Howse Williams

 

What law(s) specifically govern personal data / information?

Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”).

 

What are the key data protection principles in this jurisdiction?

Under s.4(1) of the PDPO, a data user shall not do an act or engage in a practice that contravenes any data protection principle (each, a "DPP"), unless such act or practice is otherwise permitted under the PDPO.

There are six DPPs under the PDPO.

DPP 1: Purpose and manner of collection of personal data

Personal data must be collected in a lawful and fair way, for a purpose directly related to a function / activity of the data user.

All practical steps shall be taken to notify the data subjects of the purpose of data collection, and the classes of persons to whom the data may be transferred.

Data collected should be necessary but not excessive.

DPP 2: Accuracy and duration of retention of personal data

Practicable steps shall be taken to ensure that personal data is accurate and not kept longer than is necessary for the fulfilment of the purpose for which it is used.

DPP 3: Use of personal data

Personal data must only be used for the purpose for which it was collected or for a directly related purpose, unless voluntary and explicit consent is obtained from the data subject.

DPP 4: Security of personal data

A data user needs to take practicable steps to safeguard personal data from unauthorised or accidental access, processing, erasure, loss or use.

DPP 5: Information to be generally available

A data user must take practicable steps to make personal data policies and practices known to the public regarding the types of personal data it holds and how the data is used.

DPP 6: Access to personal data

A data subject must be given access to their personal data and must be able to have it corrected where the data is inaccurate.

 

What is the supervisory authority / regulator in charge of data protection?

The Office of the Privacy Commissioner for Personal Data ("PCPD") is the main body responsible for overseeing the enforcement of the PDPO in Hong Kong and is headed by the Privacy Commissioner for Personal Data ("Commissioner").

 

Is there a requirement to register with a supervisory authority / regulator?

At present, there is no need for data users (i.e. organisations that control the collection and use of personal data) to register with the PCPD.

Pursuant to Part 4 (data user returns and register of data users) of the PDPO, the Commissioner is empowered to specify classes of data users and require them to submit data user returns (such as descriptions of the kinds of personal data held by the data user concerned and the purposes for which they are used). The Commissioner uses the returns to maintain a register of data users containing particulars of the prescribed information supplied by the data users. The Commissioner has the discretion to determine the scope and timing of the introduction of the Data User Returns Scheme (“DURS”).

The PCPD issued a consultation document in July 2011 which sets out the operational framework and implementation plan of the DURS.

However, the PCPD put the DURS on hold during the reform of the European Union’s data protection system, on which the Hong Kong system is modelled. There is no indication as to its implementation as of the date of this writing.

 

Is there a requirement to notify the supervisory authority / regulator?

There is no requirement to notify the PCPD before collecting and processing personal data.

In the event of a data breach, data users are encouraged to notify the PCPD and the affected data subjects, as well as other law enforcement agencies and relevant regulators.

 

Is it possible to register with / notify the supervisory authority / regulator online?

Yes. The PCPD may be contacted by email or their online forms (e.g. data breach notification).

 

What are the key data subject rights under the data protection laws of this jurisdiction?

Under the PDPO, data subjects have the express rights to:

  • request access to and receive a copy of their personal data;
  • request correction of their personal data;
  • require a data user to cease using their personal data for direct marketing purposes (regardless of whether the data subject had previously provided their consent to the data user);
  • require a data user to cease providing their personal data to any other person for use by that transferee in direct marketing, and to notify such transferee to cease using the transferred data in direct marketing (regardless of whether the data subject had previously provided their consent); and
  • seek compensation from a data user for damage (including injury to feelings) suffered as a result of the data user’s breach of the PDPO, which relates to the personal data of the data subject (in whole or in part).

 

Is there a requirement to appoint a data protection officer (or equivalent)?

The PDPO does not impose a requirement to appoint a data protection officer (or equivalent).

In practice, data users in their personal information collection statements usually identify a person. The person may be described as a data protection officer as a matter of convention (albeit that it is not a legal requirement).

 

Do data protection/ privacy impact assessments need to be carried out in certain circumstances?

Privacy impact assessments ("PIAs") are not expressly provided for under the PDPO.

In its information leaflet "Privacy Impact Assessments (PIA)", the PCPD encourages the adoption of PIAs as a privacy compliance tool before the launch of any new business initiative or project that might have a significant impact on personal data privacy.

 

Does this jurisdiction have any specific data breach notification requirements?

There is no statutory requirement on a data user to inform the PCPD of a data breach incident. However, data users are advised to do so "as a recommended practice for proper handling of such incident" as provided in the PCPD's website. The PCPD’s "Guidance on Data Breach Handling and Data Breach Notifications" ("Guidance") also recommends notifications to law enforcement agencies (other than the PCPD) and any relevant regulator.

The Guidance does not have the force of law, so non-compliance with the Guidance in itself would not be a contravention of the PDPO.

 

What restrictions apply to the international transfer of personal data / information?

S.33 of the PDPO contains restrictions on cross-border data transfers. The PCPD has expressly stated in its guidance that the section will apply to the act of storing personal data outside Hong Kong.

S.33 is not currently in force and no timetable has been set for its implementation as of the date of this writing. Accordingly, Hong Kong does not currently have any restrictions on cross-border data transfers.

Nevertheless, the PCPD’s “Guidance on Recommended Model Contractual Clauses for Cross-border Transfer of Personal Data” provides non-binding practical guidance that complies with s.33.

