1 Legal and enforcement framework

1.1 Which legislative and regulatory provisions govern data privacy in your jurisdiction?

The primary data privacy regulation in Hong Kong is the Personal Data (Privacy) Ordinance (Cap 486) (PDPO). The PDPO was passed in 1995 and took effect on 20 December 1996; it is thus one of Asia's longest-standing data protection laws. The Office of the Privacy Commissioner for Personal Data (PCPD) is the Hong Kong statutory body that enforces the PDPO.

The PDPO has been amended twice:

  • on 1 October 2012 (the Personal Data (Privacy) (Amendment) Ordinance 2012); and
  • on 8 October 2021 (the Personal Data (Privacy) (Amendment) Ordinance 2021 ('2021 amendment')).

The 2012 amendment imposed new obligations and penalties for non-compliant transfers of data for direct marketing purposes. The 2021 amendment introduced the criminal offence of 'doxxing': the disclosure of personal data without consent.

1.2 Do any special regimes apply in specific sectors (eg, banking, insurance, telecommunications, healthcare, advertising) or to specific data types (eg, biometric data)?

Various industries in Hong Kong are subject to sector-specific data protection regulations, such as banking, financial services, insurance and telecommunications.

The Hong Kong Securities and Futures Commission (SFC) has rules providing for data protection that comport with the PDPO. The SFC requires SFC-licensed corporations and individuals to comply with data protection rules and acts as an industry regulator to push for such compliance. However, the PCPD is the primary PDPO regulator.

In practice, the SFC collaborates with the Hong Kong Monetary Authority (HKMA) when taking disciplinary action in relation to data breaches. The HKMA will typically refer matters for further investigation to:

Regarding specific data types, stricter statutory requirements exist in relation to personal data used for direct marketing arising from the 2012 amendment. The PCPD has numerous non-legally binding guidelines indicating that certain types of personal data are deemed sensitive and should be handled with extra caution – for example, identity card numbers and biometric data. While compliance with such non-binding guidelines is not mandatory, the PCPD and Hong Kong courts may consider such non-compliance in determining whether there has been a violation of the PDPO.

1.3 Do any bilateral and multilateral instruments on data privacy have effect in your jurisdiction?

Other than the extraterritorially applicable data privacy regulations of the other jurisdictions that may apply to organisations in Hong Kong, we are unaware of bilateral or multilateral data privacy instruments to which Hong Kong is a party in this respect. The EU General Data Protection Regulation (GDPR) applies to organisations in Hong Kong that offer goods or services to individuals in the European Union or that monitor their behaviour. Additionally, China's new Personal Information Protection Law, effective as of 1 November 2021, is also extraterritorial and – like the GDPR – applies to organisations in Hong Kong that offer goods or services to individuals in China, or that monitor their behaviour.

1.4 Which bodies are responsible for enforcing the data privacy legislation in your jurisdiction? What powers do they have?

The PCPD enforces the PDPO in Hong Kong.

Section 38 of the PDPO empowers the PCPD to investigate data users when it receives a complaint or has reasonable grounds to believe that an act or practice has contravened the PDPO. The PCPD can also publish reports setting out investigation results and recommendations if it is in the public interest to do so.

Section 36 of the PDPO empowers the PCPD to inspect any personal data system used by a data user to obtain information to assist the PCPD in making recommendations for PDPO compliance.

Under Section 41 of the PDPO, the PCPD must generally provide prior written notice to a data user of its intention to carry out an inspection or investigation, unless it has reasonable grounds to believe that such notice may prejudice the investigation.

Additionally, the 2021 amendment empowers the PCPD to conduct criminal investigations directly, but only in relation to doxxing. The PCPD can serve cessation notices to demand cessation or restriction of doxxing content.

If an investigation confirms that a data user has contravened the PDPO, the PCPD may serve an enforcement notice on the data user and direct it to take necessary steps to remedy the infringement or instigate a prosecution action. Failure to comply with the PCPD's remediation directions or the requirements of the PDPO constitutes a criminal offence per Sections 50A and 50B of the PDPO. Flouting an enforcement notice can result in fines of between HK$50,000 and HK$100,000 and imprisonment for up to two years, plus daily penalties for non-compliance.

