Jurisdiction snapshot

Trends and climate
Would you consider your national data protection laws to be ahead of or behind the international curve?

Hong Kong was one of the first Asian countries to implement data protection legislation with the enactment of the Personal Data (Privacy) Ordinance (Chapter 486) in 1995. The ordinance was amended in 2012 to reflect international developments and changing technologies. In doing so, a balance was struck between aligning the ordinance with other international practices and maintaining Hong Kong's position as a free and open market. Therefore, unlike many other jurisdictions, Hong Kong has no additional restrictions concerning sensitive data or specific restrictions on the transfer of personal data outside Hong Kong.

Are any changes to existing data protection legislation proposed or expected in the near future?

Changes to the Personal Data (Privacy) Ordinance (Chapter 486) are unlikely in the near future. While there have previously been discussions about bringing Section 33 of the ordinance into operation, the privacy commissioner – who took office in August 2015 – recently indicated that this is unlikely to occur anytime soon. Section 33 has been on the statute books since the Personal Data (Privacy) Ordinance (Chapter 486) was enacted in 1995, but has never been brought into force. It contains specific restrictions on the transfer of personal data outside Hong Kong.

The privacy commissioner has announced that in 2016 he will focus on:

  • monitoring the progress of the European Commission's data protection reform and conducting comparative research and analysis on topics such as big data and the Internet of Things;
  • continuing to promote the Privacy Management Programme and launching a recognition scheme to reward companies that adopt good privacy practices in accordance with the Privacy Management Programme;
  • continuing to educate the public about the Personal Data (Privacy) Ordinance (Chapter 486) and the privacy commissioner’s activities by launching a television programme in partnership with Radio Television Hong Kong;
  • supporting the Electronic Health Record Sharing System; and
  • keeping pace with international developments and taking proactive steps to maintain a balance between data protection and the free flow of information.

In light of the above, the privacy commissioner will likely issue further guidelines concerning the use and collection of personal data in the context of big data and the Internet of Things.

Legal framework

Legislation
What legislation governs the collection, storage and use of personal data?

The Personal Data (Privacy) Ordinance (Chapter 486) governs the collection, storage and use of personal data.

Scope and jurisdiction
Who falls within the scope of the legislation?

The Personal Data (Privacy) Ordinance (Chapter 486) applies to the collection, processing, storage and use of personal data controlled by any person or entity in Hong Kong. 

What kind of data falls within the scope of the legislation?

Any data that relates directly or indirectly to a living individual, from which the identity of the individual can be directly or indirectly ascertained.

Are data owners required to register with the relevant authority before processing data?

There is no legal requirement for a data user to register with the regulatory authority. 

Is information regarding registered data owners publicly available?

Not applicable.

Is there a requirement to appoint a data protection officer?

There is no obligation under the Personal Data (Privacy) Ordinance (Chapter 486) for a data user to appoint a data protection officer. However, it is advisable for data users to have a designated data protection officer as a matter of good practice.

Enforcement
Which body is responsible for enforcing data protection legislation and what are its powers?

The Office of the Privacy Commissioner for Personal Data is the main body responsible for overseeing the enforcement of the Personal Data (Privacy) Ordinance (Chapter 486). The privacy commissioner has various powers, including the right to:

  • issue codes of practice and guidelines in relation to the Personal Data (Privacy) Ordinance (Chapter 486);
  • undertake investigations and inquiries and issue enforcement notices in the event of any breach of the Personal Data (Privacy) Ordinance (Chapter 486);
  • enter any premises for investigation or inspection purposes (subject to certain requirements); and
  • summon and examine the claimant or any person who the privacy commissioner believes has information regarding an investigation and require such persons to provide any information relevant to the investigation.

Collection and storage of data

Collection and management
In what circumstances can personal data be collected, stored and processed?

Personal data can be collected only for lawful purposes that are directly related to a data user’s function or activity. The personal data that is collected must not exceed that which is necessary for such purpose or a directly related purpose.

Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?

Data users should retain personal data for no longer than is necessary to fulfil the original collection purpose or a directly related purpose, unless any deletion of the personal data is prohibited by law or it is in the public interest for the personal data to be retained (eg, historical interest).

While there is no retention period specified under the Personal Data (Privacy) Ordinance (Chapter 486), data users should take into account the privacy commissioner’s various guidelines on data retention and the data retention requirements imposed under other statutes or by industry-specific regulators. For example, under the Code of Practice on Human Resource Management (issued by the privacy commissioner in April 2016), employee personal data should be retained for no longer than seven years from the date on which the employment ended. In addition, any personal data pertaining to job applicants should be retained for no longer than two years from the date on which the applicant was rejected.

Data users often retain personal data up to the statute of limitation period for which a claim can be brought by or against them in relation to the data subject – any longer may be difficult for a data user to justify.

Do individuals have a right to access personal information about them that is held by an organisation?

Individuals have the right to request access to their personal data to determine whether an organisation holds their personal data. Individuals also have the right to obtain a copy of the personal data (subject to certain exceptions).

Do individuals have a right to request deletion of their data?

There is no express right under the Personal Data (Privacy) Ordinance (Chapter 486) for individuals to request deletion of their personal data. However, individuals have the right to request the correction of their personal data held by a data user, and data users must not retain personal data for longer than is necessary to fulfil the original collection purpose or a directly related purpose. In addition, individuals have the right to request that data users cease using their personal data for certain purposes (eg, direct marketing purposes), which the data user must comply with.

Consent obligations
Is consent required before processing personal data?

Prior express consent is required before personal data can be processed if the personal data will be used or transferred for direct marketing purposes.

If the personal data will be used for any other purpose, consent is required only if the personal data will be used or transferred in a manner that is not covered by the original collection purpose (as communicated to the individual at the time of collection) or a directly related purpose, unless an exemption applies.

If consent is not provided, are there other circumstances in which data processing is permitted?

Personal data can be processed and used without consent if one of the following exemptions applies:

  • The personal data will be used for one of the following purposes and obtaining consent will likely prejudice such purpose:
    • the prevention or detection of a crime;
    • the apprehension, prosecution or detention of offenders;
    • the assessment or collection of any tax or duty;
    • the prevention, preclusion or remedying (including punishment) of unlawful or seriously improper conduct or dishonesty or malpractice by individuals;
    • the prevention or preclusion of significant financial loss arising from imprudent business practices or activities of persons, or the unlawful or seriously improper conduct or dishonesty or malpractice by persons; or
    • the determination of whether the data subject’s character or activities are likely to have a significantly adverse impact on anything to which the discharge of statutory functions by the data user relates;
  • The personal data relates to a data subject’s identity, physical or mental health or location and obtaining consent would likely cause serious harm to the data subject’s physical or mental health or that of another individual;
  • The personal data is required in connection with any legal proceedings in Hong Kong or to establish, exercise or defend any legal rights in Hong Kong; or
  • The personal data will be transferred or disclosed by a data user for the purposes of due diligence relating to a business transaction for the transfer of the business or property of or shares in the data user, or an amalgamation of the data user with another body. However, this is subject to the primary purpose of the proposed business transaction not being the transfer, disclosure or provision of personal data for gain, as well as other requirements imposed by the Personal Data (Privacy) Ordinance (Chapter 486).

What information must be provided to individuals when personal data is collected?

On or before the collection of an individual’s personal data, data users must notify the individual of:

  • the purpose for which the individual’s data is to be collected and used;
  • the classes of person to which the data may be transferred;
  • whether the provision of the individual’s personal data is mandatory or voluntary and, if mandatory, the consequences of failure to do so;
  • the individual’s right to request access to and correction of the personal data; and
  • the name or job title and address of the person whom the individual should contact to request access to or correction of the personal data.

