Publication
Contacts
Linklaters LLP
Alex Roberts
Tel: +8621 2891 1842
www.linklaters.com
Supervisory Authority
Privacy Commissioner
National Legislation
PDPO
Cap. 486 Personal Data (Privacy) Ordinance (elegislation.gov.hk)
(Please note these links are provided for information only. Any translations may not be accurate and the text may not include amendments to that legislation
Last updated March 2024
General | Data Protection Laws
National Legislation
National Supervisory Authority
Scope of Application
Personal Data
Sensitive Personal Data
Data Protection Officers
Accountability and Privacy Impact Assessments
Rights of Data Subjects
Security
Transfer of Personal Data to Third Countries
Enforcement
ePrivacy | Marketing and cookies
National Legislation
Cookies
Marketing by E-mail
Marketing by Telephone
General data protection laws
The Personal Data (Privacy) Ordinance (the “PDPO”) which contains the Data Protection Principles (the “DPP”).
There is no single ordinance that addresses cybersecurity, though other ordinances such as the Telecommunications Ordinance address issues such as unauthorised access to computers. This summary does consider specific cybersecurity laws.
In addition, certain sector-specific laws and guidelines include provisions relating to the protection of certain personal data and/or cybersecurity matters. For example, the Hong Kong Monetary Authority has issued its Supervisory Policy Manual SA-2 (Outsourcing) which deals with data privacy protections in the context of an authorised institution’s outsourcing arrangements and various non-binding cybersecurity guidelines for authorised institutions, such as Cyber Resilience Assessment Framework and cybersecurity guidelines covering the use of banking services and stored value facilities. The Securities and Futures Commission has published guidelines and circulars such as the Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading and specific guidelines in relation to the use of external electronic data storage. The Office of the Government Chief Information Office (“OGCIO”) has issued guidelines on cybersecurity controls This summary does not consider these sector-specific laws and guidelines.
Entry into force
The majority of the provisions of the PDPO came into force on 20 December 1996. The PDPO was significantly amended by the Personal Data (Privacy) (Amendment) Ordinance 2012 (“2012 Amendments”) and the Personal Data (Privacy) (Amendment) Ordinance 2021 (“2021 Amendments”). Notably, the 2012 Amendments which came into effect on 1 April 2013 established a direct marketing regime, and the 2021 Amendments (which came into effect on 8 October 2021) made substantial additions to criminalise doxxing acts and empower the Privacy Commissioner with related enforcement powers.
Details of the competent national supervisory authority
Office of the Privacy Commissioner for Personal Data (the “Privacy Commissioner”)
Unit1303, 13/F, Dah Sing Financial Centre, 248 Queen's Road East
Wanchai, Hong Kong.
Telephone: +852 2827 2827
Notification or registration scheme and timing
There is no legal requirement to notify the Privacy Commissioner in respect of any collection or use of personal data.
However, for “matching procedures” (i.e. comparison of two sets of personal data not carried out by manual means and each collected for different purposes and involving 10 or more data subjects which end results may be used for taking adverse actions against individuals), organisations can choose to obtain consent from the Privacy Commissioner to carry out such procedures in lieu of obtaining individual express consents.
There is a Data User Return Scheme under the PDPO. This requires specified organisations to notify the Privacy Commissioner of "prescribed information" including the kinds of personal data they control and the purposes for which the personal data are collected, held, processed or used. However, the Privacy Commissioner put the Data User Return Scheme on hold during the reform of the European Union’s data protection system, on which the Hong Kong system is modelled. As the GDPR removed registration requirements and the focus of the Privacy Commissioner is now on the implementation of accountability principles and privacy management programmes, it is unclear whether the Privacy Commissioner will continue to implement the Data User Return Scheme.
Exemptions to notification
Not applicable.
What is the territorial scope of application?
The PDPO applies where the data user in question controls the collection, holding, processing or use of personal data in or from Hong Kong even if the data processing cycle occurs outside Hong Kong. The PDPO does not contain any express provisions conferring extra-territorial application.
Is there a concept of a controller and a processor?