1.5 What role do industry standards or best practices play in terms of compliance and regulatory enforcement?

The PCPD has issued various codes of practice and guidance in relation to the requirements of the PDPO. While not legally binding, a breach of these codes and guidelines by a data user may give rise to a presumption against the user in any legal proceedings under the PDPO, unless evidence exists that the data user otherwise complied with the PDPO while contravening the code of practice. The PCPD has also published several guidance notes, which are referred to as 'good practice recommendations'. As the PDPO is rather broad, most non-generalised compliance practices are on a good-faith, good-practices basis.

2 Scope of application

2.1 Which entities are captured by the data privacy regime in your jurisdiction?

All individuals, legal persons and other entities within Hong Kong.

2.2 What exemptions from the data privacy regime, if any, are available in your jurisdiction?

The Personal Data (Privacy) Ordinance (PDPO) grants certain exemptions – generally in the public interest or in certain other specific circumstances, including:

  • crime prevention or prosecution;
  • statistics and research;
  • legal professional privilege;
  • due diligence exercises in connection with proposed business transactions; and
  • the protection of the physical and mental health of a data subject.

An exemption also exists if the use of personal data:

  • is required or authorised by law;
  • is required or authorised by court order; or
  • is required to exercise or defend legal rights in Hong Kong.

Such exemptions may be defences or mitigations for data users that fail to comply with PDPO compliance obligations.

Examples of exemptions provided by the PDPO include the following:

  • A Hong Kong law or court order requires or authorises the data use (Part 8, Section 60(B) of the PDPO);
  • The data use is required in connection with legal proceedings in Hong Kong or to exercise or defend legal rights in Hong Kong (Part 8, Section 60(B) of the PDPO);
  • The data is collected for the purpose of due diligence in connection with a proposed share sale, asset sale or merger (Part 8, Section 63(B) of the PDPO);
  • The data is collected or used in emergencies or life-threatening situations (this also results in an exemption from the PDPO provisions on notice) (Part 8, Section 63(C) of the PDPO); or
  • The data is collected for the purpose of preparing statistics or carrying out research (provided that the organisation does not publish identifying information of any data subject) (Part 8, Section 62 of the PDPO).

2.3 Does the data privacy regime have extra-territorial application?

The PDPO does not apply extraterritorially. Although Section 33 of the PDPO contains language that would restrict cross-border transfers, it has never been ratified. The PDPO generally applies only to the acts of data users within Hong Kong. However, the 2021 amendment related to doxxing (see question 1) has an as-yet untested extraterritorial effect, to the extent that it allows the Office of the Privacy Commissioner for Personal Data to issue notices demanding overseas entities to remove doxxing content or, in extreme cases, to restrict access to users from Hong Kong.

3 Definitions

3.1 How are the following terms (or equivalents) defined in your jurisdiction? (a) Data processing; (b) Data processor; (c) Data controller; (d) Data subject; (e) Personal data; (f) Sensitive personal data; and (g) Consent.

(a) Data processing

There is no statutory definition of 'data processing'. The term is defined literally and refers to the processing or handling of data.

(b) Data processor

Natural or legal persons that process personal data on behalf of data users and not for their own purposes pursuant to Schedule 1, Principle 2(4) of the Personal Data (Privacy) Ordinance (PDPO).

(c) Data controller

There is no statutory definition of 'data controller'. Its equivalent term under the PDPO is 'data user' which, in relation to personal data, means a person that, either alone, jointly or in common with other persons, controls the collection, holding, processing or use of data under Section 2 of the PDPO.

(d) Data subject

In relation to personal data, a 'data subject' is the individual who is the subject of the data under Section 2 of the PDPO.

(e) Personal data

Any data:

  • relating directly or indirectly to a living individual;
  • from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and
  • in a form in which access to or processing of the data is practicable under Section 2 of the PDPO.

(f) Sensitive personal data

There is no statutory definition of 'sensitive personal data' (non-binding guidelines further detailed in question 5.3 below advocate that identity card numbers and biometric data be considered 'sensitive').

(g) Consent

Consent must be express and voluntary. The definition excludes any consent that has been withdrawn by written notice to the person to whom the consent was given, but includes acts done pursuant to the consent before the consent was revoked per Section 2 of the PDPO.

3.2 What other key terms are relevant in the data privacy context in your jurisdiction?

The main focus of the 2021 amendment to the PDPO is 'doxxing', defined in the PDPO as the disclosure of personal data of another person without consent, done recklessly or with intent to cause specified harm to the person or their family members. The scope and definition of 'specified harm' includes:

  • harassment;
  • molestation;
  • pestering;
  • threat;
  • intimidation;
  • bodily or psychological harm; and
  • damage to property.

