A Q&A guide to data protection in Hong Kong.
This Q&A guide gives a high-level overview of data protection rules and principles, including obligations on the data controller and the consent of data subjects; rights to access personal data or object to its collection; and security requirements. It also covers cookies and spam; data processing by third parties; and the international transfer of data. This article also details the national regulator; its enforcement powers; and sanctions and remedies.
This article is part of the PLC multi-jurisdictional guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-mjg.
The Personal Data (Privacy) Ordinance, Cap 486 (Ordinance), which came into force on 20 Dec 1996, protects the privacy of individuals in relation to personal data and related matters. The Ordinance did not implement the Data Protection Directive but its provisions clearly reflect those of the Data Protection Directive. There are current proposals to reform the Ordinance. The public consultation for reform was completed at the end of 2010, and it is unlikely that reform will be implemented earlier than 2012.
The Ordinance is enforced by the Privacy Commissioner for Personal Data of Hong Kong (Commissioner) (see box, The regulatory authority).
The Ordinance applies to any person (data user), in both the public and private sectors, that controls the collection, holding, processing or use of personal data (see Question 3). That person can be natural or legal (for example, an individual, company, or public entity).
The Ordinance covers any data (personal data) relating directly or indirectly to a living individual (data subject), which is:
Capable of identifying the data subject.
In a form that can be practicably accessed or processed.
The following acts are regulated in relation to personal data:
The Ordinance applies within the territory of Hong Kong.
It is uncertain whether the Ordinance currently has extra-territorial scope. Section 33 of the Ordinance prohibits transfer of personal data outside Hong Kong, except in specified circumstances. However, the government has not yet brought section 33 into force and it is unknown when or whether it will (see Question 19). The Commissioner (see box, The regulatory authority) ruled in a specific case that the Ordinance did not have extra-territorial effect, and could not apply to any act committed by a foreign party on foreign soil. On an appeal against the Commissioner's decision, the Administrative Appeal Board (AAB) apparently indicated that it disagreed with this view (Shi Tao v Privacy Commissioner for Personal Data  1 HKC 287). However, this statement was obiter dicta and the case was decided on a different basis.
The Ordinance provides specific exemptions from the requirements of the Ordinance, including:
A broad exemption for personal data held for domestic or recreational purposes.
Exemptions from requirements that the data subject has access, and the limitations of use to which the personal data can be put, where the application of these requirements is likely to prejudice certain competing public or social interests, such as:
the prevention or detection of crime;
the remedying of unlawful conduct. Case law provides that this includes civil wrongs, for example:
the tort of negligence (Tse Lai Yin Lily & ors v Incorp Owners of Albert House & ors  1 HKC 386); and
copyright infringement (Cinepoly Records Co Ltd & ors v Hong Kong Broadband Network Ltd & ors  HKLRD 255);
the assessment or collection of any tax or duty;
news activities; and
health (that is, the prevention of serious harm to an individual's physical or mental health).
Exemptions from the limitations of use requirements if the personal data is used for research or the preparation of statistics where the results that are made available do not identify any of the individuals concerned.
Exemptions from the requirements that the data subject has access for certain employment-related personal data in staff planning or a personal reference context.
For more information on the access and limitations of use requirements, see Question 8.
Schedule 1 to the Ordinance sets out six data protection principles (DPPs) (see Question 8). Sub-paragraph 3 of the first data protection principle (DPP1) provides that:
When personal data is collected directly from the data subject, the data user must notify the data subject:
whether it is obligatory or voluntary for the data subject to supply the data and, if it is obligatory, the consequences of not supplying the data;
of the purpose for which the data is to be used;
of the classes of persons to whom the data may be transferred.
Before the first use of the data for the purpose for which collection was made, the data user must inform the data subject of the:
data subject's right to request access and correction of the data; and
contact details of the person to whom the subject can make this request.
In practice, these notifications are often incorporated in one written statement (a personal information collection statement (PICS)).