Yes, but the terminology is different. Data processors (being a person who processes personal data on behalf of another person instead of for his/her own purpose(s)) are not directly regulated under the PDPO. Instead, data users (which are akin to data controllers under GDPR are required to, by contractual or other means, ensure that their data processors meet the applicable requirements of the PDPO. Data users are liable for the acts and omissions of their data processors.
Are both manual and electronic records subject to data protection legislation?
The PDPO applies to both manual and electronic records as long as they contain personal data.
Are there any national derogations?
The PDPO contains: (i) general exemptions from the DPPs for personal data held for domestic or recreational purposes; (ii) exemptions from access requirements (i.e. DPP6) for certain employment-related personal data and relevant processes or where the access to personal data will derogate legal professional privilege or the right against self-incrimination; and (iii) exemptions from use limitations and access requirements (i.e. DPP3 and DPP6) in a wide range of situations.
A non-exhaustive list of the more common exemptions from use limitations and access requirements includes: (i) for the purpose of safeguarding Hong Kong’s security, defence and international relations, crime prevention or detection; (ii) assessment or collection of any tax or duty; (iii) prevention of unlawful or seriously improper conduct (iv) news activities; (v) legal proceedings; (vi) due diligence exercises; and (vii) life-threatening emergency situations.
What is personal data?
The PDPO defines personal data to mean any data relating directly or indirectly to a living individual from which it is practicable for the individual to be directly or indirectly identified. Personal data must also be in a form in which access to, or processing of, the data is practicable.
Is information about legal entities personal data?
No. However, information about individuals employed by legal entities, including sole proprietors and partnerships may be treated as personal data if such information satisfies the definition of personal data.
What are the rules for processing personal data?
Data users are required to comply with the six DPPs.
DPP1 provides for the lawful and fair collection of personal data and sets out the information a data user must give to a data subject when collecting personal data from that data subject.
DPP2 provides that personal data should be accurate, up-to-date and kept no longer than necessary.
DPP3 provides that personal data should only be used (including disclosure or transfer) for the purposes for which they were collected or a directly related purpose. A data user is required to obtain the “prescribed consent” of the data subject if the data user intends to use (including to disclose or transfer) the personal data for purposes other than those for which the data were originally collected or for a directly related purpose.
DPP4 requires appropriate security measures to be applied to personal data.
DPP5 requires that data users provide general information about the kinds of personal data they hold and the main purposes for which personal data are used.
DPP6 provides for data subjects to have rights of access to and correction of their personal data.
Are there any formalities to obtain consent to process personal data?
Prescribed consent is defined in the PDPO to mean the express consent of the data subject which has been given voluntarily and not withdrawn in writing.
Prescribed consent is required pursuant to DPP3 if a data user intends to use (including to disclose or transfer) the personal data for purposes other than those for which the data were originally collected or for a directly-related purpose.
Are there any special rules when processing personal data about children?
If the data subject is a minor (i.e. under the age of 18) and prescribed consent is required from the minor in accordance with DPP3, then in appropriate circumstances, a person with parental responsibility for the minor may give the prescribed consent on behalf of the minor.
Are there any special rules when processing personal data about employees?
The DPPs generally apply equally in an employment context and the Privacy Commissioner has published specific codes of practice and/or guidelines in relation to human resource management and monitoring and personal data privacy at work. However, the PDPO contains exemptions from access requirements (i.e. DPP6) for certain employment-related personal data and relevant processes. These exemptions allow employers to refuse access by employees to their personal data relevant to staff planning proposals or employment-related evaluative processes (against which the relevant employee has a right to appeal and for as long as the relevant process is on-going and a determination is yet to be made). Examples of such evaluative processes include disciplinary proceedings, promotion exercises or evaluative processes concerning the employee’s continuing employment. However, the appeal period is not considered as part of such relevant process. Therefore, an employer who receives a data access request by an employee after the determination of the relevant process (but before any appeal) should still comply with a data access request.
What is sensitive personal data?
There is no concept of “sensitive” personal data under the PDPO.