Further notification and consent requirements apply if the personal data will be used for direct marketing purposes. In order to obtain valid consent from an individual for the use or transfer of his or her personal data for direct marketing purposes, a data user must notify the individual of:

  • its intention to use or transfer the personal data for direct marketing purposes and the fact that it may not do so without the individual’s consent;
  • the type of personal data to be used or transferred;
  • the categories of goods, facilities or services that will be offered or advertised (or the purpose for which donations or contributions are being solicited); 
  • the classes of transferee that will be using the personal data for direct marketing purposes (if any), the categories of goods or services that may be marketed by the transferees and whether the data user is transferring the personal data in return for gain; and
  • how the individual can communicate his or her consent without any charge.

Data security and breach notification

Security obligations
Are there specific security obligations that must be complied with?

Data users must take all practicable steps to ensure that personal data held by them is protected against unauthorised or accidental access, processing, deletion, loss or use. If any personal data is transferred to a data processor, the data user must adopt contractual or other means to ensure that the data processor protects the personal data from any unauthorised or accidental access, processing, deletion, loss or use.

Breach notification
Are data owners/processors required to notify individuals in the event of a breach?

While there is no statutory requirement to do so, voluntary notification is generally recommended by the privacy commissioner. Industry-specific regulators may also require companies in such regulated industries (eg, financial institutions) to notify individuals of any unauthorised access, use or loss of their personal data. 

Are data owners/processors required to notify the regulator in the event of a breach?

While there is no statutory requirement to do so, voluntary notification is generally recommended by the privacy commissioner. Industry-specific regulators may also require companies in such regulated industries (eg, financial institutions) to notify them in the event of any unauthorised access, use or loss of personal data.

Electronic marketing and internet use

Electronic marketing
Are there rules specifically governing unsolicited electronic marketing (spam)?

The Unsolicited Electronic Messages Ordinance (Chapter 563) regulates the sending of commercial electronic messages – including pre-recorded telephone messages, faxes, text messages and emails – for the purpose of offering, supplying or promoting goods, services, facilities, land or business opportunities, among other things. 

Individuals can register their telephone and fax numbers on a ‘do-not-call’ register to stop unsolicited commercial electronic messages from being sent to them. Any party that sends an unsolicited commercial electronic message to a number that is registered on the do-not-call register will be in breach of the Unsolicited Electronic Messages Ordinance (Chapter 563). 

Organisations can send unsolicited commercial electronic messages to any telephone or fax number that is not registered on the do-not-call register, subject to their compliance with the Unsolicited Electronic Messages Ordinance (Chapter 563) and related regulations. For example, a sender must:

  • display its number when sending messages;
  • clearly identify itself and provide contact information in the message; and
  • offer recipients a way to unsubscribe.

Cookies
Are there rules governing the use of cookies?

Cookies are governed by the Personal Data (Privacy) Ordinance (Chapter 486) to the extent that they amount to personal data. If it is reasonably practicable to ascertain an individual’s identity directly or indirectly from the cookies (either individually, combined or with other data), such collection will likely fall within the scope of the Personal Data (Privacy) Ordinance (Chapter 486).

Data transfer and third parties

Cross-border data transfer
What rules govern the transfer of data outside your jurisdiction?

Prior express consent is required before personal data can be processed if the personal data will be used or transferred for direct marketing purposes.

If the personal data will be used for any other purpose, consent is required only if the personal data will be used or transferred in a manner that is not covered by the original collection purpose or a directly related purpose (as notified to the individual at the time of collection), unless an exemption applies.

On or before the collection of an individual’s personal data, data users must notify the individual of:

  • the purpose for which the individual’s data is to be collected and used;
  • the classes of person to which the data may be transferred;
  • whether the provision of the individual’s personal data is mandatory or voluntary and, if mandatory, the consequences of failure to do so;
  • the individual’s right to request access to and correction of the personal data; and
  • the name or job title and address of the person whom the individual should contact to request access to or correction of the personal data.