4 Registration

4.1 Is registration of data controllers and processors mandatory in your jurisdiction? What are the consequences of failure to register?

No. Furthermore, data processors are not considered data users and are therefore not regulated by the Personal Data (Privacy) Ordinance.

4.2 What is the process for registration?

Not applicable.

4.3 Is registered information publicly accessible?

Not applicable.

5 Data processing

5.1 What lawful bases for processing personal data are recognised in your jurisdiction? Do these vary depending on the type of data being processed?

Six Data Protection Principles (DPPs) widely regulate all aspects of the processing of personal data. DPP3, concerning the use of data, prohibits the use of personal data for "any new purpose which is not or is unrelated to the original purpose when collecting the data, unless with the data subject's express and voluntary consent".

Furthermore, Part 6A of the Personal Data (Privacy) Ordinance (PDPO) requires data users to obtain informed consent for the use of personal data for direct marketing or transferring data for direct marketing. Silence does not constitute consent; therefore, consent cannot be tacit under the PDPO. The use of personal data in direct marketing without the consent of the data subject is a criminal offence that may result in a fine of up to HK$500,000 and up to three years' imprisonment.

Aside from the more stringent requirements for data used for direct marketing purposes, processing data under the PDPO is consent based and covers consent from both data users and data subjects. The statutory requirements do not vary depending on the type of data processed.

5.2 What key principles apply (eg, notice) when processing personal data in your jurisdiction? Do these vary depending on the type of data being processed? Or on whether it is outsourced?

Data users must comply with the six DPPs when processing data. These do not vary depending on the type of data processed and apply broadly to all data that falls within the ambit of 'personal data' as defined in question 3.1(e). The DPPs also do not apply to outsourced data processing, as data processors are not regulated by the PDPO, except in the case of the transfer of data for direct marketing purposes as described in question 5.1. Data users must use contractual or other means to ensure that outsourced data processors comply with the PDPO.

5.3 What other requirements, restrictions and best practices should be considered when processing personal data in your jurisdiction?

As highlighted in question 1.5, the Office of the Privacy Commissioner for Personal Data (PCPD) has issued several codes of practice and guidance notes that serve as best practices guidelines for all data users, but these are not legally binding. Codes of practice and guidelines pertaining to best practices for the collection and processing of Hong Kong identity card numbers, personal identifiers and biometric data include:

In accordance with the DPPs, the PCPD suggests that biometric data and other more personal data only be collected where necessary.

6 Data transfers

6.1 What requirements and restrictions apply to the transfer of data to third parties?

Third parties are not directly regulated under the Personal Data (Privacy) Ordinance (PDPO). Data users that engage third parties are directly liable for any breaches of the PDPO requirements. However, data users must use contractual or other means to ensure that third parties comply with the PDPO.

As to data used in direct marketing, a data user that transfers such data to a third party in return for consideration and without consent commits a criminal offence and may be liable for fines of up to HK$1 million and up to five years' imprisonment.

Notably, the banking and insurance sectors set out stricter requirements for the engagement of third-party data processors, including obligations to ensure that:

  • any outsourced data processor has appropriate controls to protect personal data; and
  • data subjects are notified of such outsourcing and transfer.

6.2 What requirements and restrictions apply to the transfer of data abroad? Do these vary depending on the destination?

There are no requirements and restrictions in force. Further to question 2.3, to date, Section 33 has not been ratified. Instead, the six Data Protection Principles (DPPs) apply in a general sense when transferring data abroad, such as DPP3, which provides that the purpose of the transfer must be the same purpose for which the data was collected.

6.3 What other requirements, restrictions and best practices should be considered when transferring personal data, both within your jurisdiction and abroad?

The Office of the Privacy Commissioner for Personal Data has issued a non-binding guideline on Outsourcing the Processing of Personal Data to Data Processors. Data users are advised to take steps to:

  • notify the data subject if there is any potential unauthorised disclosure, use or loss of personal data;
  • give the data user rights of audit and inspection regarding how the third party handles and stores personal data;
  • prohibit the third party from:
    • further transferring the personal data to other parties unless the data subjects' consent is obtained; or
    • using the personal data for undisclosed purposes;
  • set out security measures that the third party must deploy and have a mechanism to ensure compliance with those measures;
  • require the third party to return or destroy the personal data when it is no longer needed; and
  • specify the consequences in case of non-compliance.

