Data Protected - Hong Kong SAR
Last updated July 2022
General | Data Protection Laws
National Supervisory Authority
Scope of Application
Sensitive Personal Data
Data Protection Officers
Accountability and Privacy Impact Assessments
Rights of Data Subjects
Transfer of Personal Data to Third Countries
ePrivacy | Marketing and cookies
General | Data Protection Laws
General data protection laws
The Personal Data (Privacy) Ordinance (the “PDPO”) which contains the Data Protection Principles (the “DPP”).
Entry into force
The majority of the provisions of the PDPO came into force on 20 December 1996. The PDPO was significantly amended by the Personal Data (Privacy) (Amendment) Ordinance 2012 (“2012 Amendments”) and the Personal Data (Privacy) (Amendment) Ordinance 2021 (“2021 Amendments”). Notably, the 2012 Amendments which came into effect on 1 April 2013 established a direct marketing regime, and the 2021 Amendments (which came into effect on 9 October 2021) made substantial additions to criminalise doxxing acts and empower the Privacy Commissioner with related enforcement powers.
National Supervisory Authority
Details of the competent national supervisory authority
Office of the Privacy Commissioner for Personal Data (the “Privacy Commissioner”)
Room 1303, 13/F, Dah Sing Financial Centre, 248 Queen's Road East
Wanchai, Hong Kong.
Telephone: +852 2827 2827
Notification or registration scheme and timing
There is no legal requirement to notify the Privacy Commissioner in respect of any collection or use of personal data.
There is a Data User Return Scheme under the PDPO. This requires specified organisations to notify the Privacy Commissioner of "prescribed information" including the kinds of personal data they control and the purposes for which the personal data are collected, held, processed or used. However, the Privacy Commissioner put the Data User Return Scheme on hold during the reform of the European Union’s data protection system, on which the Hong Kong system is modelled. As the GDPR removed registration requirements and the focus of the Privacy Commissioner is now on the implementation of accountability principles and privacy management programmes, it is unclear whether the Privacy Commissioner will continue to implement the Data User Return Scheme.
Exemptions to notification
Scope of Application
What is the territorial scope of application?
The PDPO applies where the data user in question controls the processing of data in or from Hong Kong even if the data processing cycle occurs outside Hong Kong. The PDPO does not contain any express provisions conferring extra-territorial application.
Is there a concept of a controller and a processor?
Yes, but the terminology is different. Data processors (being persons who process personal data on behalf of another person rather than for their own purpose(s)) are not directly regulated under the PDPO. Instead, data users (which are akin to data controllers under the GDPR) are required to ensure, by contractual or other means, that their data processors meet the applicable requirements of the PDPO. Data users are liable for the acts and omissions of their data processors.
Are both manual and electronic records subject to data protection legislation?
The PDPO applies to both manual and electronic records as long as they contain personal data.
Are there any national derogations?
The PDPO contains: (i) general exemptions from the DPPs for personal data held for domestic or recreational purposes; (ii) exemptions from access requirements (i.e. DPP6) for certain employment-related personal data and relevant processes or where the access to personal data will derogate legal professional privilege or the right against self-incrimination; and (iii) exemptions from use limitations and access requirements (i.e. DPP3 and DPP6) in a wide range of situations.
A non-exhaustive list of the more common exemptions from use limitations and access requirements includes: (i) safeguarding Hong Kong’s security, defence and international relations, or crime prevention or detection; (ii) assessment or collection of any tax or duty; (iii) prevention of unlawful or seriously improper conduct; (iv) news activities; (v) legal proceedings; (vi) due diligence exercises; and (vii) life-threatening emergency situations.
What is personal data?
The PDPO defines personal data to mean any data relating directly or indirectly to a living individual from which it is practicable for the individual to be directly or indirectly identified. Personal data must also be in a form in which access to, or processing of, the data is practicable.
Is information about legal entities personal data?
No. However, information about sole proprietors and partnerships may be treated as personal data if such information satisfies the definition of personal data.