However, the Privacy Commissioner has issued Codes of Practice setting out specific requirements in respect of certain types of personal data such as identity card numbers, personal identifiers and consumer credit data. The Privacy Commissioner has also indicated that biometric data should only be collected where it is necessary and with the consent of the data subject.
Are there additional rules for processing sensitive personal data?
In addition to complying with the DPPs, the Codes of Practice set out additional requirements in respect of the collection, use, retention and deletion of specific types of personal data. Breaching a Code of Practice does not, of itself, render a data user liable to any proceedings but evidence of such a breach is admissible in proceedings and gives rise to a presumption against the data user in such proceedings under the PDPO.
Are there additional rules for processing information about criminal offences?
In terms of general privacy obligations, the rules are the same as for personal data generally. However, note that the Rehabilitation of Offenders Ordinance (“ROO”) prohibits disclosure of spent convictions contained in any records kept by a public officer and contravention may result in a criminal fine of up to HK$25,000. Under the ROO, job candidates with spent convictions are not required to disclose spent convictions unless exemptions apply, e.g. the application is for admission as barrister, solicitor or an accountant, or for a job in the disciplined services. However, employers may ask eligible candidates undertaking work relating to children or mentally incapacitated persons to voluntarily apply to the police for a sexual conviction record check.
Are there any formalities to obtain consent to process sensitive personal data?
No. Where consent of the data subject is required, prescribed consent of the data subject would suffice. While consent can be written or oral, it is advisable to obtain the written consent of the data subject for evidentiary reasons. Implied consent is likely to be insufficient.
When must a data protection officer be appointed?
There is no formal requirement to appoint a data protection officer.
However, DPP1 requires a data user to, on or before collection of personal data, explicitly inform a data subject of his/her rights to request access to, and correction of, his/her personal data and the name (or job title) and address of the person to whom such requests should be made.
What are the duties of a data protection officer?
For the purposes of complying with DPP1, different staff within the same organisation may be appointed to handle data access/correction requests in different contexts. In a large organisation where personal data may be collected for different business functions, a specific person is usually appointed to handle such requests for administrative convenience (even though it is not a legal requirement), along with a generic email address as a means of contacting the person to whom data access/correction requests should be made.
Is there a general accountability obligation?
There is no general accountability obligation under Hong Kong law. However, the Privacy Commissioner has been advocating organisational data users to adopt a privacy management programme in order to build a “robust privacy infrastructure” supported by an effective on-going review and monitoring process to facilitate compliance with the requirements of the PDPO. A best practice guide for a privacy management programme has been published by the Privacy Commissioner (which was most recently revised in March 2019 in light of the GDPR).
Are privacy impact assessments mandatory?
Privacy impact assessments are not mandatory, but the Privacy Commissioner has published an information leaflet setting out information on the process for privacy impact assessments and its general application to data users. The Privacy Commissioner is also increasingly focused on data ethics and data protection by design and has also published related guidance notes and/or information leaflets for small and medium enterprises and for information and communications technology systems.
Privacy notices
Where personal data is collected from the data subject, all practicable steps shall be taken to ensure that the data subject is informed of the purposes for which the data are to be used and the classes of persons to whom the data may be transferred. The data subject must also be informed of his/her rights to request access to and the correction of the data and the name or job title, and address, of the individual who is to handle any such request made to the data user.
Rights to access information
Under DPP6, data subjects are entitled to request access to personal data within 40 days for a fee which must not be excessive. The Privacy Commissioner has specified a prescribed form in which such a request has to be made.
Data subjects are also entitled to lodge a formal “data access request”: (i) to be informed by a data user whether the data user holds personal data of which the individual is the data subject; and (ii) to be supplied with a copy of any such data. Failure to comply with a data access request is an offence under the PDPO.
Rights to data portability
There is no express “right to data portability” under the PDPO. However, in compliance with a data access request lodged by data subjects, and subject to certain exceptions, the PDPO stipulates that the copies of personal data to be supplied in compliance with a data access request shall, as far as practicable, be: (i) intelligible; (ii) readily comprehensible; (iii) in an appropriate language and (iv) in a form specified in the request (or in such form as the data user thinks fit if not specified). This right might therefore be used to ask for data in a portable format.
