Hong Kong: Data Protection & Cyber Security

Personal Data (Privacy) Ordinance (Cap. 486) (the PDPO)

The key personal data protection framework in Hong Kong is in the PDPO. The PDPO focusses on six Data Protection Principles (the DPPs), restricts direct marketing without consent, and establishes the Office of the Privacy Commissioner for Personal Data (the PCPD) as the national supervisory authority.

All “data users” are required to comply with the six DPPs, summarised as follows:

1. DPP1 – Purpose and manner of collection: personal data shall only be collected for a lawful purpose directly related to a function or activity of the data user, should be necessary and adequate but not excessive for that purpose, the method of collection should be lawful and fair, and certain information must be provided to data subjects about the collection.
2. DPP2 – Accuracy and retention: data users must take all practicable steps to ensure personal data should be accurate, up-to-date and kept no longer than necessary, and data users must require data processors to comply with the retention requirement.
3. DPP3 – Use of data: personal data should only be used for the purposes for which they were collected or a directly related purpose, unless the data subject’s informed consent has been obtained. A data subject can withdraw his/her prior consent by written notice to the data user.
4. DPP4 – Data security: data users must take “all practicable steps” to ensure that personal data held by data users are protected against unauthorised or accidental access, processing, erasure, loss or use, having regard to the nature of the data and potential harm to the data subject, and data users must require data processors to comply with the data security requirement.
5. DPP5 – Openness and transparency: data users must take all practicable steps to ensure openness of their personal data policies and practices, including providing general information about the kinds of personal data they hold and the main purposes for which personal data are used.
6. DPP6 – Access and correction: data subjects have rights of access to and correction of their personal data (supplemented by Part 5 of the PDPO, covering data access requests and data correction requests).

Contravention of any of the DPPs is not a direct offence of itself, although the PCPD can investigate and issue a public enforcement notice, breach of which is an offence. Contravention of certain specific provisions of the PDPO is also an offence, including not erasing personal data that is no longer required for the purpose for which it is used, and disclosure of personal data obtained from a data user without the data user’s consent.

The maximum penalty for an offence under the PDPO is a fine of HK$1 million and imprisonment for 5 years (depending on the provision breached).

The PCPD is the designated personal data privacy regulator and an individual can complain to the PCPD if they suspect a data user has possibly breached the PDPO. In addition to the general personal data protection framework under the PDPO, there are sector-specific personal data protection requirements imposed by some industry regulators (see question 28 below).

Personal Data (Privacy) (Amendment) Ordinance 2021 (the Amendment Ordinance)

On 8 October 2021, the Hong Kong SAR Government implemented the Amendment Ordinance, which amends the PDPO to include new ‘doxxing’ offences. Doxxing is the act of publishing private or identifying information about an individual on the internet, typically for malicious purposes. The amendments fall into three categories:

• the criminalisation of doxxing offences;
• the PCPD’s criminal investigation and prosecution powers in relation to such offences; and
• the PCPD’s power to direct the removal of doxxing content and issue cessation notices with extra-territorial effect.

The Amendment Ordinance provides new two-tier doxxing offences as follows:

1. disclosing personal data of a data subject without their consent, with an intent to cause specified harm to the data subject or any of their family members, or being reckless as to whether any specified harm would be or likely be caused – punishable on conviction by up to a HK$100,000 fine and 2 years’ imprisonment; and
2. where, in addition to the above, a specified harm is actually caused to the data subject or their family members – punishable on conviction by up to a HK$1,000,000 fine and 5 years’ imprisonment.

Future amendments

Other proposed amendments to the PDPO were not included in the final Amendment Ordinance.

The PCPD is currently reviewing the PDPO with the HKSAR Government with a view to formulating further amendment proposals. The areas of review include mandatory data breach notifications, specified data retention periods, regulating data processors, and giving the PCPD power to impose direct administrative fines.

It is currently unknown which (if any) of these proposals would be included in further amendment legislation and when any such changes would come into effect. Anyone considering their rights and obligations under Hong Kong law should check the status of any proposed amendments.

No. There are currently no mandatory registration or licensing requirements for data users, data processors, or other person covered by the PDPO.

The PDPO adopts the key definitions “personal data“, “data subject“, “data user” (not ‘data controller’), and “data processor“:

Personal data means information which:

• relates directly or indirectly to a living individual;
• from which it is practicable to identify that individual directly or indirectly (including using other data held by the same data user); and
• is in a form in which access to or processing of the data is practicable.

There is no concept of sensitive personal data under the PDPO and there are no additional restrictions specifically imposed with respect to sensitive personal data. However, the PCPD has published certain codes and guidelines regarding the collection and use of certain types of personal data which will require special attention (including Hong Kong identity cards, biometric data and consumer credit data – see further question 7 below).