What are the rules for processing personal data?
Data users are required to comply with the six data protection principles.
DPP1 provides for the lawful and fair collection of personal data and sets out the information a data user must give to a data subject when collecting personal data from that data subject.
DPP2 provides that personal data should be accurate, up-to-date and kept no longer than necessary.
DPP3 provides that personal data should only be used for the purposes for which they were collected or a directly related purpose. A data user is required to obtain the “prescribed consent” of the data subject if the data user intends to use the personal data for purposes other than those for which the data were originally collected or for a directly related purpose.
DPP4 requires appropriate security measures to be applied to personal data.
DPP5 requires that data users provide general information about the kinds of personal data they hold and the main purposes for which personal data are used.
DPP6 provides for data subjects to have rights of access to and correction of their personal data.
Are there any formalities to obtain consent to process personal data?
Prescribed consent is defined in the PDPO to mean the express consent of the data subject which has been given voluntarily and not withdrawn in writing.
Prescribed consent is required pursuant to DPP3 if a data user intends to use the personal data for purposes other than those for which the data were originally collected or for a directly-related purpose.
Are there any special rules when processing personal data about children?
If the data subject is a minor (i.e. under the age of 18) and prescribed consent is required from the minor in accordance with DPP3, then in appropriate circumstances, a person with parental responsibility for the minor may give the prescribed consent on behalf of the minor.
Are there any special rules when processing personal data about employees?
The data protection principles generally apply equally in an employment context and the Privacy Commissioner has published specific codes of practice and/or guidelines in relation to human resource management and monitoring and personal data privacy at work. However, the PDPO contains exemptions from access requirements (i.e. DPP6) for certain employment-related personal data and relevant processes. These exemptions allow employers to refuse access by employees to their personal data relevant to staff planning proposals or employment-related evaluative processes (against which the relevant employee has a right to appeal and for as long as the relevant process is on-going and a determination is yet to be made). Examples of such evaluative processes include disciplinary proceedings, promotion exercises or evaluative processes concerning the employee’s continuing employment. However, the appeal period is not considered as part of the relevant process. Therefore, an employer who receives a data access request by an employee after the determination of the relevant process (but before any appeal) should still comply with a data access request.
Sensitive Personal Data
What is sensitive personal data?
There is no concept of “sensitive” personal data under the PDPO.
However, the Privacy Commissioner has issued Codes of Practice setting out specific requirements in respect of certain types of personal data such as identity card numbers, personal identifiers and consumer credit data. The Privacy Commissioner has also indicated that biometric data should only be collected where it is necessary and with the consent of the data subject.
Are there additional rules for processing sensitive personal data?
In addition to complying with the DPPs, the Codes of Practice set out additional requirements in respect of the collection, use, retention and deletion of specific types of personal data. Breaching a Code of Practice does not, of itself, render a data user liable to any proceedings but evidence of such a breach is admissible in proceedings under the PDPO.
Are there additional rules for processing information about criminal offences?
In terms of general privacy obligations, the rules are the same as for personal data generally. However, note that the Rehabilitation of Offenders Ordinance prohibits disclosure of spent convictions contained in any records kept by a public officer and contravention may result in a criminal fine of up to HK$25,000.
Are there any formalities to obtain consent to process sensitive personal data?
No. Where consent of the data subject is required, prescribed consent of the data subject would suffice. While consent can be written or oral, it is advisable to obtain the written consent of the data subject for evidentiary reasons. Implied consent is likely to be insufficient.
Data Protection Officers
When must a data protection officer be appointed?
DPP1 requires a data user to, on or before collection of personal data, explicitly inform a data subject of his/her rights to request access to, and correction of, his/her personal data and the name (or job title) and address of the person to whom such requests should be made. There is no formal requirement to appoint a data protection officer.
What are the duties of a data protection officer?
For the purposes of complying with DPP1, different staff within the same organisation may be appointed to handle data access/correction requests in different contexts. In a large organisation where personal data may be collected for different business functions, a specific person is usually appointed to handle such requests for administrative convenience (even though it is not a legal requirement), along with a generic email address as a means of contacting the person to whom data access/correction requests should be made.