Right to be forgotten
There is no express “right to be forgotten” under the PDPO. The PDPO only includes a general obligation on a data user to take all practicable steps to erase personal data held by it where the data is no longer required for the purpose for which the data was used (unless such erasure is prohibited under any law or it is in the public interest, including historical interest, for the data not to be erased). In the banking context, however: (i) the Privacy Commissioner has published a specific code of practice on consumer credit data recommending that a credit provider should inform data subjects that they have the right to instruct the credit provider to make a request to a credit reference agency to delete account data relating to a terminated account which is terminated by full repayment and (ii) the Code of Banking Practice published by the Hong Kong Association of Banks requires institution to have in place appropriate control and protection mechanism that acknowledge the rights of customers to obtain prompt correction and/or deletion of inaccurate, or unlawfully collected or processed data.
The Privacy Commissioner has the power, by way of issuing an enforcement notice, to request a data user to remove personal data if the use of the personal data contravenes the PDPO. This power has been exercised by the Privacy Commissioner in the past and was upheld on a legal challenge against the Privacy Commissioner’s decision.
Objection to direct marketing and profiling
Before a data user may use a data subject’s personal data for direct marketing, or provide it to others for this purpose, the data user must obtain the data subject’s consent or “no objection” to the intended use or provision. Accordingly, a data subject may object to any intended use or provision of his/her personal data for direct marketing.
Further, a data subject may later request that a data user ceases to use or provide his/her personal data for direct marketing to which he/she had previously consented. A data user must comply with such a request without charge.
Other rights
Under DPP6, data subjects are entitled to request the correction of personal data without charge to the data subject. This data correction request must be preceded by a data access request. There is no particular form or mode in which a data correction request has to be made, except that it cannot be made verbally.
The Privacy Commissioner may, at his discretion and depending on the circumstances, grant assistance including arranging for legal representation of and advice to data subjects in respect of their legal proceedings against data users.
Security requirements in order to protect personal data
Under DPP4, all practicable steps must be taken to ensure that personal data held by a data user are protected against unauthorised or accidental access, processing, erasure, loss or use. The Privacy Commissioner has recommended the use of encryption in respect of electronic data.
Specific rules governing processing by third party agents (processors)
As mentioned above, there is no direct regulation of processors. Instead, a data user is liable for its agent’s or contractor’s breach of the requirements under the PDPO. Further, under DPP2 and DPP4, if a data user engages a processor (whether within or outside of Hong Kong), the data user must use contractual or other means to ensure that personal data is protected from unauthorised or accidental access, processing, erasure, loss or use, and is not retained for longer than necessary for the purpose of processing the data.
The Privacy Commissioner (in a non-binding information leaflet on Outsourcing the Processing of Personal Data to Data Processors issued in September 2012) has indicated that the types of contractual obligations that could be imposed on a processor include that: (i) the processor must not use or disclose personal data for any purpose other than for the purpose for which the personal data has been entrusted to it by the data user; (ii) the processor must take certain security measures to protect the personal data entrusted to it by the data user; (iii) the processor must comply with the DPPs; (iv) the processor must return or delete the personal data when it is no longer required for the purpose for which it is entrusted by the data user; (v) sub-contracting be prohibited or restricted; and (vi) audit and inspection rights be provided in favour of the data user. The Privacy Commissioner has also indicated that “other means” of ensuring compliance by a processor may include ensuring that reputable processors are selected by a data user and that sufficient due diligence is done by a data user on potential processors.
Additionally, a data user in the banking or insurance sector, in respect of any outsourcing of their business functions must, among other requirements: (i) ensure that anyone to whom it outsources any processing has appropriate controls in place to protect customer personal data; and (ii) notify its customers in general terms that their data will be transferred to an outsourcing partner.
Notice of breach laws
In recent years, the Privacy Commissioner has expressed increasing concern over adequate security measures and potential data breach incidents. In 2023, the Privacy Commissioner received 157 voluntary data breach notifications, which is a significant increase of nearly 50% when compared to 105 voluntary data breach notifications in 2022. The number of data breach incidents involving hacking more than doubled, rising from 29 cases in 2022 (representing 28% of data breach incidents in 2022) to 64 cases in 2023 (representing 41% of data breach incidents in 2023).