The type and sensitivity of personal data is also relevant in considering whether to give a voluntary data breach notification – the PCPD’s non-binding Guidance on Data Breach Handling and the Giving of Breach Notifications suggests giving a data breach notification to data subjects where there is a reasonably foreseeable real risk of harm arising from the data breach.

Data Subject means a (living) individual who is the subject of personal data.

Data User means a person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of personal data. A data user is a person who makes a substantive decision as to how to use an item of personal data. There can therefore be more than one Data User in respect of any item of personal data (for example if different group entities use personal data for different reasons). The PDPO does not use the definition “data controller”.

Data Processor means a person who processes personal data on behalf of another person (a data user), instead of for his/her own purpose(s). A data processor can make technical decisions on how to implement a data user’s instructions regarding personal data, but cannot make any substantive decision without becoming a data user. Data processors are not directly regulated under the PDPO. Instead data users are required, by contractual or other means, to ensure that their data processors meet the applicable requirements of the PDPO.

The Amendment Ordinance amends the PDPO to include the following definition (used in particular for the doxxing offences):

Specified harm means harassment, molestation, pestering, threat or intimidation to the person which may take the form of: psychological pressure; bodily or psychological harm to the person; harm causing the person reasonably to be concerned for or worried about the person’s safety or well-being; or damage to the property of the person.

Data breaches: There is currently no definition of “personal data breach” in the PDPO, although the PDPO is considering the inclusion of such a definition as part of its review of the PDPO.

The key principles under the PDPO for processing personal data are contained in the six DPPs (outlined at question 1 above). A main objective of the DPPs is to ensure that collection of personal data is minimal and conducted on a fully-informed basis and in a fair manner. Personal data should be processed securely, only kept for as long as necessary and use of the data should be limited to or related to the original collection purpose. The DPPs also outline data subjects’ rights to access and make corrections to their personal data.

DPP1(1)(a) provides that personal data must not be collected except for a lawful purpose directly related to a function or activity of the party that will use the data, while DPP1(3) requires that the data subject be notified explicitly of certain information related to the collection of data before the first collection (save for limited circumstances). The PDPO therefore adopts an initial ‘implied consent’ approach.

DPP3 prohibits the use of personal data for any new purpose which is not the original purpose when collecting the data (or a related purpose), except where the data subject’s express and voluntary consent has been obtained.

DPP1 and DPP3 combined mean that it is not possible to obtain a blanket consent (in a notice or agreement between the data user and data subject) that purports to give the data user the right to use personal data for any purpose whatsoever.

Other than as set out below, there are no requirements for the form in which consent is obtained or handled.

Despite the ability to rely on implied consent for primary data use, it is advisable to obtain written consent (which may be indicated by a signature or a tick box).

Use outside original purpose

As noted in question 5 above, DPP3 requires a data user to obtain express and voluntary consent to use personal data for new purposes beyond the initial purpose of collection.

Direct marketing

Part 6A of the PDPO requires that data users must obtain explicit informed consent of a data subject before using the data subject’s personal data for direct marketing or transferring the data to a third party for direct marketing. Silence cannot constitute consent. For further information on direct marketing see question 23 below.

Biometric data

Any consent obtained from a data subject for the collection of biometric data must be voluntary. Compulsory collection of biometric data without any legal basis or reasonable grounds might not be regarded as fair.

There is no definition of “sensitive personal data” under the PDPO, although the PCPD uses the term in its guidance.

DPP4(1)(a) provides that a data user must take all practicable steps to protect personal data by reference to the kind of data and the harm that could result from unauthorised collection.

The PCPD has issued Codes of Practice (the Codes) covering certain types of sensitive personal data, relating to:

1. Identity Card Numbers and Other Personal Identifiers;
2. Human Resource Management; and
3. Consumer Credit Data.

The Codes are not legally binding, but a breach of a Code by a data user can give rise to a presumption against the data user in any legal proceedings under the PDPO.

The PCPD has also issued guidance on personal data collection and use in certain scenarios, including by employers, schools, in certain industries (such as mobile service operators, property management, banking and insurance), and for certain types of personal data (such as biometric data).

The PCPD has indicated across several of these guidance notes that “sensitive personal data” should be encrypted when transmitted, processed or stored.

Electronic Health data

In addition to the general requirements of the PDPO, the Electronic Health Record Sharing System Ordinance (Cap. 625) regulates the collection, sharing, use and safe-keeping of patients’ health data under the Electronic Health Record Sharing System. This relates to healthcare providers only. Further information on health data is set out at question 28 below.

The PDPO does not contain specific provisions relating to children’s personal data, although the PDPO and the DPPs apply equally to such data.