Accountability and Privacy Impact Assessments
Is there a general accountability obligation?
There is no general accountability obligation under Hong Kong law. However, the Privacy Commissioner has been advocating organisational data users to adopt a privacy management programme in order to build a “robust privacy infrastructure” supported by an effective on-going review and monitoring process to facilitate compliance with the requirements of the PDPO. A best practice guide for a privacy management programme has been published by the Privacy Commissioner (which was most recently revised in March 2019 in light of the GDPR).
Are privacy impact assessments mandatory?
Privacy impact assessments are not mandatory, but the Privacy Commissioner has published an information leaflet setting out information on the process for privacy impact assessments and its general application to data users. The Privacy Commissioner is also increasingly focused on data ethics and data protection by design and has also recently published related guidance notes and/or information leaflets for small and medium enterprises and for information and communications technology systems.
Rights of Data Subjects
Where personal data is collected from the data subject, all practicable steps shall be taken to ensure that the data subject is informed of the purposes for which the data are to be used and the classes of persons to whom the data may be transferred. The data subject must also be informed of his/her rights to request access to and the correction of the data and the name or job title, and address, of the individual who is to handle any such request made to the data user.
Rights to access information
Under DPP6, data subjects are entitled to request access to personal data within 40 days for a fee which must not be excessive. The Privacy Commissioner has specified a prescribed form in which such a request has to be made.
Data subjects are also entitled to lodge a formal “data access request”: (i) to be informed by a data user whether the data user holds personal data of which the individual is the data subject; and (ii) to be supplied with a copy of any such data. Failure to comply with a data access request is an offence under the PDPO.
Rights to data portability
Subject to certain exceptions, the PDPO stipulates that copies of personal data supplied in compliance with a data access request shall, as far as practicable, be: (i) intelligible; (ii) readily comprehensible; (iii) in an appropriate language; and (iv) in the form specified in the request (or in such form as the data user thinks fit if none is specified). This right might therefore be used to ask for data in a portable format.
Right to be forgotten
There is no express “right to be forgotten” under the PDPO. The PDPO only includes a general obligation on a data user to take all practicable steps to erase personal data held by it where the data is no longer required for the purpose for which the data was used (unless such erasure is prohibited under any law or it is in the public interest, including historical interest, for the data not to be erased). In the banking context, however: (i) the Privacy Commissioner has published a specific code of practice on consumer credit data under which a credit provider must inform data subjects that they have the right to instruct the credit provider to request that a credit reference agency delete account data relating to a terminated account; and (ii) the Code of Banking Practice published by the Hong Kong Association of Banks requires institutions to have in place appropriate control and protection mechanisms that acknowledge the rights of customers to obtain prompt correction and/or deletion of inaccurate, or unlawfully collected or processed, data.
The Privacy Commissioner has the power, by way of issuing an enforcement notice, to request a data user to remove personal data if the use of the personal data contravenes the PDPO. This power has been exercised by the Privacy Commissioner in the past and was upheld on a legal challenge against the Privacy Commissioner’s decision.
Objection to direct marketing and profiling
Before a data user may use a data subject’s personal data for direct marketing, or provide it to others for this purpose, the data user must obtain the data subject’s consent or “no objection” to the intended use or provision. Accordingly, a data subject may object to any intended use of his/her personal data for direct marketing.
Further, a data subject may later request that a data user ceases to use his/her personal data for direct marketing to which he/she had previously consented. A data user must comply with such a request without charge.
Under DPP6, data subjects are entitled to request the correction of personal data without charge to the data subject. This data correction request must be preceded by a data access request. There is no particular form or mode in which a data correction request has to be made, except that it cannot be made verbally.
The Privacy Commissioner may, at his discretion and depending on the circumstances, grant assistance including arranging for legal representation of and advice to data subjects in respect of their legal proceedings against data users.
