Law and the regulatory authority

Legislative framework

Summarise the legislative framework for the protection of personal information (PI). Does your jurisdiction have a dedicated data protection law? Is the data protection law in your jurisdiction based on any international instruments or laws of other jurisdictions on privacy or data protection?

The Personal Data (Privacy) Ordinance (PDPO) (Cap 486) is the main legislation in Hong Kong that regulates the collection, use, transfer, processing and storage of PI.

The drafting of the PDPO was based upon:

  • the International Covenant on Civil and Political Rights;
  • the European Convention on the Protection of Human Rights and Fundamental Freedoms;
  • the Organisation for Economic Cooperation and Development Guidelines on the Protection of Privacy and Transborder Flows of Personal Data; and
  • EU Directive 95/46/EC.

Data protection authority

Which authority is responsible for overseeing the data protection law? What is the extent of its investigative powers?

The Office of the Privacy Commissioner for Personal Data is the main body responsible for overseeing the enforcement of the PDPO and is headed by the Privacy Commissioner for Personal Data (PCPD).

The PCPD has various investigative powers, including the right to:

  • undertake investigations and inquiries and issue enforcement notices in the event of any breach of the PDPO;
  • enter any premises for investigation or inspection purposes (subject to certain requirements);
  • conduct inspections on any PI system (ie, a system, whether or not automated, used in whole or in part, by a data user to collect, hold, process or use PI);
  • summon and examine the claimant or any person who the PCPD believes has information regarding an investigation and require such persons to provide any information relevant to an investigation the PCPD is conducting;
  • apply to court for permission to conduct search and seizure operations for evidence relating to certain doxxing offences;
  • apply to court for an injunction relating to certain doxxing offences;
  • directly prosecute certain doxxing offences, non-compliance with written notices issued by the PCPD and the obstruction of the PCPD’s exercise of its statutory powers; and
  • stop, search and arrest, without a warrant, an individual reasonably suspected of having committed a doxxing offence that is directly prosecutable by the PCPD.

Cooperation with other data protection authorities

Are there legal obligations on the data protection authority to cooperate with other data protection authorities, or is there a mechanism to resolve different approaches?

There is no legal obligation on the PCPD to cooperate with data protection authorities in other jurisdictions.

Breaches of data protection law

Can breaches of data protection law lead to administrative sanctions or orders, or criminal penalties? How would such breaches be handled?

Breaching the PDPO may result in an inquiry, investigation and, for some doxxing-related offences, direct prosecution by the PCPD (either on the PCPD’s own initiative or based on a complaint).

If a data user is found to have contravened any of the data protection principles in the PDPO, the PCPD may issue an enforcement notice requiring the data user to take steps to rectify the contravention. Failure to comply with such a notice is a criminal offence, with a maximum penalty of a fine of HK$50,000 and two years’ imprisonment (plus HK$1,000 for each day the offence continues). A subsequent conviction for breaching an enforcement notice attracts a higher maximum fine of HK$100,000 and up to two years’ imprisonment (plus HK$2,000 for each day the offence continues). A repeated contravention of the PDPO on the same facts, after an enforcement notice has been issued and complied with, is itself an offence and does not require a new enforcement notice to be issued; it attracts a maximum fine of HK$50,000 (plus HK$1,000 for each day the breach continues) and two years’ imprisonment.

Contravening other requirements of the PDPO may also constitute an offence. Following the 2013 PDPO amendments, higher penalties have been introduced for breaches of the direct marketing provisions. Additional doxxing-related offences have been introduced following the 2021 PDPO amendments.

In particular, breaching the direct marketing requirements under the PDPO may attract a maximum fine of HK$500,000 and three years’ imprisonment, whereas a breach involving the sale or transfer of PI to a third party for direct marketing purposes for the data user’s gain may attract a maximum fine of HK$1 million and five years’ imprisonment. The disclosure of a data subject’s PI is similarly punishable by a fine of up to HK$1 million and five years’ imprisonment where the disclosure is:

  • made without the data subject’s consent, with intent to cause harm or being reckless as to whether harm would be caused, and harm is in fact caused; or
  • of PI obtained from a data user without the data user’s consent, with intent to obtain gain or to cause loss to the data subject.

Where PI is disclosed without the data subject’s consent with intent to cause harm, or recklessly as to whether harm would be caused, but no harm actually results, the maximum penalty is a fine of HK$100,000 and two years’ imprisonment.