If the data subject is a child and their consent is required for the collection of personal data, a parent or guardian may give the prescribed consent. The PCPD has issued Guidance on the Collection and Use of Personal Data through the Internet – Points to Note for Data Users Targeting at Children, which specifically relates to the collection of children’s data, as well as a series of publications and activities to promote children’s personal data privacy (including a Children Privacy ‘thematic website’).

Personal Data (Privacy) Ordinance (Cap. 486)

Part 8 of the PDPO exempts certain specified DPPs and provisions of the PDPO from applying to personal data held in specified circumstances, including (but not limited to):

• Personal data held by a court, a magistrate or a judicial officer in the course of performing judicial functions;
• Personal data relating to staff planning and personal references;
• Personal data held for the purposes of prevention or detection of crime, the apprehension, prosecution or detention of offenders and other similar provisions;
• Where personal data is disclosed to a data user involved in news activity and the disclosing person has reasonable grounds to believe (and reasonably believes) that the publishing or broadcasting is in the public interest; and
• Personal data covered by legal professional privilege.

These exemptions operate as a defence for data users that fail to comply with the exempted requirements under the PDPO. The exemptions applicable in each circumstance are different, and it is advisable to review the table published by the PCPD summarising the exemptions.

Personal Data (Privacy) (Amendment) Ordinance 2021

The Amendment Ordinance provides for four statutory defences for the two-tier doxxing offences (see question 1 above) including:

• where there was a reasonable belief that the disclosure was necessary for preventing or detecting crime;
• where there was a reasonable belief that the data subject gave their consent to the disclosure;
• where there was a reasonable belief that disclosure was in the public interest and was made for news activity purposes; and
• where the disclosure was required or authorised by law or a court order.

The PDPO does not impose ‘data protection by design’ or ‘data protection by default’ as requirements.

The PCPD encourages business to adopt data protection by design and has developed (jointly with the Singapore Personal Data Protection Commission) a Guide to Data Protection By Design for ICT systems.

There is no mandatory obligation in the PDPO for data users and data processors to keep records of their processing activities. However, the PCPD’s Guidance on Outsourcing the Processing of Personal Data to Data Processors recommends keeping records of all personal data transferred to a third party for processing.

Under the DPPs, data users engaging a data processor (within or outside Hong Kong) must adopt contractual or other means to:

• prevent any personal data transferred from being kept longer than is necessary for processing (DPP2(3)); and
• prevent unauthorised or accidental access, processing, erasure, loss or use (DPP4(2)).

The PCPD recommends incorporating additional contractual clauses in service contracts or entering into separate contracts with data processors, that could impose obligations such as keeping records and immediate reporting of any sign of abnormalities or security breaches.

The PDPO also includes provisions prohibiting the transfer of personal data outside Hong Kong (and the transfer between two jurisdictions outside Hong Kong where the data user is in Hong Kong) unless certain conditions are met. However, these provisions have never been brought into effect.

In addition to these provisions, it is recommended for data users and data processors to keep records of data processing activities in order to be able to respond promptly and comprehensively to any enquiry or investigation by the PCPD into compliance with the DPPs, or to any complaint by a data subject.

As noted in question 1 above, the PCPD is considering specific legal obligations for data processors, but these are not yet known.

Under the PDPO there is currently no specified data retention period nor any statutory obligation to maintain a data retention policy.

Under DPP2, data users must take all practicable steps to ensure that personal data is accurate and is not kept longer than is necessary for the fulfilment of the purpose for which the data is used. If a data user engages a data processor for handling personal data of other persons, the data user should adopt contractual or other means to ensure that the data processor complies with the same retention requirement.

In accordance with section 26 of the PDPO, data users must take all practicable steps to erase personal data held when the data is no longer required for the purpose which it was used, unless any such erasure is prohibited under law or it is in the public interest not to have the data erased.

As noted in question 1 above, the PCPD is currently considering a prescribed data retention period, and requirement for data users to have a data retention policy (likely to be supplemented by templates and guidelines published by the PCPD).

There is currently no obligation to consult with the PCPD, or to issue data breach notifications to the PCPD.

The PCPD has recommended in its Guidance on Data Breach Handling and the Giving of Breach Notifications that data users should notify the PCPD about data breaches as part of “recommended practice for proper [data breach] handling”. Such notifications are currently voluntary, although the PCPD can take into account whether data breach notifications were given in considering whether a data user has complied with the DPPs (in particular DPP4 – data security).

The PCPD’s review of the PDPO includes the potential introduction of mandatory data breach notifications to both the PCPD and data subjects within a specified timeframe (still to be set).

Although not mandatory, the PCPD recommends that organisations implement a Privacy Management Programme, which should include periodic risk assessments and privacy impact assessments (see the PCPD’s Privacy Management Programme: A Best Practice Guide).

