Organisations in Hong Kong and individuals alike, should take note and ensure they ‘treat data privacy seriously’ following the first criminal conviction for failing to comply with a lawful requirement of the Privacy Commissioner for Personal Data (“Privacy Commissioner”).

The case (decided last month) concerned a director of an employment agency, which was the subject of investigation after a complaint was made alleging personal data had been transferred by the agency to a third party without the complainants consent. In responding to the complaint, the Privacy Commissioner had repeatedly tried to contact the director of the company to obtain further information without success, and eventually issued a summons requiring him to appear for examination.

When the director failed to appear on the required date, the Privacy Commissioner referred the matter to the police for criminal investigation under s.50B(1)(b) of the Personal Data (Privacy) Ordinance (“PDPO”). This section states a person commits a criminal offence where, without lawful excuse, they fail to comply with any lawful requirement of the Privacy Commissioner. The director concerned pleaded guilty to the charge and was fined HK$3,000.

This case is another, in what is now a growing trend in criminal convictions for failure to comply with the PDPO, and is representative of the strict approach the courts are now taking to enforce law. The ruling serves as yet another reminder of the importance organisations should place on data privacy and security, and the need to have internal processes to ensure they are able to fully co-operate with any data privacy investigation in a timely manner.