7 Rights of data subjects

7.1 What rights do data subjects enjoy with regard to the processing of their personal data? Do any exemptions apply?

Data Protection Principle (DPP) 1 provides that data users must inform data subjects of the following information before or at the time of collecting personal data:

  • whether it is mandatory to provide personal data and the results of failure to provide such data, which may be implied or expressly specified;
  • the purposes of collecting and using the personal data, which must be expressly specified; and
  • the class of persons to which the personal data may be transferred, which must be expressly specified.

Further, data users must:

  • specify the rights of data subjects to access or correct their personal data; and
  • provide the contact information of the data user for these purposes.

The Personal Data (Privacy) Ordinance (PDPO) exempts data users from the notice requirement if it would prejudice the purpose of data collection or in specified cases where the PDPO provides an exemption as to the access rights of the data subjects. These exemptions include:

  • investigations by law enforcement;
  • issues of national security;
  • investigations in relation to employment issues such as misconduct and eligibility to certain entitlements; and
  • where data users obtain unsolicited personal data.

The rights of data subjects to request access to their personal data supplied and the correction of the same are also embodied in DPP6 of the PDPO.

7.2 How can data subjects seek to exercise their rights in your jurisdiction?

Pursuant to Section 20(3)(e) of the PDPO, data subjects must make requests to access or correct their personal data supplied by using the Data Access Request Form provided by the Office of the Privacy Commissioner for Personal Data (PCPD).

Section 19 of the PDPO further provides that once the form is submitted, the data user must process such requests within 40 days of receipt. If the data user fails to do so, it must inform the data subject and respond to the request at its earliest convenience. Data users may charge data subjects a reasonable fee for handling such requests.

The PDPO does not entitle data subjects to delete the personal data they supply to data users. However, data users must take all practical steps to erase personal data when it no longer serves the initial purpose of collection and use, unless it is in the public interest not to delete the data or where the law requires otherwise, as in Section 26(1) of the PDPO.

7.3 What remedies are available to data subjects in case of breach of their rights?

Data subjects may complain to the PCPD in case of a breach of their rights. Upon receiving a complaint and establishing a prima facie case, the PCPD will then investigate the matter. Under Section 50 of the PDPO, if the PCPD identifies a contravention of the PDPO, it may then issue an enforcement notice against the data user, which will require the data user to take steps to remedy the situation and institute measures and precautions to prevent the breach from reoccurring. Certain breaches may subject the data user to criminal fines and/or imprisonment, such as those explained in questions 1.4, 5.1 and 6.1.

Data subjects also have a right to institute court proceedings to seek damages in respect of breaches to personal data and privacy, including damages for injury to feelings. In this regard, the PCPD may assist data subjects by giving legal advice or arranging for legal representation if a significant question of principle is involved.

8 Compliance

8.1 Is the appointment of a data protection officer mandatory in your jurisdiction? If so, what are the consequences of failure to do so?

There is no statutory requirement for a data user to appoint a data protection officer. However, Data Protection Principle (DPP) 1 requires a data user to explicitly inform a data subject of the name and address of the person to whom data access requests should be submitted; although this person need not formally be a data protection officer.

According to Privacy Management Programme – A Best Practice Guide, issued in February 2014 and revised in March 2019, which is not legally binding, the Office of the Privacy Commissioner for Personal Data (PCPD) encourages organisations to appoint a designated person to "oversee the organisation's compliance with the Personal Data (Privacy) Ordinance".

8.2 What qualifications or other criteria must the data protection officer meet?

There are no regulatory qualifications or criteria set out for a data protection officer.

Privacy Management Programme – A Best Practice Guide suggests that the role of a data protection officer:

  • may or may not be full time;
  • could be filled by a senior executive or manager of an organisation; and
  • in certain circumstances, could be supported by other dedicated staff.

8.3 What are the key responsibilities of the data protection officer?

As mentioned in question 8.1, the only statutory duty of a person in a similar position is to accept and handle data access requests.

Privacy Management Programme – A Best Practice Guide suggests that the data protection officer is responsible for:

  • designing, establishing and implementing a "privacy management programme", which may include training, monitoring/auditing, documenting, evaluation and ongoing assessment and revision of the programme;
  • representing the organisation in the event of any enquiries, inspection or investigation by the PCPD; and
  • advocating for personal data protection within the organisation.

8.4 Can the role of the data protection officer be outsourced in your jurisdiction? If so, what requirements, restrictions and best practices should be considered in this regard?