There are no other obligations to inform before processing, except under section 33, which is not yet in force (this section provides circumstances in which personal data can be transferred outside Hong Kong where the data subject's consent is obtained) (see Question 5). The data subject has generally no right to object to direct marketing before it occurs, although it must be given the right to opt out when the subject's data is used for the first time in direct marketing (section 34, Ordinance).
Any act or practice that breaches one of the six DPPs is prohibited, unless this act or practice is required or permitted under the Ordinance (section 4, Ordinance). The six DPPs are:
DPP1: purpose and manner of collection. This requires that the collection of personal data be lawful and fair and sets out the information a data user must give to a data subject when collecting personal data from that subject. It provides that:
the data must be collected for a lawful purpose that is directly related to a function or activity of the data user and the collection must be necessary, adequate and not excessive (sub-paragraph (1));
the means of collection must be lawful and fair (sub-paragraph (2)); and
certain matters must be notified to the data subject prior to the collection or the first use of the data collected (sub-paragraph (3)) (see Question 7).
DPP2: accuracy and duration of retention. Personal data should be accurate, up-to-date and kept no longer than necessary.
DPP3: use of personal data. Personal data can only be used for:
the purpose for which collection was made;
a directly related purpose;
a purpose for which the data subject has given consent, as long as this consent has not been withdrawn.
DPP4: security of personal data. Appropriate security measures must be applied to personal data to protect against unauthorised or accidental access, processing, erasure, or other use. The data user bears this security obligation even where the data is kept in a form in which access to or processing of the data is not practicable.
DPP5: information to be generally available. Data users must be open about the kinds of personal data they hold and the main purposes for which personal data is used.
DPP6: access to personal data. Data subjects must have rights to access and correct their personal data.
What rules are there concerning the form and content of consent? Does online consent suffice?
Are there any special rules concerning consent by minors?
The consent of the data subject must be obtained for the use of personal data outside the purpose for which collection is made or a directly related purpose under DPP3 (see Question 8). This is known as the prescribed consent (section 2(3), Ordinance).
The Ordinance does not provide rules concerning the form and content of consent. However, the PICS is relevant to the form and content of prescribed consent, as in the case of a dispute it will determine whether the:
Purpose of the data collection has been notified and the nature of the notified purpose.
Consent of the data subject has been obtained and the nature of that consent.
The form and content of the PICS has been the subject of debate:
In August 2010 the AAB ruled that a Hong Kong bank was in breach of the requirements of DPP3. One of its main criticisms was that the fine print of the PICS discouraged people from reading it and therefore did not bind a customer that was a consumer (Wing Lung Bank Ltd v PCPD  6 HKC 266).
In October 2010 the Commissioner released an investigation report which recommended, among other things, guidelines to ensure a PICS is effectively communicated to data subjects. The report concerned the sale of the personal data of over two million individuals by the company Octopus to other entities for direct marketing purposes. This sale was revealed by an ex-employee of one of the purchasers and immediately resulted in widespread public objections (The Collection and Use of Personal Data of Members under the Octopus Rewards Programme run by Octopus Rewards Limited, Report Number: R10-9866, 18 October 2010).
The Commissioner released a guidance note on Guidance on the Collection and Use of Personal Data in Direct Marketing (Guidance) in October 2010, which contains guidelines for the content of the PICS, including:
The layout of the PICS (including the font size, spacing, underlining, use of appropriate highlights, key words and contrasts) should be designed so that the PICS is easily readable to customers with normal eyesight.
The PICS should be presented in a conspicuous manner (for example, the PICS should be a stand-alone section and its contents should not be buried among the terms and conditions for the provision of the data user's services).
The language of the PICS should be reader friendly (for example, the use of simple rather than difficult words and the avoidance of use of legal terms or convoluted phrases).
Further assistance from the data user, such as a help desk or enquiry service, should be given to enable the data subject to understand the contents of the PICS.
Prescribed consent can be obtained, for example, by inviting the subject to tick a box or give a separate signature specifying whether he agrees to the prescribed use of the personal data.