Although there is currently no legal requirement for the data users to inform the regulator of a breach of the requirements, the Privacy Commissioner issued a guidance note in June 2010 (and most recently revised in June 2023) encouraging data users to notify the following parties in response to a data breach as a matter of good industry practice: (i) the affected data subjects; (ii) the Privacy Commissioner; (iii) the relevant law enforcement agencies and regulators; and (iv) such other parties who may be able to take remedial actions to protect the personal data privacy and interests of the data subjects affected. It is advisable for the data user to take active remedial steps to lessen the damage that a data breach may cause to data subjects. The guidance note (which is non-binding) sets out some other general suggestions by the Privacy Commissioner of how a data breach could be handled.
Data users should note that although that though there are no mandatory or legal breach reporting regime, they may be liable under the PDPO for other offences such as failure to apply appropriate security measures to personal data (DPP 4).
Restrictions on transfers to third countries
None. There are restrictions on transfers to third countries in section 33 of the PDPO, but these have not come into effect (and there is currently no timetable set of when such restrictions under section 33 of the PDPO will come into legal effect). In December 2014, the Privacy Commissioner issued a non-binding Guidance Note on Personal Data Protection in Cross-border Data Transfer. This was supplemented by a Guidance on Recommended Model Contractual Clauses for Cross-border Transfer of Personal Data published in May 2022 which built upon and updated the December 2014 guidance including the appended recommended model clauses.
The Privacy Commissioner issued a non-binding Guidance Note in December 2023 on cross border transfers in the Greater Bay Area. This guidance encourages personal information processors and recipients in mainland cities within the Greater Bay Area (i.e. Guangzhou, Shenzhen, Zhuhai, Foshan, Huizhou, Dongguan, Zhongshan, Jiangmen and Zhaoqing) that make cross border transfers to Hong Kong (and vice versa) (excluding Macau Special Administrative Region) to adopt a specific Standard Contract (the “GBA Standard Contract”) on a voluntary basis. The GBA Standard Contract regime must be filed with the authorities in Hong Kong (i.e. the OGCIO) and Mainland China (Guangdong Cyberspace Administration of China).
However, data users are still required to comply with the general requirements of the PDPO, including DPP1 and DPP3 when transferring personal data overseas (i.e. notifying data subjects of the purposes of data transfers and the classes of data transferees, and ensuring that the transfer is for a purpose for which the data were to be used at the time of the collection of the data or a directly related purpose).
Notification and approval of national regulator (including notification of use of Model Contracts)
There is no requirement to either notify or obtain the approval of the Privacy Commissioner.
Use of binding corporate rules
Not applicable.
Fines
Breaches of the PDPO may lead to a variety of civil and criminal sanctions including fines and imprisonment.
Breaching an enforcement notice issued by the Privacy Commissioner may result in a fine of up to HK$50,000 and imprisonment for up to two years with a daily penalty of HK$1,000 for a continued breach. Subsequent convictions can result in a maximum fine of HK$100,000 with a daily penalty of HK$2,000 if the offence continues after conviction.
The use of personal data in direct marketing without the data subject’s consent is a criminal offence punishable by a fine of HK$500,000 and imprisonment of up to three years. A data user that provides a third party with personal data: (i) for the purposes of direct marketing; (ii) in return for consideration; and (iii) without the data subject’s consent, will be liable to fines of up to HK$1,000,000 and imprisonment of up to five years (where the data provision is for gain).
Doxxing or disclosure of personal data without the data subject’s consent, with the intention to cause specified harm (including psychological harm) or being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or his or her family member, is a criminal offence punishable by a fine of HK$100,000 and imprisonment of up to two years. If the disclosure of personal data fulfils the said conditions and causes specified harm to the data subject or his or her family member, the offender is liable to fines of up to HK$1,000,000 and imprisonment of up to five years. A Hong Kong person or a non-Hong Kong service provider which fails to comply with a cessation notice issued by the Privacy Commissioner requiring it to remove the doxxing message from the electronic platform, discontinue hosting service for or cease or restrict access to the message is liable to a fine of up to HK$50,000 and to imprisonment of up to 2 years for a first conviction.