Further notification and consent requirements apply if the personal data will be used for direct marketing purposes. In order to obtain valid consent from an individual for the use or transfer of his or her personal data for direct marketing purposes, a data user must notify the individual of:

  • its intention to use or transfer the personal data for direct marketing purposes and the fact that it may not do so without the individual’s consent;
  • the type of personal data to be used or transferred;
  • the categories of goods, facilities or services that will be offered or advertised (or the purpose for which donations or contributions are being solicited);
  • the classes of transferee that will be using the personal data for direct marketing purposes (if any), the categories of goods or services that may be marketed by the transferees and whether the data user is transferring the personal data in return for gain; and
  • how the individual can communicate his or her consent without any charge.

The above rules apply in respect of a transfer of personal data to any third party, whether inside or outside Hong Kong.

No specific restrictions are currently in force regarding the transfer of personal data overseas. Section 33 of the Personal Data (Privacy) Ordinance (Chapter 486) – which restricts the transfer of personal data outside Hong Kong – is yet to be enacted.

In 2014 the privacy commissioner issued a non-mandatory guidance note on Personal Data Protection in Cross-border Data Transfers, which provides recommendations on the cross-border transfer of personal data outside Hong Kong, including how to obtain a data subject's consent.

Are there restrictions on the geographic transfer of data?

Please see above.

Third parties
Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?

If a data user engages a third party to process data on its behalf (ie, a data processor), the data user must adopt contractual or other means to prevent:

  • personal data that is transferred to the data processor from being kept for longer than is necessary for the processing of such personal data; and
  • any unauthorised or accidental access, processing, deletion, loss or use of the personal data that is transferred to the data processor.

In September 2012 the privacy commissioner also issued guidelines on Outsourcing the Processing of Personal Data to Data Processors. While the guidelines are non-mandatory, failure to comply may be taken into account by the privacy commissioner when assessing whether a breach of the Personal Data (Privacy) Ordinance (Chapter 486) has occurred.

The guidelines include recommendations on the provisions that should be included in the agreement between a data user and data processor. For example, the agreement should:

  • require the data processor to notify the data user in the event of any suspected unauthorised disclosure, use or loss of the personal data;
  • prohibit the data processor from using the personal data for any purpose other than the purpose for which it was provided; and
  • specify the security measures that the data processor must implement to protect the personal data.

Penalties and compensation

Penalties
What are the potential penalties for non-compliance with data protection provisions?

A breach of the Personal Data (Privacy) Ordinance (Chapter 486) may result in an inquiry and investigation by the privacy commissioner (either on the privacy commissioner’s own initiative or based on a complaint). If the privacy commissioner determines that a data user has breached any of the data protection principles, the privacy commissioner can issue an enforcement notice against the data user requiring it to take certain remedial steps to rectify the breach or prevent any recurrence. Failure to comply with the enforcement notice constitutes an offence and the data user will be liable on first conviction to a maximum fine of HK$50,000 and a further penalty of HK$1,000 for each day that the offence continues, as well as two years’ imprisonment.

A subsequent contravention of the Personal Data (Privacy) Ordinance (Chapter 486) of the same kind as one for which an enforcement notice has already been issued and complied with constitutes an offence in itself, without the need for a new enforcement notice to be issued. This may result in a maximum fine of HK$50,000 and a further penalty of HK$1,000 for each day that the offence continues, as well as two years’ imprisonment. Repeated breaches of enforcement notices will result in higher fines of HK$100,000 and a further penalty of HK$2,000 for each day that the offence continues, as well as two years’ imprisonment.

A breach of the direct marketing requirements under the Personal Data (Privacy) Ordinance (Chapter 486) constitutes an offence and can result in a maximum fine of HK$500,000 and three years’ imprisonment. A breach involving the sale or transfer of personal data to a third party for direct marketing purposes for the data user’s gain can result in a maximum fine of HK$1 million and five years’ imprisonment. 

