Data Protected - Hong Kong

Last updated December 2017

General | Data Protection Laws

National Legislation
National Supervisory Authority
Scope of Application
Personal Data
Sensitive Personal Data
Data Protection Officers
Accountability and Privacy Impact Assessments
Rights of Data Subjects
Security
Transfer of Personal Data to Third Countries
Enforcement

ePrivacy | Marketing and cookies

National Legislation
Cookies
Marketing by E-mail
Marketing by Telephone

_____________________________________________________________________

General | Data Protection Laws

____________________________________________________________

National Legislation

General data protection laws 

The Personal Data (Privacy) Ordinance (the “PDPO”) which contains the Data Protection Principles (the “DPP”).

Entry into force

The majority of the provisions of the PDPO came into force on 20 December 1996. The PDPO was significantly amended by the Personal Data (Privacy) (Amendment) Ordinance 2012. The majority of the amendments came into force on 1 October 2012 but the provisions that established a new direct marketing regime only came into force on 1 April 2013.

_____________________________________________________________________

National Supervisory Authority

Details of the competent national supervisory authority

Office of the Privacy Commissioner for Personal Data (the “Privacy Commissioner”)

12/F, Sunlight Tower, 248 Queen's Road East
Wanchai
Hong Kong

www.pcpd.org.hk

Notification or registration scheme and timing

There is no legal requirement to notify the Privacy Commissioner in respect of any collection or use of personal data.

There is a Data User Return Scheme under the PDPO. This requires specified organisations to notify the Privacy Commissioner of "prescribed information" including the kinds of personal data they control and the purposes for which the personal data are collected, held, processed or used. However, the Privacy Commissioner has put the Data User Return Scheme on hold until after the reform of the European Union’s data protection system, on which the Hong Kong system is modelled, has been finalised.  There have not been any updates as of November 2017.

Exemptions to notification

Not applicable.

_____________________________________________________________________

Scope of Application

What is the territorial scope of application?

The PDPO applies where the data user in question controls the processing of data in or from Hong Kong even if the data processing cycle occurs outside Hong Kong. The PDPO does not contain any express provisions conferring extra-territorial application.

Is there a concept of a controller and a processor?

The PDPO requires all “data users” to comply with the DPPs.

However, a person who merely holds, processes or uses personal data solely on behalf of another person but not for his/her own purposes is not considered to be a data user in respect of such personal data (e.g. an internet service provider who merely provides internet connection services to data users).

Are both manual and electronic records subject to data protection legislation?

The PDPO applies to both manual and electronic records as long as they contain personal data.

Are there any national derogations?

The PDPO contains: (i) general exemptions from the DPPs for personal data held for domestic or recreational purposes; (ii) exemptions from access requirements (i.e. DPP6) for certain employment-related personal data and relevant processes or where the access to personal data will derogate legal professional privilege or the right against self-incrimination; and (iii) exemptions from use limitations and access requirements (i.e. DPP3 and DPP6) in a wide range of situations.

A non-exhaustive list of the more common exemptions from use limitations and access requirements includes: (i) for the purpose of safeguarding Hong Kong’s security, defence and international relations, crime prevention or detection; (ii) assessment or collection of any tax or duty; (iii) prevention of unlawful or seriously improper conduct, news activities; (iv) legal proceedings; (v) due diligence exercises; and (vi) life-threatening emergency situations.

_____________________________________________________________________

Personal Data

What is personal data?

The PDPO defines personal data to mean any data relating directly or indirectly to a living individual from which it is practicable for the individual to be directly or indirectly identified. Personal data must also be in a form in which access to, or processing of, the data is practicable.

Is information about legal entities personal data?

No. However, information about sole proprietors and partnerships may be treated as personal data if such information satisfies the definition of personal data.

What are the rules for processing personal data?

Data users are required to comply with the six data protection principles.

DPP1 provides for the lawful and fair collection of personal data and sets out the information a data user must give to a data subject when collecting personal data from that data subject.

DPP2 provides that personal data should be accurate, up-to-date and kept no longer than necessary.

