Law and the regulatory authority

Legislative framework

Summarise the legislative framework for the protection of personally identifiable information (PII). Does your jurisdiction have a dedicated data protection law? Is the data protection law in your jurisdiction based on any international instruments on privacy or data protection?

The Personal Data (Privacy) Ordinance (PDPO) (Cap 486) is the main legislation in Hong Kong that regulates the collection, use, transfer, processing and storage of personal data.

The drafting of the PDPO was based upon:

  • the International Covenant on Civil and Political Rights;
  • the European Convention on the Protection of Human Rights and Fundamental Freedoms;
  • the Organisation for Economic Cooperation and Development Guidelines on the Protection of Privacy and Transborder Flows of Personal Data; and
  • EU Directive 95/46/EC.

Data protection authority

Which authority is responsible for overseeing the data protection law? Describe the investigative powers of the authority.

The Office of the Privacy Commissioner for Personal Data is the main body responsible for overseeing the enforcement of the PDPO and is headed by the Privacy Commissioner for Personal Data (PCPD).

The PCPD has various investigative powers, including the right to:

  • undertake investigations and inquiries and issue enforcement notices in the event of any breach of the PDPO;
  • enter any premises for investigation or inspection purposes (subject to certain requirements);
  • conduct inspections on any personal data system (ie, a system, whether or not automated, used in whole or in part, by a data user to collect, hold, process or use personal data); and
  • summon and examine the complainant or any other person who the PCPD believes has information relevant to an investigation, and require such persons to provide any information relevant to the investigation the PCPD is conducting.

Cooperation with other data protection authorities

Are there legal obligations on the data protection authority to cooperate with other data protection authorities, or is there a mechanism to resolve different approaches?

There is no legal obligation on the PCPD to cooperate with data protection authorities in other jurisdictions.

Breaches of data protection

Can breaches of data protection law lead to administrative sanctions or orders, or criminal penalties? How would such breaches be handled?

A breach of the PDPO may result in an inquiry and investigation by the PCPD (either at the PCPD’s own initiative or based on a complaint).

If a data user is found to have contravened any of the data protection principles in the PDPO, the PCPD may issue an enforcement notice requiring the data user to take steps to rectify the contravention. Failure to comply with an enforcement notice is a criminal offence punishable by a fine of up to HK$50,000 and imprisonment for up to two years, with a daily penalty of HK$1,000 for as long as the offence continues. A second or subsequent conviction for non-compliance with an enforcement notice attracts a fine of up to HK$100,000 and imprisonment for up to two years, with a daily penalty of HK$2,000 for a continuing offence. Where a data user has complied with an enforcement notice and then repeats the same contravention on the same facts, the repeated contravention is itself an offence and no new enforcement notice needs to be issued; it attracts a fine of up to HK$50,000 (plus HK$1,000 for each day the contravention continues) and imprisonment for up to two years.

The contravention of other requirements of the PDPO may also constitute an offence. Following the amendments to the PDPO in 2013, higher penalties have been introduced for breaches of the direct marketing provisions.

In particular, a breach of the direct marketing requirements under the PDPO may result in a maximum fine of HK$500,000 and three years’ imprisonment; whereas a breach involving the sale or transfer of personal data to a third party for direct marketing purposes for the data user’s gain may result in a maximum fine of HK$1 million and five years’ imprisonment.

In addition to criminal sanctions, a data subject who suffers damage by reason of a contravention of the PDPO may seek compensation from the data user through civil action. The PCPD may, at its discretion, assist the data subject in such an action by providing legal advice or other forms of assistance.

Scope

Exempt sectors and institutions

Does the data protection law cover all sectors and types of organisation or are some areas of activity outside its scope?

The Personal Data (Privacy) Ordinance (PDPO) regulates both the private and the public sectors. However, some data users are exempt from certain requirements of the PDPO, for instance where personal data is held or disclosed:

  • for domestic or recreational purposes;
  • by a court, magistrate or a judicial officer in the course of performing judicial functions;
  • by or on behalf of the government to safeguard Hong Kong’s security, defence or international relations;
  • to prevent or detect crime; or
  • solely for the purpose of news activity.

Communications, marketing and surveillance laws

Does the data protection law cover interception of communications, electronic marketing or monitoring and surveillance of individuals? If not, list other relevant laws in this regard.

Electronic marketing activities are regulated by the PDPO if personal data is used for ‘direct marketing’ purposes. Marketing through unsolicited electronic messages is regulated under the Unsolicited Electronic Messages Ordinance (UEMO) (Cap 593).

Interception of communications and surveillance conducted by or on behalf of law enforcement officers in Hong Kong is regulated under the Interception of Communications and Surveillance Ordinance (Cap 589) and the National Security Law (officially known as the Law of the People’s Republic of China on Safeguarding National Security in the Hong Kong Special Administrative Region).

Other laws

Identify any further laws or regulations that provide specific data protection rules for related areas.

The Office of the Privacy Commissioner for Personal Data (PCPD) has issued codes of practice, guidance notes and information leaflets that provide data protection guidance concerning specific industry sectors and activities, for instance, employee monitoring and the collection and use of personal data through the Internet. Although these guidelines are not legally binding, the PCPD may take into consideration any non-compliance with these guidelines when determining whether a data user has contravened the data protection principles of the PDPO.

PII formats

What forms of PII are covered by the law?

The PDPO covers ‘personal data’, meaning any data that relates directly or indirectly to a living individual, from which it is practicable to ascertain the individual’s identity directly or indirectly, and that is in a form in which access to or processing of the data is practicable. Beyond that requirement of practicable access or processing, the form or medium in which the data is held is immaterial.

Extraterritoriality

Is the reach of the law limited to PII owners and processors of PII established or operating in the jurisdiction?

The PDPO does not have an extraterritorial effect. It only applies to data users who control the collection, holding, processing or use of personal data in or from Hong Kong.

Covered uses of PII

Is all processing or use of PII covered? Is a distinction made between those who control or own PII and those who provide PII processing services to owners? Do owners’, controllers’ and processors’ duties differ?

The PDPO distinguishes between a ‘data user’ and ‘data processor’. A data user is a person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of personal data; whereas a data processor is a person who processes personal data on behalf of another person and does not process the data for any of its own purposes.

The PDPO directly regulates data users, not data processors. A data user that engages a data processor to process personal data on its behalf therefore remains responsible for any breach of the PDPO committed by that processor. Data Protection Principles 2(3) and 4(2) require the data user to adopt contractual or other means to prevent the processor from retaining the personal data longer than is necessary for the processing, and to prevent unauthorised or accidental access, processing, erasure, loss or use of the data while it is held by the processor.

Law stated date

Correct on

Give the date on which the information above is accurate.

26 May 2021.