Criminal liability
Contravention of an enforcement notice issued by the Privacy Commissioner is a criminal offence (see fines above).
Additional offences relating to failure to comply with the requirements of the Privacy Commissioner, in the Privacy Commissioner’s exercise of its investigatory powers, hindering or obstructing the Privacy Commissioner in performing its functions or powers, making a false or misleading statement to the Privacy Commissioner incur a fine at HK$10,000 and imprisonment of up to six months.
Compensation
Section 66 of the PDPO provides that individuals who suffer loss as a result of a data user’s use of their personal data in contravention of the PDPO are entitled to civil compensation. A defence that reasonable care had been taken in all circumstances reasonably required is available for a data user in the event of any proceedings brought against a data user under this section.
Other powers
The Privacy Commissioner has powers under the PDPO to initiate an investigation when it receives a complaint or on its own initiative if there are reasonable grounds to believe that an act or practice has contravened the requirements under the PDPO. The Privacy Commissioner also has power to inspect a personal data system for the purposes of ascertaining information to assist the Privacy Commissioner in making recommendations for compliance with the PDPO. In carrying out an investigation or an inspection, the Privacy Commissioner may enter into premises with either a warrant or prior notice.
Apart from issuing an enforcement notice, the Privacy Commissioner may also publish reports in respect of its investigation or inspection.
Practice
Doxxing: In the years following the 2021 Amendments, the Privacy Commissioner’s focus has been on combatting doxxing acts. During the period from 8 October 2021 (when the 2021 Amendments came into effect) to 31 December 2023, the Privacy Commissioner commenced criminal investigations for 254 cases and has mounted a total of 42 arrest operations in the same period. On 13 December 2021, the Privacy Commissioner made the first arrest for a suspected doxxing offence that occurred in contravention of the new section 64(3A) of the PDPO relating to “disclosing personal data without consent.”
The first sentencing case of the new doxxing offence was in October 2022, where the defendant was sentenced to 8 months’ imprisonment for disclosing the personal data of the victim on social media platforms without the victim’s consent. The second sentencing case prosecuted by the Privacy Commissioner was in March 2023, where an online trader was sentenced to two months’ imprisonment, suspended for two years, for disclosing the personal data of the trader’s supplier and the supplier’s husband, which contained allegations about fraudulent behaviour, on social media platforms.
Based on the Privacy Commissioner’s 2022-2023 Annual Report, the Privacy Commissioner received 3,644 complaints in total, indicating an increase of approximately 8% from the previous recording period (3368 complaints in 2021-2022). Doxxing-relating complaints accounted for around 18% of the total number of complaints in 2022-2023.
Direct marketing practices: Investigation and prosecution relating to direct marketing practices continue to be one of the main focus areas for enforcement by the Privacy Commissioner. Although it is anticipated that there will be fewer enforcement cases due to increased awareness of data users in recent years. In September 2021, an estate agent was convicted for failing to comply with a data subject’s request to cease to use his personal data for direct marketing and was fined HK $15,000. In February 2023, a Chinese medicine practitioner was convicted of two charges including (i) failing to obtain the data subject’s consent before using her personal data in direct marketing and (ii) failing to inform the data subject, when using her personal data for the first time, of her right to request not to use her personal data in direct marketing without charge, and was fined HK$4,000 in total.
The Privacy Commissioner has been adopting conciliation as a means to resolve disputes between data subjects and the parties being complained against. If a complaint involves criminal elements, they are referred to the police.
Where complaints are unsuitable for conciliation or cannot be conciliated, the Privacy Commissioner will carry out investigations, following which it may issue warnings or enforcement notices against the parties being complained against if a contravention of the PDPO is found.
ePrivacy laws
There are no ePrivacy laws as such, but the PDPO does apply to personal data stored electrically, and it also contains provisions on direct marketing.