DPP3 provides that personal data should only be used for the purposes for which they were collected or a directly related purpose. A data user is required to obtain the “prescribed consent” of the data subject if the data user intends to use the personal data for purposes other than those for which the data were originally collected or for a directly related purpose.

DPP4 requires appropriate security measures to be applied to personal data.

DPP5 requires that data users provide general information about the kinds of personal data they hold and the main purposes for which personal data are used.

DPP6 provides for data subjects to have rights of access to and correction of their personal data.

Are there any formalities to obtain consent to process personal data?

Prescribed consent is defined in the PDPO to mean the express consent of the data subject which has been given voluntarily and not withdrawn in writing.

Prescribed consent is required pursuant to DPP3 if a data user intends to use the personal data for purposes other than those for which the data were originally collected or for a directly-related purpose.

Are there any special rules when processing personal data about children?

If the data subject is a minor (i.e. under the age of 18) and prescribed consent is required from the minor in accordance with DPP3, then in appropriate circumstances, a person with parental responsibility for the minor may give the prescribed consent on behalf of the minor.

_____________________________________________________________________

Sensitive Personal Data

What is sensitive personal data?

There is no concept of “sensitive” personal data under the PDPO.

However, the Privacy Commissioner has issued Codes of Practice setting out specific requirements in respect of certain types of personal data such as identity card numbers, personal identifiers and consumer credit data. The Privacy Commissioner has also indicated that biometric data should only be collected where it is necessary and with the consent of the data subject.

Are there additional rules for processing sensitive personal data?

In addition to complying with the DPPs, the Codes of Practice set out additional requirements in respect of the collection, use, retention and deletion of specific types of personal data. Breaching a Code of Practice does not, of itself, render a data user liable to any proceedings but evidence of such a breach is admissible in proceedings under the PDPO.

Are there additional rules for processing information about criminal offences?

In terms of general privacy obligations, the rules are the same as for personal data generally. However, note that the Rehabilitation of Offenders Ordinance prohibits disclosure of spent convictions contained in any records kept by a public officer and contravention may result in a criminal fine of up to HK$25,000.

Are there any formalities to obtain consent to process sensitive personal data?

No. Where consent of the data subject is required, prescribed consent of the data subject would suffice. While consent can be written or oral, it is advisable to obtain the written consent of the data subject. Implied consent is likely to be insufficient.

_____________________________________________________________________

Data Protection Officers

When must a data protection officer be appointed?

DPP1 requires a data user to, on or before collection of personal data, explicitly inform a data subject of his/her rights to request access to, and correction of, his/her personal data and the name (or job title) and address of the person to whom such requests should be made. There is no formal requirement to appoint a data protection officer.

What are the duties of a data protection officer?

For the purposes of complying with DPP1, different staff within the same organisation may be appointed to handle data access/correction requests in different contexts.  In a large organisation where personal data may be collected for different business functions, a specific person is usually appointed to handle such requests for administrative convenience (even though it is not a legal requirement), along with a generic email address as a means of contacting the person to whom data access/correction requests should be made.

_____________________________________________________________________

Accountability and Privacy Impact Assessments

Is there a general accountability obligation?

There is no general accountability obligation under Hong Kong law.  However, the Privacy Commissioner has been advocating organisational data users to adopt a privacy management programme in order to build a “robust privacy infrastructure” supported by an effective on-going review and monitoring process to facilitate compliance with the requirements of the PDPO.  A best practice guide for a privacy management programme has been published by the Privacy Commissioner.

Are privacy impact assessments mandatory?

Privacy impact assessments are not mandatory, but the Privacy Commissioner has published an information leaflet setting out information on the process for privacy impact assessments and its general application to data users.

_____________________________________________________________________

Rights of Data Subjects

Privacy notices

Where personal data is collected from the data subject, all practicable steps shall be taken to ensure that the data subject is informed of the purpose for which the data are to be used and the classes of persons to whom the data may be transferred. The data subject must also be informed of his/her rights to request access to and the correction of the data and the name or job title, and address, of the individual who is to handle any such request made to the data user.

