commits an offence and is liable on conviction to a fine up to HK $10,000 and to imprisonment for up to 6 months;
  • if a person (1) discloses any personal data of a data subject which was obtained from a data user without the data user’s consent, with an intent: (a) to obtain gain in money or other property, whether for the benefit of the person or another person; or (b) to cause loss in money or other property to the data subject; or (2) (a) discloses any personal data of a data subject which was obtained from a data user without the data user’s consent; and (b) the disclosure causes psychological harm to the data subject, the person commits an offence and is liable on conviction to a fine of up to HK $1,000,000 and to imprisonment for up to 5 years.

A data user who fails to comply with Section 33 (not yet in force) without reasonable excuse will commit an offence under Section 64A of the PDPO which carries a fine of up to HK $10,000.

The PDPO also imposes strict provisions in relation to the use of personal data in direct marketing, and a data user commits an offence if it fails:

  • to take certain actions before using personal data in direct marketing (liable on conviction to a fine of up to HK $500,000 and to imprisonment for up to 3 years);
  • to obtain the data subject’s consent to use personal data in direct marketing (liable on conviction to a fine of up to HK $500,000 and to imprisonment for up to 3 years);
  • to notify the data subject when using personal data in direct marketing for the first time (liable on conviction to a fine of up to HK $500,000 and to imprisonment for up to 3 years);
  • to cease to use the personal data for direct marketing upon a data subject’s request (liable on conviction to a fine of up to HK $500,000 and to imprisonment for up to 3 years);
  • to take certain actions before providing a data subject’s personal data to another party for use by that other person in direct marketing (liable on conviction to a fine of up to HK $1,000,000 and to imprisonment for up to 5 years if for gain, and otherwise to a fine of up to HK $500,000 and to imprisonment for up to 3 years);
  • to obtain the data subject’s consent to provide personal data to another party for use in direct marketing (liable on conviction to a fine of up to HK $1,000,000 and to imprisonment for up to 5 years if for gain, and otherwise to a fine of up to HK $500,000 and to imprisonment for up to 3 years);
  • to cease to provide personal data to another party for use in direct marketing upon a data subject’s request (liable on conviction to a fine of up to HK $1,000,000 and to imprisonment for up to 5 years if for gain, and otherwise to a fine of up to HK $500,000 and to imprisonment for up to 3 years).

Data subjects may also sue data users in breach of the PDPO directly for damage suffered, including injury to feelings.

How is electronic marketing regulated?

In addition to the PDPO, unsolicited electronic messages are regulated under the Unsolicited Electronic Messages Ordinance (Chapter 593 of the Laws of Hong Kong) (“UEMO”).

Note: The UEMO prohibits the sending of “commercial electronic messages” (CEM) except in certain circumstances.  Under the UEMO, a CEM is defined as an electronic message, the purpose or one of the purposes of which is (in the course of or in the furtherance of any business):

  • to offer to supply goods, services, facilities, land, or an interest in land;
  • to offer to provide a business opportunity or an investment opportunity;
  • to advertise or promote goods, services, facilities, land or an interest in land;
  • to advertise or promote a business opportunity or an investment opportunity;
  • to advertise or promote a supplier, or a prospective supplier, of goods, services, facilities, land or an interest in land; or
  • to advertise or promote a provider, or a prospective provider, of a business opportunity or an investment opportunity.

Under the UEMO, CEMs must not:

  • be sent unless the CEM includes accurate sender information;
  • be sent unless the CEM contains an unsubscribe facility;
  • be sent after an unsubscribe request is sent;
  • be sent to an electronic address listed in the do-not-call register;
  • use misleading subject headings; or
  • be sent with calling line identification information concealed.
     
Are there any recent developments or expected reforms?

The Privacy Commissioner issued a Guidance Note in 2014 in relation to cross-border transfers of personal data, indicating another step towards bringing Section 33 of the PDPO into force. In January 2020, a consultation paper was issued to discuss proposed amendments to the PDPO.