Conditions for use of cookies
There are no specific laws on cookies. However, if the cookies contain any personal data, the data user is required to take all practical steps to ensure that the data subject is explicitly informed on or before the collection of data of the purpose for which the data is to be used and the classes of person to whom the data may be transferred. This may be done either through an online notification that appears before the data collection begins or through the website's privacy statement.
Regulatory guidance on the use of cookies
The view of the Privacy Commissioner is that a cookie, in and of itself, does not ordinarily satisfy the definition of personal data under the PDPO. In order to determine whether cookies are personal data, it depends on whether the cookies contain any data that can identify an individual or whether they are held or used with other personal identifying information.
Conditions for direct marketing by e-mail to individual subscribers
Before a data user may use or provide a data subject’s personal data to others for use in direct marketing, the data user must: (i) inform the data subject of the intention to use or provide his/her personal data for direct marketing and that the data user may not use or provide the data for that purpose without the data subject’s consent; (ii) provide the data subject with specific information about the kinds of personal data to be used and the classes of marketing subjects in relation to which the data is to be used and, if the data is to be provided to others, the classes of person to which the data will be provided and whether the data will be provided for gain; and (iii) provide the data subject with a means (at no cost to the data subject) to communicate the data subject’s consent (which is revocable) or “no objection” to the intended use or provision. If a data subject has consented orally to a data user using his/her personal data for direct marketing, the data user must send a written confirmation to the data subject, within 14 days, confirming: (i) the date of receipt of consent; (ii) the permitted kind of personal data; and (iii) the permitted class of marketing subjects.
A data subject may request that a data user ceases to use his/her personal data for direct marketing without charge. A data user must comply with such a request. Further, the Privacy Commissioner has issued a guidance note on direct marketing. In general, the Privacy Commissioner is of the view that a data user may only use personal data for direct marketing of those products/services that are directly related to the original purpose of collection of the data (e.g. a bank may use personal data of its customers for marketing financial and insurance products).
Where an individual or organisation intends to mass market by e-mail in a way which does not constitute direct marketing (for example, sending broadcast messages to a list of subscribers), the Unsolicited Electronic Messages Ordinance (Cap 593) (“UEMO”) applies to the sending of commercial electronic messages. Commercial electronic messages include text messages sent via SMS, pre-recorded phone messages, faxes and emails.
Conditions for direct marketing by e-mail to corporate subscribers
In circumstances where it is clear that a data user directs a marketing message to a corporation’s personnel in their official capacities and the product or service is clearly meant for the exclusive use of the corporation, the Privacy Commissioner would generally take the view that it would not be appropriate to enforce the direct marketing provisions. However, the sending of commercial electronic messages under the UEMO applies to both recipients of commercial electronic messages who may be individuals or organisations.
Exemptions and other issues
There is transitional relief for personal data collected under the previous direct marketing regime (subject to certain conditions being met). There is also an exception to the direct marketing rules where the data user has obtained the personal data from a third party and the third party has confirmed that relevant notifications have been made to, and consents obtained from, the data subjects.
Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)
The conditions under the PDPO are the same as for direct marketing by email.
Unsolicited pre-recorded telephone messages which do not mention the name of the recipients or involve the recipients’ personal data will not fall under the remit of the PDPO. However, under the requirements of the UEMO, a person should not send a commercial electronic message (including voice messages) if it is listed on a Do Not Call Register administered by the Office of the Communications Authority in Hong Kong unless the relevant recipient has given clear and unambiguous consent to the sender. Currently, person-to-person interactive telephone calls are not regulated under the UEMO.
Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)
As noted, in circumstances where it is clear that a data user directs a marketing message to a corporation’s personnel in their official capacities and the product or service is clearly meant for the exclusive use of the corporation, the Privacy Commissioner would generally take the view that it would not be appropriate to enforce the direct marketing provisions. However the UEMO applies to both recipients of commercial electronic messages who may be individuals and organisations.
Exemptions and other issues
The exemptions under the PDPO are the same as for direct marketing by email.
There are exemptions that apply under schedule 1 and 2 of the UEMO relating to interactive person-to-person communications, and service-related commercial electronic messages (for example, reminder to a recipient of an upcoming subscribed event).
Contents