There are no such requirements or restrictions as to the appointment of a data protection officer; however, Privacy Management Programme – A Best Practice Guide generally suggests the appointment of a member of management or an executive to assume the responsibilities of a data protection officer.

8.5 What record-keeping and documentation requirements apply in the data privacy context?

There are no requirements on record keeping and documentation. However, Privacy Management Programme – A Best Practice Guide suggests that the data protection officer:

  • maintain a record of the organisation's personal data inventory; and
  • initiate and monitor an "annual personal data inventory review exercise" to ensure that all personal data is properly recorded.

The guide also encourages the inventorying of personal data, which should include:

  • the means of collecting personal data;
  • the kinds of personal data collected;
  • storage locations;
  • the duration of retention;
  • the methods of using personal data; and
  • data security measures.

There are no requirements or criteria for this inventory, and it is suggested that it can vary on a case-by-case basis. Organisations may consider the need for different inventories for different departments.

8.6 What other requirements, restrictions and best practices should be considered from a compliance perspective in the data privacy context?

As the PDPO's requirements (other than those relating to direct marketing) apply in a general manner in accordance with the DPPs, nearly all specific compliance-related activities regarding data privacy in Hong Kong are handled in a good-faith, good-practice context.

Privacy Management Programme – A Best Practice Guide sets out further suggestions, such as:

  • creating and enforcing internal policies on personal data handling;
  • training and notifying employees about personal data policies; and
  • providing general personal data privacy protection training and education to all employees.

The PCPD also strongly advocates for regular assessments and reviews of any policies and the entire privacy management programme.

9 Data security and data breaches

9.1 What obligations apply to data controllers and processors to preserve the security of personal data?

The Data Protection Principles (DPPs) outline data users' and processors' main obligations throughout the collection, use and handling of personal data. DPP4 on data security provides that data users "must take all practicable steps" to protect personal data against unauthorised or accidental access, processing, erasure, loss or use. Data users should consider:

  • the nature of the data;
  • potential harm if a data incident occurs; and
  • measures taken to ensure the "integrity, prudence and competence" of persons that have access to the data, such as external or third-party data processors.

As data processors are not directly regulated by the Personal Data (Privacy) Ordinance, data users are encouraged to contractually ensure that data processors adhere to and comply with the requirements under DPP4.

9.2 Must data breaches be notified to the regulator? If so, what information must be provided and what is the process for doing so? If not, under what circumstances is voluntary notification of a data breach expected?

There is no statutory requirement for reporting data breaches to the Office of the Privacy Commissioner for Personal Data (PCPD); however, this is encouraged by the PCPD as good practice in the Guidance on Data Breach Handling and the Giving of Breach Notifications (which is not legally binding).

9.3 Must data breaches be notified to the affected data subjects? If so, what information must be provided and what is the process for doing so? If not, under what circumstances is voluntary notification of a data breach expected?

There is no statutory requirement to report data breaches to any affected data subjects. Notably, data users can submit a Data Breach Notification Form to the PCPD directly to report a data breach, which can operate as a complaint against the organisation and prompt the PCPD to conduct an enquiry or investigation of the incident.

9.4 What other requirements, restrictions and best practices should be considered in the event of a data breach?

The PCPD suggests that organisations conduct proper investigations into data breaches to pinpoint insufficiencies or inadequacies in the process of handling personal data or security measures deployed. Reviews should be conducted, and may include:

  • improvements to data security;
  • control of access rights granted to individuals with access to personal data;
  • adequacy of any IT security measures;
  • revision or promulgation of privacy policies;
  • on-the-job privacy and protection awareness training;
  • the appointment process for data processors; and
  • regular reviews of contractual terms to ensure compliance and potentially enforce obligations to report any data breaches.

10 Employment issues

10.1 What requirements and restrictions apply to the personal data of employees in your jurisdiction?

The Office of the Privacy Commissioner for Personal Data (PCPD) issued a Code of Practice on Human Resource Management in April 2016, which applies to all data users that handle personal data of prospective, current or former employees. The provisions of the code are mandatory, but not statutory. Consequently, non-compliance may give rise to presumptions against the employer or contracted third parties in any proceedings involving an alleged breach of the Personal Data (Privacy) Ordinance (PDPO) and will also weigh against the party under investigation by the PCPD.