Rights to access information

Under DPP6, data subjects are entitled to request access to their personal data; the data user must comply within 40 days and may charge a fee which must not be excessive. The Privacy Commissioner has specified a prescribed form in which such a request has to be made.

Data subjects are also entitled to lodge a formal “data access request”: (i) to be informed by a data user whether the data user holds personal data of which the individual is the data subject; and (ii) to be supplied with a copy of any such data. Failure to comply with a data access request is an offence under the PDPO.

Rights to data portability

Subject to certain exceptions, the PDPO stipulates that copies of personal data supplied in compliance with a data access request shall, as far as practicable, be: (i) intelligible; (ii) readily comprehensible; (iii) in an appropriate language; and (iv) in the form specified in the request (or in such form as the data user thinks fit if no form is specified). This right might therefore be used to ask for data in a portable format.

Right to be forgotten

There is no express “right to be forgotten” under the PDPO.  The PDPO only includes a general obligation on a data user to take all practicable steps to erase personal data held by it where the data is no longer required for the purpose for which the data was used (unless such erasure is prohibited under any law or it is in the public interest, including historical interest, for the data not to be erased). 

The Privacy Commissioner has the power, by way of issuing an enforcement notice, to request a data user to remove personal data if the use of the personal data contravenes the PDPO.  This power has been exercised by the Privacy Commissioner in the past and was upheld on a legal challenge against the Privacy Commissioner’s decision.

Objection to direct marketing and profiling

Before a data user may use a data subject’s personal data for direct marketing, or provide it to others for this purpose, the data user must obtain the data subject’s consent or “no objection” to the intended use or provision. Accordingly, a data subject may object to any intended use of his/her personal data for direct marketing.

Further, a data subject may later request that a data user ceases to use his/her personal data for direct marketing to which he/she had previously consented. A data user must comply with such a request without charge.

Other rights

Under DPP6, data subjects are entitled to request the correction of personal data without charge to the data subject. This data correction request must be preceded by a data access request. There is no particular form or mode in which a data correction request has to be made, except that it cannot be made verbally.

The Privacy Commissioner may, at his discretion and depending on the circumstances, grant assistance including arranging for legal representation of and advice to data subjects in respect of their legal proceedings against data users.

_____________________________________________________________________

Security

Security requirements in order to protect personal data

Under DPP4, all practicable steps must be taken to ensure that personal data held by a data user are protected against unauthorised or accidental access, processing, erasure, loss or use. The Privacy Commissioner has recommended the use of encryption in respect of electronic data.

Specific rules governing processing by third party agents (processors)

There is no direct regulation of processors. Instead, a data user is liable for its agent’s or contractor’s breach of the requirements under the PDPO. Further, under DPP2 and DPP4, if a data user engages a processor (whether within or outside of Hong Kong), the data user must use contractual or other means to ensure that personal data is protected from unauthorised or accidental access, processing, erasure, loss or use, and is not retained for longer than necessary for the purpose of processing the data.

The Privacy Commissioner (in a non-binding information leaflet on Outsourcing the Processing of Personal Data to Data Processors issued in September 2012) has indicated that the types of contractual obligations that could be imposed on a processor include that: (i) the processor must not use or disclose personal data for any purpose other than for the purpose for which the personal data has been entrusted to it by the data user; (ii) the processor must take certain security measures to protect the personal data entrusted to it by the data user; (iii) the processor must comply with the DPPs; (iv) the processor must return or delete the personal data when it is no longer required for the purpose for which it is entrusted by the data user; (v) sub-contracting be prohibited or restricted; and (vi) audit and inspection rights be provided in favour of the data user. The Privacy Commissioner has also indicated that “other means” of ensuring compliance by a processor may include ensuring that reputable processors are selected by a data user and that sufficient due diligence is done by a data user on potential processors.

Additionally, a data user in the banking or insurance sector, in respect of any outsourcing of their business functions must, among other requirements: (i) ensure that anyone to whom it outsources any processing has appropriate controls in place to protect customer personal data; and (ii) notify its customers in general terms that their data will be transferred to an outsourcing partner.