The purpose of use and class of people or entities to whom the data will be transferred should not be defined in such wide and vague terms (for example, "other related purposes") that it would not be practicable for data subjects to ascertain with a reasonable degree of certainty how their data could be used and who would have the use of the data. For example, the class of data transferees should be defined by a distinctive description such as financial services companies, telecommunication service providers, and so on.
The guidance makes no specific distinction between consent obtained online or via other circumstances, so an online consent obtained in compliance with the Commissioner's guidelines should be sufficient.
No special rules are provided concerning consent by minors. The Commissioner has expressed the view that in cases involving minors and persons under a disability, consideration should be given as to whether the person has a sufficient understanding and intelligence to enable him or her to fully understand what is proposed. This effectively follows the UK position (Gillick v West Norfolk and Wisbech Area Health Authority and Another  AC 112).
Processing can be used for certain purposes (such as the prevention of serious harm to an individual's physical or mental health) without the data subject's consent (see Question 6).
The Ordinance does not provide special rules for certain types of personal data or a definition of sensitive data. The Commissioner is arguing for reform of the Ordinance to classify biometric data as sensitive data and to limit the collection of sensitive data (see Question 1).
When personal data is collected directly from the data subject, he must be given certain information (such as whether it is obligatory or voluntary to supply the data, the purpose for which the data is to be used, and the classes of persons to whom the data may be transferred) (see Question 7).
Data subjects have the right:
To access and request correction of their data (DPP6) (see Question 8). Data users must respond to requests within 40 days (sections 19 and 23, Ordinance). Failure to comply is an offence punishable by a fine of up to HK$50,000 (section 64(10), Ordinance). (As at 1 March 2011, US$1 was about HK$7.8.)
Of compensation for damage, including injury to feelings, arising from a breach of the Ordinance (section 66, Ordinance). However, there are no known cases of a successful private claim. This is probably because the:
data user has the defence that it showed reasonable care and relied on inaccurate data received from a third party (section 66(3), Ordinance);
claimant has the burden of proof;
costs of litigation discourage claimants from bringing a claim.
Appropriate security measures must be applied to personal data held by a data user to protect against unauthorised or accidental access, processing, erasure or other use, with particular regard to (section 4 and DPP4, Ordinance):
The kind of data and the harm that could result if any of those things should occur.
The physical location where the data is stored.
Any security measures incorporated (whether by automated means or otherwise) into any equipment in which the data is stored.
Any measures taken for ensuring the integrity, prudence and competence of persons having access to the data.
Any measures taken for ensuring the secure transmission of the data.
Hong Kong has no requirement to notify personal data security breaches to data subjects or the Commissioner. In Hong Kong, a number of data security breaches have occurred when public or statutory body staff lost universal serial bus (USB) storage devices containing individuals' personal data, and in practice, the public or statutory bodies usually notified the individuals concerned and the Commissioner. The Commissioner is arguing that the Ordinance should be amended to make notification mandatory (see Question 1).
The Ordinance contains no additional requirements where a third party processes the data on behalf of the data user. A third party processor who holds, processes or uses the personal data solely on the data user's behalf and not for any of the third party processor's own purposes is not a data user and is not bound by the Ordinance or the DPPs (section 2(12), Ordinance). A data user who appoints a third party processor is liable for the acts or conduct of that processor, which follows the usual rule that principals are liable for the acts of their agents (section 65(2), Ordinance).
The Ordinance does not provide any conditions before cookies or equivalent devices can be stored. The Commissioner recommends that a web site that sends out cookies should inform via the web site's PPS that cookies are used (see Question 13). The PPS should also indicate whether use of the web site is permitted if cookies are not accepted, and if so what (if any) loss of functionality non-acceptance of the cookies will involve.
The Unsolicited Electronic Messages Ordinance (UEMO) Cap 593 regulates the sending of spam. It prohibits:
The use of unscrupulous techniques (for example, address harvesting software, dictionary or brute force attack) to send spam.
Fraud or other illicit activities (for example, the use of hacked or zombie computers, or sending with falsified header information) related to the sending of multiple spam (that is, more than 100 messages in 24 hours or more than 1,000 in 30 days).