Employers must provide employees with a personal information collection statement pertaining specifically to their employment. Further, employers are not allowed to disclose employment-related data to third parties without the express and voluntary consent of the employee, unless:

  • the disclosure is for purposes directly related to employment; or
  • the disclosure is required by law or statutory authorities.

There are specific retention periods:

  • no longer than two years for job applicant recruitment-related data from the date of rejection; and
  • no longer than seven years for employment-related data from the date employment ceases.

These retention periods can be exempted if:

  • express consent has been received;
  • there is a reason that requires the employer to retain such data (eg, contractual or legal obligations); or
  • retention is directly required to manage the relationship between the employer and a former employee.

Employees should also be regularly informed of personal data retention policies.

Additionally, ordinances other than the PDPO may impose obligations upon employers in relation to certain types of data, such as the Immigration Ordinance (Cap 115), which requires employers to record the type of identity documentation and corresponding identity number held by an employee in relation to employability. An employer must also disclose such information when requested by a labour inspector.

10.2 Is the surveillance of employees allowed in your jurisdiction? What requirements and restrictions apply in this regard?

There are no specific statutory requirements or restrictions on employee monitoring and surveillance; instead, the PDPO applies generally. The PCPD issued the Privacy Guidelines: Monitoring and Personal Data Privacy at Work in December 2004, which set out practical guidance for employers in assessing whether employee monitoring is appropriate and how to ensure that monitoring is compliant with the PDPO. The guidelines are not legally binding and employers retain the right to decide whether to adopt them.

The Code of Practice on Human Resource Management, which is legally binding, stipulates that:

  • employers should not collect information about employees which is excessive in relation to the purpose for which it is collected; and
  • in collecting information, employers must ensure that the means are fair.

The code suggests that electronic surveillance of employees at work, such as biometric surveillance, may be unfair if there are less intrusive means of accomplishing the objective. It is encouraged, as good practice, to notify employees in writing of specific techniques used to monitor their performance.

10.3 What other requirements, restrictions and best practices should be considered from an employment perspective in the data privacy context?

Employers are generally encouraged to ensure that employees are well informed of all personal data policies. The Code of Practice on Human Resource Management sets out mandatory provisions in relation to recruitment, current employees and former employees. Furthermore, the PCPD suggests (as good practice) that employers ensure that all notification requirements regarding the collection of employment-related personal data are complied with by incorporating them into the personal information collection statement, which should be attached to or integrated into standard employment forms, such as job application forms.

11 Online issues

11.1 What requirements and restrictions apply to the use of cookies in your jurisdiction?

There are no specific statutory requirements and restrictions that apply specifically to the use of cookies; instead, the Personal Data (Privacy) Ordinance (PDPO) applies generally. Whether cookies constitute personal data depends on whether the cookies contain data that relates to a living individual and can identify the living individual.

It is suggested in the Guidance for Data Users on the Collection and Use of Personal Data through the Internet that it is good practice to explicitly state the information stored in any cookies. In the case of third-party cookies, the following should be clearly stated:

  • the type of information collected;
  • to whom the information is transferred; and
  • the purposes of such transfer.

It is also suggested that:

  • whether the acceptance of cookies is mandatory or voluntary should be clearly stated;
  • data subjects should be provided with clear information about the consequences of not accepting cookies;
  • a reasonable expiry date for cookies should be set;
  • the contents should be encrypted where appropriate; and
  • techniques that may bypass a data subject's wishes to disable or reject cookies should not be deployed.

11.2 What requirements and restrictions apply to cloud computing services in your jurisdiction from a data privacy perspective?

No statutory requirements or restrictions apply specifically to cloud computing; instead, the PDPO applies generally. The Office of the Privacy Commissioner for Personal Data (PCPD) has issued an information leaflet on cloud computing which advises organisations and data users on how the PDPO applies to cloud computing and on the protection of data privacy when engaging cloud computing services.

Data users must protect and prevent misuse of personal data in accordance with the Data Protection Principles and Section 65(2) of the PDPO, including where personal data is outsourced to cloud computing providers. The cloud computing leaflet draws special attention to:

  • rapid transborder data flows;
  • loose outsourcing arrangements;
  • standard services and contracts; and
  • service and deployment models.

Ultimately, data users are legally responsible for the protection of personal data, even if it is outsourced to cloud providers.

11.3 What other requirements, restrictions and best practices should be considered from a marketing perspective in the online and networked context?