Notice of breach laws

Although there is no legal requirement for data users to inform the regulator of a data breach, the Privacy Commissioner issued a guidance note in June 2010 encouraging data users to notify the following parties in response to a data breach: (i) the affected data subjects; (ii) the Privacy Commissioner; (iii) the relevant law enforcement agencies and regulators; and (iv) such other parties who may be able to take remedial actions to protect the personal data privacy and interests of the data subjects affected. It is advisable for the data user to take active remedial steps to lessen the damage that a data breach may cause to data subjects. The guidance note (which is non-binding) sets out some other general suggestions by the Privacy Commissioner on how a data breach could be handled.

_____________________________________________________________________

Transfer of Personal Data to Third Countries

Restrictions on transfers to third countries

None. There are restrictions in section 33 of the PDPO, but these have not come into effect. In December 2014, the Privacy Commissioner issued a non-binding Guidance Note on Personal Data Protection in Cross-border Data Transfer. However, data users are still required to comply with the general requirements of the PDPO, including DPP3 when transferring personal data overseas (i.e. the transfer must be for a purpose for which the data were to be used at the time of the collection of the data or a directly related purpose). Based on public statements made by the Privacy Commissioner during 2016, it is expected that section 33 of the PDPO will undergo significant redrafting before coming into force.

Notification and approval of national regulator (including notification of use of Model Contracts)

There is no requirement to either notify or obtain the approval of the Privacy Commissioner.

Use of binding corporate rules

Not applicable.

_____________________________________________________________________

Enforcement

Fines

Breaches of the PDPO may lead to a variety of civil and criminal sanctions including fines and imprisonment.

If a data user breaches an enforcement notice issued by the Privacy Commissioner, it will be liable to a fine of HK$50,000 (on first conviction) or HK$100,000 (on a subsequent conviction) and imprisonment.

The use of personal data in direct marketing without the data subject’s consent is a criminal offence punishable by a fine of HK$500,000 and imprisonment. A data user that provides a third party with personal data: (i) for the purposes of direct marketing; (ii) in return for consideration; and (iii) without the data subject’s consent, will be liable to fines of up to HK$1,000,000 and imprisonment.

Criminal liability

If a data user breaches an enforcement notice issued by the Privacy Commissioner, it will be liable to a fine and imprisonment for two years.

The use of personal data in direct marketing without the data subject’s consent is a criminal offence punishable by a fine and imprisonment for up to three years. A data user that provides a third party with personal data: (i) for the purposes of direct marketing; (ii) in return for consideration; and (iii) without the data subject’s consent, will be liable to fines and imprisonment for up to five years.

Compensation

Data subjects have a right to bring proceedings in court to seek compensation for damage, including damages for injury to feelings.

Other powers

The Privacy Commissioner has powers under the PDPO to initiate an investigation when it receives a complaint or on its own initiative if there are reasonable grounds to believe that an act or practice has contravened the requirements under the PDPO.  The Privacy Commissioner also has power to inspect a personal data system for the purposes of ascertaining information to assist the Privacy Commissioner in making recommendations for compliance with the PDPO.  In carrying out an investigation or an inspection, the Privacy Commissioner may enter into premises with either a warrant or prior notice.

Apart from issuing an enforcement notice, the Privacy Commissioner may also publish reports in respect of its investigation or inspection.

Practice

Based on the latest statistics issued by the Privacy Commissioner, it received 16,180 enquiries and 1,838 complaints in 2016.  73% of the complaints were made against the private sector and the nature of the complaints mainly related to: (i) the use of personal data without the consent of data subject; (ii) the purpose and manner of data collection; (iii) data security; and (iv) data access/correction requests.

An investigation initiated by the Privacy Commissioner and continued by the police has led to the first imposition of a prison sentence for a breach of the PDPO. In December 2014, a former insurance agent was sentenced to four weeks of imprisonment for offences including two counts of making a false statement to the Privacy Commissioner. It should however be noted that the insurance agent also simultaneously pleaded guilty to other fraud offences and that his sentence for breaching the PDPO arose from his conduct during the Privacy Commissioner’s investigation as opposed to for breaching the data protection principles under the PDPO.