Security requirements in order to protect personal data
Under DPP4, all practicable steps must be taken to ensure that personal data held by a data user are protected against unauthorised or accidental access, processing, erasure, loss or use. The Privacy Commissioner has recommended the use of encryption in respect of electronic data.
Specific rules governing processing by third party agents (processors)
As mentioned above, there is no direct regulation of processors. Instead, a data user is liable for its agent’s or contractor’s breach of the requirements under the PDPO. Further, under DPP2 and DPP4, if a data user engages a processor (whether within or outside of Hong Kong), the data user must use contractual or other means to ensure that personal data is protected from unauthorised or accidental access, processing, erasure, loss or use, and is not retained for longer than necessary for the purpose of processing the data.
The Privacy Commissioner (in a non-binding information leaflet on Outsourcing the Processing of Personal Data to Data Processors issued in September 2012) has indicated that the types of contractual obligations that could be imposed on a processor include that: (i) the processor must not use or disclose personal data for any purpose other than for the purpose for which the personal data has been entrusted to it by the data user; (ii) the processor must take certain security measures to protect the personal data entrusted to it by the data user; (iii) the processor must comply with the DPPs; (iv) the processor must return or delete the personal data when it is no longer required for the purpose for which it is entrusted by the data user; (v) sub-contracting be prohibited or restricted; and (vi) audit and inspection rights be provided in favour of the data user. The Privacy Commissioner has also indicated that “other means” of ensuring compliance by a processor may include ensuring that reputable processors are selected by a data user and that sufficient due diligence is done by a data user on potential processors.
Additionally, a data user in the banking or insurance sector, in respect of any outsourcing of their business functions must, among other requirements: (i) ensure that anyone to whom it outsources any processing has appropriate controls in place to protect customer personal data; and (ii) notify its customers in general terms that their data will be transferred to an outsourcing partner.
Notice of breach laws
In recent years, the Privacy Commissioner has expressed increasing concern over adequate security measures and potential data breach incidents. In 2021, the Privacy Commissioner initiated 377 compliance checks and conducted six compliance investigations, which respectively represented an increase of 10% and 500% when compared to 344 compliance checks and one compliance investigation conducted in 2020.
Although there is currently no legal requirement for the data users to inform the regulator of a breach of the requirements, the Privacy Commissioner issued a guidance note in June 2010 (and most recently revised in January 2019) encouraging data users to notify the following parties in response to a data breach: (i) the affected data subjects; (ii) the Privacy Commissioner; (iii) the relevant law enforcement agencies and regulators; and (iv) such other parties who may be able to take remedial actions to protect the personal data privacy and interests of the data subjects affected. It is advisable for the data user to take active remedial steps to lessen the damage that a data breach may cause to data subjects. The guidance note (which is non-binding) sets out some other general suggestions by the Privacy Commissioner of how a data breach could be handled.
Data users should note that, although there is no mandatory or legal breach reporting regime, they may be liable under the PDPO for other offences such as failure to apply appropriate security measures to personal data (DPP4).
Transfer of Personal Data to Third Countries
Restrictions on transfers to third countries
None. There are restrictions in section 33 of the PDPO, but these have not come into effect. In December 2014, the Privacy Commissioner issued a non-binding Guidance Note on Personal Data Protection in Cross-border Data Transfer. This was supplemented by a Guidance on Recommended Model Contractual Clauses for Cross-border Transfer of Personal Data published in May 2022 which built upon and updated the December 2014 guidance including the appended recommended model clauses. However, data users are still required to comply with the general requirements of the PDPO, including DPP3 when transferring personal data overseas (i.e. the transfer must be for a purpose for which the data were to be used at the time of the collection of the data or a directly related purpose).
Notification and approval of national regulator (including notification of use of Model Contracts)
There is no requirement to either notify or obtain the approval of the Privacy Commissioner.
Use of binding corporate rules
Breaches of the PDPO may lead to a variety of civil and criminal sanctions including fines and imprisonment.