 

Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?

The territorial jurisdiction of the PDPO only extends to a data user who has operations controlled in, or from, Hong Kong.

Under the anti-doxxing provisions of the PDPO introduced in 2021, the PCPD may serve a cessation notice on a non-Hong Kong service provider in relation to electronic messages, such as the operator of an overseas social media platform, directing it to take cessation actions pursuant to s.66M(2) of the PDPO.

 

What rules specifically deal with marketing?

Direct marketing is regulated under Part 6A of the PDPO to the extent that it involves the use of personal data.

The transmission of unsolicited electronic messages (i.e. spamming) is regulated under the Unsolicited Electronic Messages Ordinance (Cap 593) ("UEMO"), enforced by the Office of the Communications Authority ("CA"). The UEMO provides the regulatory framework in Hong Kong for the sending of unsolicited electronic messages that have a commercial purpose, including email messages, SMS, fax messages, and pre-recorded voice messages. The UEMO applies regardless of whether or not personal data has been used by the sender, whereas the direct marketing provisions under the PDPO will only apply where personal data is involved.

 

Do different rules apply to business-to-business and business-to-consumer marketing?

The PCPD looks at various factors in cases of direct marketing to a corporation’s owner or staff to decide whether the direct marketing provisions under Part 6A of the PDPO should be enforced.

The PCPD's "Guidance on Direct Marketing" provides that in cases where it is clear that (1) the personal data is collected in the individual’s official capacity; (2) the marketing subjects are exclusively for business use and not for personal use; and (3) the marketing effort is targeted at the individual in their official capacity and not their individual and personal capacity, the requirements for the use or transfer of personal data in direct marketing under Part 6A of the PDPO would not be enforced. In other cases, the provisions in Part 6A should be complied with.

 

What rules specifically deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc)?

There are no specific provisions regulating electronic marketing under the PDPO. However, it could fall within the direct marketing provisions of the PDPO, given that 'direct marketing means' include:

  • sending information or goods, addressed to a specific person by name, by mail, fax, electronic mail or other means of communication; or
  • making telephone calls to specific persons.

"Direct marketing" under the PDPO does not include unsolicited business electronic messages sent to telephones, fax machines or email addresses without being addressed to specific persons by name, nor person-to-person calls made to randomly generated phone numbers. Unsolicited electronic messages are regulated under the UEMO by the CA.

Under the UEMO, the CA may establish and keep registers of electronic addresses which are known as 'do-not-call registers'. Individuals who do not wish to receive unsolicited commercial electronic messages can register their fax or telephone numbers on a do-not-call register. There are currently three do-not-call registers in Hong Kong for:

  • SMSs and other short messages including multimedia messages and short messages conveyed via online messaging platforms;
  • faxes; and
  • pre-recorded telephone messages.

 

What rules specifically deal with cookies?

The use of cookies can amount to the processing of personal data and is therefore regulated by the PDPO.

If cookies are used to collect behavioural information and it is reasonably practicable to ascertain the identity of the individual directly or indirectly from the information collected, such information would most likely be regarded as "personal data" and regulated under the PDPO.

 

What are the consequences of non-compliance with data protection laws (including marketing laws)?

When the Commissioner receives a complaint or has reasonable grounds to believe there may be a contravention of the PDPO, the Commissioner may investigate the suspected contravention and publish a report setting out the investigation results and recommendations if it is in the public interest to do so. If, upon completion of an investigation, it is found that the relevant data user is contravening or has contravened the PDPO, the Commissioner may issue an enforcement notice to the data user directing remedial and/or preventive steps to be taken.

Contravention of a DPP is not in itself an offence. However, contravention of certain provisions of the PDPO is an offence.

The Commissioner may carry out criminal investigations and institute prosecutions for offences under s.64 (offences for disclosing personal data without consent) of the PDPO as well as certain related offences. Depending on the severity of the case, the Commissioner will decide whether to exercise the prosecution power in their own name, or refer cases involving the suspected commission of other offences to the Police or the Department of Justice for follow-up.

Amongst the criminal offences under the PDPO, the maximum financial penalty ranges from HK$10,000 to HK$1,000,000 and the maximum term of imprisonment ranges from 6 months to 5 years. A daily penalty or daily fine could also be imposed for some offences.

Data subjects may also seek compensation by civil action from data users for damage caused by a contravention of the PDPO. The Commissioner may provide legal assistance to the aggrieved data subjects if the Commissioner thinks fit to do so.

 

In broad terms, multinational organisations should be aware of what key factors if they process personal data / information from individuals within this jurisdiction, without being located there?

The territorial jurisdiction of the PDPO only extends to a data user who has operations controlled in, or from, Hong Kong.

 

What upcoming data protection developments should multinational organisations be aware of?

The PCPD is working closely with the Hong Kong SAR Government to comprehensively review the PDPO and to formulate concrete proposals for legislative amendments. The proposed amendments include, but are not limited to:

  • establishing a mandatory data breach notification mechanism;
  • requiring data users to formulate personal data retention period policies;
  • strengthening sanctions and empowering the Commissioner to impose administrative fines;
  • introducing direct regulation of data processors; and
  • clarifying the definition of personal data.

 

Chris Howse
Howse Williams
Hong Kong


David Coogans
Howse Williams
Hong Kong


Brian Ho
Howse Williams
Hong Kong


Chris Williams
Howse Williams
Hong Kong