Investigation and prosecution relating to direct marketing practices has always been the focus of enforcement actions by the Privacy Commissioner.  For example, in April 2016, a Community Service Order of 80 hours was imposed on an insurance agent for the offences of (i) using the personal data of a data subject in direct marketing without taking specified actions/obtaining consent; and (ii) failing to inform the data subject, when using his personal data in direct marketing for the first time, of his right to request (without charge) that his personal data not be used in direct marketing. In May 2016, a marketing company was fined HK$16,000 for the offences of (i) using the personal data of a data subject in direct marketing without taking specified actions/obtaining consent and (ii) failing to comply with the data subject’s request to cease using his personal data in direct marketing.

In June 2017, the sole director of an employment agency was convicted of the offence of failing to comply with a lawful requirement of the Privacy Commissioner and he was fined HK$3,000.  This is the first conviction for this offence since the PDPO came into force.

_____________________________________________________________________

ePrivacy | Marketing and cookies

_____________________________________________________________

National Legislation

ePrivacy laws

There are no ePrivacy laws as such, but the PDPO does apply to personal data stored electronically, and it also contains provisions on direct marketing.

_____________________________________________________________________

Cookies

Conditions for use of cookies

There are no specific laws on cookies. However, if the cookies contain any personal data, the data user is required to take all practicable steps to ensure that the data subject is explicitly informed, on or before the collection of the data, of the purpose for which the data is to be used and the classes of person to whom the data may be transferred. This may be done either through an online notification that appears before the data collection begins or through the website's privacy statement.

Regulatory guidance on the use of cookies

The view of the Privacy Commissioner is that a cookie, in and of itself, does not ordinarily satisfy the definition of personal data under the PDPO. Whether a cookie is personal data depends on whether it contains any data that can identify an individual, or whether it is held or used together with other personal identifying information.

_____________________________________________________________________

Marketing by E-mail

Conditions for direct marketing by e-mail to individual subscribers

Before a data user may use or provide a data subject’s personal data to others for use in direct marketing, the data user must: (i) inform the data subject of the intention to use or provide his/her personal data for direct marketing and that the data user may not use or provide the data for that purpose without the data subject’s consent; (ii) provide the data subject with specific information about the kinds of personal data to be used and the classes of marketing subjects in relation to which the data is to be used and, if the data is to be provided to others, the classes of person to which the data will be provided and whether the data will be provided for gain; and (iii) provide the data subject with a means (at no cost to the data subject) to communicate the data subject’s consent (which is revocable) or “no objection” to the intended use or provision. If a data subject has consented orally to a data user using his/her personal data for direct marketing, the data user must send a written confirmation to the data subject, within 14 days, confirming: (i) the date of receipt of consent; (ii) the permitted kind of personal data; and (iii) the permitted class of marketing subjects.

A data subject may request that a data user ceases to use his/her personal data for direct marketing without charge. A data user must comply with such a request. Further, the Privacy Commissioner has issued a guidance note on direct marketing. In general, the Privacy Commissioner is of the view that a data user may only use personal data for direct marketing of those products/services that are directly related to the original purpose of collection of the data (e.g. a bank may use personal data of its customers for marketing financial and insurance products).

Conditions for direct marketing by e-mail to corporate subscribers

The PDPO does not apply to corporate subscribers.

Exemptions and other issues

There is transitional relief for personal data collected under the previous regime (subject to certain conditions being met). There is also an exception to the direct marketing rules where the data user has obtained the personal data from a third party and the third party has confirmed that relevant notifications have been made to, and consents obtained from, the data subjects.

_____________________________________________________________________

Marketing by Telephone

Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)

The conditions are the same as for marketing by email.

Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)

The PDPO does not apply to corporate subscribers.

Exemptions and other issues

The exemptions are the same as for marketing by email.

_____________________________________________________________________