Breaching an enforcement notice issued by the Privacy Commissioner may result in a fine of up to HK$50,000 and imprisonment for up to two years with a daily penalty of HK$1,000 for a continued breach. Subsequent convictions can result in a maximum fine of HK$100,000 with a daily penalty of HK$2,000 if the offence continues after conviction.
The use of personal data in direct marketing without the data subject’s consent is a criminal offence punishable by a fine of HK$500,000 and imprisonment of up to five years. A data user that provides a third party with personal data: (i) for the purposes of direct marketing; (ii) in return for consideration; and (iii) without the data subject’s consent, will be liable to fines of up to HK$1,000,000 and imprisonment of up to five years.
Contravention of an enforcement notice issued by the Privacy Commissioner is a criminal offence (see fines above).
Additional offences relating to failure to comply with the requirements of the Privacy Commissioner, including hindering or obstructing the Privacy Commissioner in performing its functions or exercising its powers, failing to comply with a requirement of the Privacy Commissioner, or making a false, reckless or misleading statement to the Privacy Commissioner, incur a fine of HK$10,000 and imprisonment of up to six months.
Section 66 of the PDPO provides that individuals who suffer loss as a result of a data user’s use of their personal data in contravention of the PDPO are entitled to civil compensation. A defence that reasonable care had been taken in all circumstances reasonably required is available for a data user in the event of any proceedings brought against a data user under this section.
The Privacy Commissioner has powers under the PDPO to initiate an investigation when it receives a complaint, or on its own initiative if there are reasonable grounds to believe that an act or practice has contravened the requirements under the PDPO. The Privacy Commissioner also has power to inspect a personal data system for the purpose of ascertaining information to assist the Privacy Commissioner in making recommendations for compliance with the PDPO. In carrying out an investigation or an inspection, the Privacy Commissioner may enter premises with either a warrant or prior notice.
Apart from issuing an enforcement notice, the Privacy Commissioner may also publish reports in respect of its investigation or inspection.
Criminal prosecutions: The first imposition of a prison sentence for a breach of the PDPO was in December 2014. In this case, a former insurance agent was sentenced to four weeks of imprisonment for offences including two counts of making a false statement to the Privacy Commissioner. It should however be noted that the insurance agent also simultaneously pleaded guilty to other fraud offences. His sentence for breaching the PDPO arose from his conduct during the Privacy Commissioner’s investigation, rather than penalising his breach of data protection principles under the PDPO.
Doxxing: In the years preceding the 2021 Amendments, the Privacy Commissioner’s focus had been on combatting doxxing acts. During the period from 8 October 2021 (when the 2021 Amendments came into effect) to 31 December 2021, the Privacy Commissioner commenced criminal investigations in 25 cases. On 13 December 2021, the Privacy Commissioner made the first arrest for a suspected doxxing offence in contravention of the new section 64(3A) of the PDPO relating to “disclosing personal data without consent.”
Based on the Privacy Commissioner’s 2020-2021 Annual Report, the Privacy Commissioner received 3,157 complaints in total, a reduction of 71% from the previous reporting period. Notwithstanding a significant reduction in doxxing-related complaints from the year before, doxxing-related complaints still accounted for around 30% of the total number of complaints.
Direct marketing practices: Investigation and prosecution relating to direct marketing practices continue to be one of the primary focus areas for enforcement by the Privacy Commissioner. Most significantly, in September 2019, a telecommunications company was fined HK$84,000 after pleading guilty to 14 charges which related to the offence of failing to comply with the data subject’s request to cease using her personal data in direct marketing. Another telecommunications company was fined HK$12,000 in May 2020 for contravention of similar direct marketing provisions under the PDPO. Notwithstanding other areas of focus by the Privacy Commissioner, we expect direct marketing to continue to be an active area of enforcement given the prevalence of non-compliance.
In recent years, the Privacy Commissioner has adopted conciliation as a means of resolving disputes between data subjects and the parties complained against. If a complaint involves criminal elements, it is referred to the police.