Following the 2021 PDPO amendments, the PCPD’s investigation and enforcement powers for doxxing-related offences have been expanded; failure to comply with the PCPD’s written or cessation notices, or obstruction of the lawful exercise of the PCPD’s powers, are now directly prosecutable by the PCPD.

Failure to comply with a written notice from the PCPD requiring the provision of assistance and materials, where done with intent to defraud, may attract a maximum fine of HK$1 million and two years’ imprisonment. Obstruction of the lawful exercise of the PCPD’s powers is punishable by a maximum fine of HK$10,000 and six months’ imprisonment. Failure to comply with a cessation notice may attract a maximum fine of HK$50,000 and two years’ imprisonment (plus HK$1,000 for each day the offence continues), and a subsequent conviction for failing to comply with a cessation notice attracts a maximum fine of HK$100,000 and two years’ imprisonment (plus HK$2,000 for each day the offence continues).

Other than criminal sanctions, data subjects aggrieved by contravention of the PDPO may seek compensation from the data user through civil action. The PCPD may assist data subjects in their civil action by providing legal advice or other assistance at its discretion.

Scope

Exempt sectors and institutions

Does the data protection law cover all sectors and types of organisation or are some areas of activity outside its scope?

The Personal Data (Privacy) Ordinance (PDPO) regulates both private and public sectors. However, some data users may be exempt from certain requirements under the PDPO, for instance, where PI is held or disclosed:

  • for domestic or recreational purposes;
  • by a court, magistrate or a judicial officer in the course of performing judicial functions;
  • by or on behalf of the government to safeguard Hong Kong’s security, defence or international relations;
  • to prevent or detect crime; or
  • solely for the purpose of news activity.

Interception of communications and surveillance laws

Does the data protection law cover interception of communications, electronic marketing or monitoring and surveillance of individuals?

Electronic marketing activities are regulated by the PDPO if PI is used for ‘direct marketing’ purposes. Marketing through unsolicited electronic messages is regulated under the Unsolicited Electronic Messages Ordinance (UEMO) (Cap 593).

Interception of communications and surveillance conducted by or on behalf of law enforcement officers in Hong Kong is regulated under the Interception of Communications and Surveillance Ordinance (Cap 589) and the National Security Law (officially known as the Law of the People’s Republic of China on Safeguarding National Security in the Hong Kong Special Administrative Region).

Other laws

Are there any further laws or regulations that provide specific data protection rules for related areas?

The Office of the Privacy Commissioner for Personal Data (PCPD) has issued codes of practice, guidance notes and information leaflets that provide data protection guidance concerning specific industry sectors and activities, for instance, employee monitoring and the collection and use of PI through the Internet. Although these guidelines are not legally binding, the PCPD may take into consideration any non-compliance with these guidelines when determining whether a data user has contravened the data protection principles of the PDPO.

PI formats

What categories and types of PI are covered by the law?

The PDPO covers PI in any form in which access to or processing of such data is practicable.

Extraterritoriality

Is the reach of the law limited to PI owners and processors physically established or operating in your jurisdiction, or does the law have extraterritorial effect?

The PDPO does not have extraterritorial effect and only applies to data users who control the collection, holding, processing or use of PI in or from Hong Kong.

However, the Personal Data (Privacy) (Amendment) Ordinance 2021 has given the PCPD power to serve cessation notices on non-Hong Kong service providers if the PCPD has grounds to believe that there is an electronic doxxing message that the non-Hong Kong service provider is able to control, even if such an action is to be taken outside of Hong Kong.

Covered uses of PI

Is all processing or use of PI covered? Is a distinction made between those who control or own PI and those who provide PI processing services to owners? Do owners’, controllers’ and processors’ duties differ?

The PDPO distinguishes between a ‘data user’ and a ‘data processor’. A data user is a person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of PI, whereas a data processor is a person who processes PI on behalf of another person and does not process the data for any of its own purposes.

The PDPO regulates data users directly but does not impose obligations on data processors. As a consequence, a data user that engages a data processor to process PI on its behalf remains responsible for any breach of the PDPO committed by that data processor, and is required to adopt contractual or other means to ensure that PI transferred to the processor is protected against unauthorised access and is not retained longer than necessary.

Law stated date

Correct on

Give the date on which the information above is accurate.

16 May 2022.