The PCPD has issued an information leaflet on Online Behavioural Tracking. It recommends fair and transparent practices to data users in relation to online tracking, which may include activities such as:

  • the retention of information on user preferences;
  • the establishment and management of a user's logged-on identity; and
  • behaviour and preference tracking to build profiles for marketing and advertising information.

Organisations are generally advised by the PCPD to carefully assess any information collected online, even if the individual types of information do not on their own contain unique identifiers. Online and networked tracking often results in the collection of a complex set of identifiers that, taken together, may be used to ascertain the identity of an individual; such information would then fall under the general requirements and restrictions of the PDPO.

12 Disputes

12.1 In which forums are data privacy disputes typically heard in your jurisdiction?

Data privacy disputes between data users and individuals are generally handled by the Office of the Privacy Commissioner for Personal Data (PCPD), which may conduct investigations against relevant data users either upon complaint from an individual or where there are reasonable grounds to believe that a data user has contravened the Personal Data (Privacy) Ordinance (PDPO). Further, the right to damages regarding an individual's right to privacy is well recognised by the Hong Kong courts. Data privacy disputes therefore typically manifest either as complaints to the PCPD or as actions for damages by affected data subjects.

12.2 What issues do such disputes typically involve? How are they typically resolved?

Data privacy disputes may typically involve data access requests or claims for defamation and damages. Section 66 of the PDPO provides that individuals who suffer damage due to a contravention may be entitled to compensation from the relevant data user. Damage has been established to include injury to feelings. In resolving disputes, the Hong Kong courts may consider the Data Protection Principles and whether a data user reasonably complied with them.

Where the PCPD investigates a potential contravention of the PDPO, it generally resolves most complaints by conciliation upon receipt of timely remedial actions taken or undertaken by parties being complained against, without the need for a warning or enforcement notice. An enforcement notice served by the PCPD will require the data user to remedy and prevent the recurrence of the contravention, which will generally involve the relevant data user adjusting its data privacy systems and policies, and possible compensation. Failure to comply with an enforcement notice is an offence.

12.3 Have there been any recent cases of note?

Rather than breaking new ground, the recent case of Tsang Po Mann v Tsang Ka Kit [2021] 2 HKLRD 1310 further established the Hong Kong courts' recognition of the right of privacy, awarding the plaintiff HK$70,000 for injury to feelings due to the defendant's encroachment on her privacy in breach of Section 66 of the PDPO. The defendants sent an anonymous letter to the plaintiff's employers/colleagues that included collages of still images from closed-circuit television (CCTV) footage and made accusatory statements about the plaintiff. While the claim for defamation failed, the plaintiff successfully claimed compensation for misuse of the personal information collected from the CCTV footage.

Furthermore, the first arrest for a suspected doxxing offence under Section 64(3A) of the PDPO (arising under the 2021 amendment) was made on 13 December 2021, which related to a monetary dispute between the suspect and the victim.

13 Trends and predictions

13.1 How would you describe the current data privacy landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?

The 2021 amendment to the Personal Data (Privacy) Ordinance (PDPO) is only the second major amendment made to the PDPO since its implementation. Alongside the 2021 amendment, there were five further proposed amendments, including:

  • mandatory data breach notifications;
  • additional regulations on data retention periods;
  • sanctioning powers for the Office of the Privacy Commissioner for Personal Data;
  • direct regulation of data processors; and
  • further definitions of 'personal data'.

All the proposed amendments were made with reference to global standards of data privacy law, particularly the GDPR as well as Canadian and New Zealand data privacy legislation. However, none of these proposed amendments were given a timeline for passage.

14 Tips and traps

14.1 What are your top tips for effective data protection in your jurisdiction and what potential sticking points would you highlight?

Hong Kong statutory requirements for data privacy are minimal and general. Many requirements are simply recommendations to act in good faith or to follow good practices. Data users and organisations are recommended to aim to adhere to higher standards, such as the EU General Data Protection Regulation and China's Personal Information Protection Law, rather than the Personal Data (Privacy) Ordinance alone. Furthermore, many of Hong Kong's data protection requirements are scattered throughout codes of practice laid out by the Office of the Privacy Commissioner for Personal Data (PCPD) and other government bureaux, such as the Hong Kong Securities and Exchange Commission, or certain industry sector regulators, such as in banking or insurance. Data users and organisations should ensure that they review and check guidelines and regulations issued not only by the PCPD but also by the relevant authorities and industry bodies that oversee and/or regulate their areas of business.