Where complaints are unsuitable for conciliation or cannot be conciliated, the Privacy Commissioner will carry out investigations, following which it may issue warnings or enforcement notices against the parties being complained against if a contravention of the PDPO is found.
ePrivacy | Marketing and cookies
There are no ePrivacy laws as such, but the PDPO does apply to personal data stored electronically, and it also contains provisions on direct marketing.
There are no specific laws on cookies. However, if the cookies contain any personal data, the data user is required to take all practicable steps to ensure that the data subject is explicitly informed, on or before the collection of the data, of the purpose for which the data is to be used and the classes of person to whom the data may be transferred. This may be done either through an online notification that appears before the data collection begins or through the website's privacy statement.
The view of the Privacy Commissioner is that a cookie, in and of itself, does not ordinarily satisfy the definition of personal data under the PDPO. In order to determine whether cookies are personal data, it depends on whether the cookies contain any data that can identify an individual or whether they are held or used with other personal identifying information.
Conditions for direct marketing by e-mail to individual subscribers
Before a data user may use or provide a data subject’s personal data to others for use in direct marketing, the data user must: (i) inform the data subject of the intention to use or provide his/her personal data for direct marketing and that the data user may not use or provide the data for that purpose without the data subject’s consent; (ii) provide the data subject with specific information about the kinds of personal data to be used and the classes of marketing subjects in relation to which the data is to be used and, if the data is to be provided to others, the classes of person to which the data will be provided and whether the data will be provided for gain; and (iii) provide the data subject with a means (at no cost to the data subject) to communicate the data subject’s consent (which is revocable) or “no objection” to the intended use or provision. If a data subject has consented orally to a data user using his/her personal data for direct marketing, the data user must send a written confirmation to the data subject, within 14 days, confirming: (i) the date of receipt of consent; (ii) the permitted kind of personal data; and (iii) the permitted class of marketing subjects.
A data subject may request that a data user ceases to use his/her personal data for direct marketing without charge. A data user must comply with such a request. Further, the Privacy Commissioner has issued a guidance note on direct marketing. In general, the Privacy Commissioner is of the view that a data user may only use personal data for direct marketing of those products/services that are directly related to the original purpose of collection of the data (e.g. a bank may use personal data of its customers for marketing financial and insurance products).
Where an individual or organisation intends to mass market by e-mail in a way which does not constitute direct marketing (for example, sending broadcast messages to a list of subscribers), the Unsolicited Electronic Messages Ordinance (Cap 593) (“UEMO”) applies to the sending of commercial electronic messages. Commercial electronic messages include text messages sent via SMS, pre-recorded phone messages, faxes and emails.
Conditions for direct marketing by e-mail to corporate subscribers
The PDPO does not apply to corporate subscribers; however, the UEMO applies to the sending of commercial electronic messages to recipients who are either individuals or organisations.
Exemptions and other issues
There is transitional relief for personal data collected under the previous regime (subject to certain conditions being met). There is also an exception to the direct marketing rules where the data user has obtained the personal data from a third party and the third party has confirmed that relevant notifications have been made to, and consents obtained from, the data subjects.
Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)
The conditions under the PDPO are the same as for direct marketing by email.
Unsolicited pre-recorded telephone messages which do not mention the name of the recipients or involve the recipients’ personal data will not fall under the remit of the PDPO. However, under the requirements of the UEMO, a person should not send a commercial electronic message (including voice messages) if it is listed on a Do Not Call Register administered by the Communications Authority in Hong Kong unless the relevant recipient has given clear and unambiguous consent to the sender. Currently, person-to-person interactive telephone calls are not regulated under the UEMO.
Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)
The PDPO does not apply to corporate subscribers; however, the UEMO applies to commercial electronic messages sent to recipients who are either individuals or organisations.
Exemptions and other issues
The exemptions under the PDPO are the same as for direct marketing by email.
There are exemptions under Schedules 1 and 2 of the UEMO relating to interactive person-to-person communications and service-related commercial electronic messages (for example, a reminder to a recipient of an upcoming subscribed event).