Other breaches of the Personal Data (Privacy) Ordinance (Chapter 486) may also amount to an offence and incur a fine of HK$10,000. 

Compensation
Are individuals entitled to compensation for loss suffered as a result of a data breach or non-compliance with data protection provisions by the data owner?

Under Section 66 of the Personal Data (Privacy) Ordinance (Chapter 486), individuals have the express right to seek compensation from a data user for any damage (including injury to feelings) suffered as a result of any breach of the ordinance by the data user. In addition, legal assistance can be granted to such individuals at the privacy commissioner’s discretion.

Cybersecurity

Cybersecurity legislation, regulation and enforcement
Has legislation been introduced in your jurisdiction that specifically covers cybercrime and/or cybersecurity?

No single overarching law specifically governs cybersecurity or cybercrime. Different offences are covered under various statutes (see below).

What are the other significant regulatory considerations regarding cybersecurity in your jurisdiction (including any international standards that have been adopted)?

Some industry sectors have issued circulars or guidelines concerning cybersecurity. For example, on March 23 2016 the Securities and Futures Commission issued a Circular to All Licensed Corporations on Cybersecurity and on September 15 2015 the Hong Kong Monetary Authority issued a circular on Cybersecurity Risk Management. Such circulars require financial institutions to establish a governance framework, the purpose of which includes:

  • the supervision of cybersecurity management;
  • the enhancement of security architecture to prevent cyber-attacks; and
  • the establishment of adequate incident and crisis management procedures.

Which cyber activities are criminalised in your jurisdiction?

Different cyber offences are covered under various statutes. For example:

  • gaining unauthorised access to a computer for dishonest gain or to cause loss to another is governed by Section 161 of the Crimes Ordinance (Chapter 200);
  • gaining unauthorised access to a computer by telecommunication means is governed by Section 27A of the Telecommunication Ordinance (Chapter 106);
  • destroying or damaging property – including misusing a computer program or data – is governed by Section 60 of the Crimes Ordinance (Chapter 200); and
  • unlawfully causing a computer to function in a way that differs from its original function or altering, erasing or adding any computer program or data is governed by Sections 59 and 60 of the Theft Ordinance (Chapter 210).

Which authorities are responsible for enforcing cybersecurity rules?

With regard to cybersecurity, a company’s relevant industry-specific regulatory authority is responsible for enforcing cybersecurity rules. For example, for financial institutions this is the Securities and Futures Commission and the Hong Kong Monetary Authority.

Cybersecurity best practice and reporting
Can companies obtain insurance for cybersecurity breaches and is it common to do so?

Yes – cybersecurity insurance is a growing industry in Hong Kong.

Are companies required to keep records of cybercrime threats, attacks and breaches?

No overarching statute requires companies to keep records of cybercrime threats, attacks and breaches.

Are companies required to report cybercrime threats, attacks and breaches to the relevant authorities?

No overarching statute imposes any reporting requirements with regard to cybercrime threats, attacks and breaches. However, industry-specific regulatory authorities may require companies to report such occurrences to them.

Are companies required to report cybercrime threats, attacks and breaches publicly?

No overarching statute imposes any public reporting requirements with regard to cybercrime threats, attacks and breaches. However, industry-specific regulatory authorities may require companies to do so.

Criminal sanctions and penalties
What are the potential criminal sanctions for cybercrime?

Depending on the type of cybercrime, an offence may incur a prison sentence of up to 10 years or a maximum fine of HK$25,000. 

What penalties may be imposed for failure to comply with cybersecurity regulations?

The relevant industry-specific regulatory authority may take into account non-compliance with any industry-specific cybersecurity guideline or circular as part of its general monitoring of companies, which may result in certain penalties or in worst-case scenarios the withdrawal of any relevant licence.