Direct marketing businesses and e-marketing businesses must comply with the following requirements in relation to sending unsolicited electronic commercial communications:
The sender's information must be provided in the communications and contact facilities must be valid for a minimum of 30 days.
The recipient must be offered an opportunity to opt out from receiving these communications.
Opt-out selections made by recipients must be honoured within ten working days.
Commercial electronic messages cannot be sent to entries in the do-not-call registers (for phone, fax and mobile numbers) set up by the Office of the Telecommunications Authority (OFTA).
Unless and until section 33 comes into force, there are no regulations prohibiting the transfer of data outside Hong Kong (see Question 5). Acts done by any overseas transferee are regarded as the acts of the Hong Kong data transferor who is liable for any acts that breach the DPPs (section 65(2), Ordinance).
If section 33 comes into force, a data user can only transfer personal data outside Hong Kong if one or more of the following apply:
The overseas place has been specified (that is, white-listed) by the Commissioner.
The overseas place has in force a law which is substantially similar to or serves the same purposes as the Ordinance.
The data user has obtained the written consent of the data subject to the transfer.
The data user has taken reasonable precautions and exercised due diligence to ensure that, in the overseas place, the data will be afforded comparable protection as that provided in Hong Kong. This rule would permit the use of contractual arrangements to achieve a comparable level of protection for the personal data to be transferred (data transfer agreements).
Data transfer agreements are contemplated, although section 33 is not yet in force (see Question 19). The Commissioner has prepared a model contract which is publicly available at the Commissioner's website (www.pcpd.org.hk).
If and when section 33 comes into force, a data transfer agreement, if properly drafted and enforced, will be sufficient to legitimise transfer (see Question 19). Obtaining written consent from the data subject to the overseas transfer would be another way to legitimise the transfer.
There is no requirement for the Commissioner to approve the data transfer agreement, although the Commissioner has prepared a model contract (see Question 20).
The Commissioner has enforcement powers to (Ordinance):
Investigate complaints, either on receiving a complaint or on its own initiative (section 38). The Commissioner's investigation powers include:
entering into premises (section 42(1));
requiring information and production of documents (section 44).
Issue an enforcement notice directing a data user to take remedial steps if after investigation it considers the data user may have breached the Ordinance and there is a likelihood of the breach's continuation or repetition (section 50).
Publish an investigation report, at its discretion, if for example the Commissioner considers that the public interest requires publication (section 48).
It is not an offence to breach a DPP. However, a breach of any of the sections of the Ordinance or a breach of an enforcement notice is an offence and can be punished by fines or imprisonment (section 64, Ordinance). For example, it is a criminal offence, punishable by a fine of up to HK$10,000 and/or up to six months' imprisonment, to:
Provide false or misleading information to answer a data access request or data correction request.
Obstruct, hinder, or resist the Commissioner's investigation.
A breach of an enforcement notice is also a criminal offence and attracts a fine of up to HK$50,000 plus a daily fine of up to HK$1,000 for a continuing breach and up to two years' imprisonment.
Since the Ordinance came into force in 1996, the Commissioner has received a number of complaints, started a number of investigations, and some of the Commissioner's decisions have been appealed to the AAB. However, there are only a few cases in which enforcement notices have been issued and no criminal sanctions are known to have been imposed.
Main areas of responsibility. The Commissioner has a number of responsibilities, including to:
Formulate operational policies and procedures to implement the provisions of the Ordinance.
Monitor and supervise compliance with the provisions of the Ordinance.
Carry out inspections of personal data systems, including those of government departments and statutory corporations.
Investigate, on receipt of complaints from data subjects or on its own initiative, suspected breaches of requirements of the Ordinance.
Undertake research into, and monitor developments in, the processing of data and computer technology that may have adverse effects on the privacy of individuals in relation to personal data.
Liaise and co-operate with persons performing similar data protection functions in any place outside Hong Kong in respect of matters of mutual interest concerning the privacy of individuals in relation to personal data.
Qualified. Hong Kong, 1990
Areas of practice. Intellectual property and information technology (IP & IT); data protection; product liability.