The PCPD recommends that organisations conduct yearly risk assessments to ensure their privacy policies comply with the PDPO and privacy impact assessments before launching any new projects, products or services to determine potential privacy risks at an early stage (and make any necessary changes and improvements).

No. The PDPO does not require organisations to appoint a data protection officer or other similar officer, although the PCPD recommends that organisations implement a Privacy Management Programme including the appointment of a responsible person to oversee compliance with the PDPO.

Organisations may need to appoint a DPO or representative under any other laws to which their activities may be subject (such as PRC law).

There is no legal requirement for employers to provide or for employees to undertake training.

Several non-binding guidance notes from the PCPD recommend employee training, including the recommended Privacy Management Programme. Whether training has been provided / undertaken may be a factor the PCPD considers in assessing whether there has been a breach of a DPP.

Under DPP1(3) PDPO, on or before the collection of personal data from a data subject, the data user must take all practicable steps to inform the data subject various information about the processing of the data, including:

• the purposes for which the personal data will be used;
• whether supplying the personal data is obligatory or voluntary and the consequences for failing to supply obligatory information;
• the classes of persons to whom personal data may be transferred or disclosed;
• if applicable, information about the use and/or provision of personal data for direct marketing; and
• data subjects’ rights of access to and correction of their personal data, and the contact details for the person responsible for handling those requests.

Exemptions to this rule exist, including where the personal data was not collected directly from the data subject or if the data could not be used to re-identify the data subject.

In practice, data users provide a Personal Information Collection Statement (PICS) or privacy notice. Where direct communication with a data subject is not possible, the data user should consider other practical alternatives to bring the notice to the attention of the data subject such as including a PICS or privacy notice on the relevant website. In AAB No. 25/1999, a hospital was found to have breached DPP1(3) by failing to take all reasonably practicable steps to bring the PICS to the attention of its private patients (finding that a notice displayed in the waiting room was not prominent enough).

Yes, the PDPO draws a distinction between data users and data processors (see question 3 above).

Data processors (in that capacity) are subject to obligations by way of flow-down contractual or other means which a data user must adopt, e.g. to prevent any personal data being kept longer than is necessary for processing (DPP2(3)) and to prevent unauthorised or accidental access, processing, erasure, loss or use of the data (DPP4(2)).

A data processor can also be a data user if it decides the purpose for and manner in which personal data is to be processed (rather than simply the technical methods by which a data user’s instructions will be carried out).

While data processors are not subject to the PDPO, data users that use data processors to process personal data on their behalf (or for their purposes) are liable for any violations of the PDPO by the data processor as if they were processing the personal data themselves.

The PCPD has issued non-mandatory Guidelines on Outsourcing the Processing of Personal Data to Data Processors.

There are no minimum contract terms, or standard contractual clauses, required for processors of personal data. Data users are free to consider what obligations best fit the circumstances (such as the amount and sensitivity of personal data involved, the nature of the data processing and the harm that may result from a security breach), although contractual obligations implemented to fulfil the data user’s obligations under DPP2(3) and DPP4(2) may include:

• Security measures required to be taken by the data processor to protect the personal data;
• Timely return, destruction or deletion of personal data when it is no longer required for the purpose it was entrusted to the data processor;
• Measures to be taken by the data processors, such as policies and procedures and training for staff; and
• A data user’s right to audit and inspect how the data processor handles and stores personal data.

There are currently no laws or restrictions dealing specifically with tracking technologies such as cookies or profiling and automated decision making. However, online tracking activities must comply with the provisions of the PDPO.

The PCPD has issued an information leaflet on Online Behavioural Tracking which reiterates the need for organisations to comply with the requirements of the PDPO, including the DPPs, if their online tracking involves the collection of personal data. The PCPD recommends that organisations:

1. Inform users of the types of information that are being tracked and whether any third party is tracking their behavioural information;
2. Offer users a way to opt out of the tracking; and
3. If personal data of website users is being collected, a PICS must be provided to data subjects (outlined under DPP1(3)).

Online tracking information held by data users should be accurate, should not be kept for longer than necessary, and should only be used for the purposes originally stated at the time of collection. Data subjects’ express and voluntary consent must be given for any change to the purpose of use.

If cookies are used to collect behavioural information, it is also recommended that a reasonable expiry date for the cookies is pre-set, that the contents of the cookies are encrypted whenever appropriate, and that organisations do not deploy techniques that ignore browser settings on cookies unless they can offer an option to website users to disable or reject the cookies.

If a website deploys third-party cookies, regardless of whether any personal data is involved, it should state clearly what kind of information the cookies collect, to whom the information may be transferred and for what purposes.

Organisations which use online tracking technologies should also adopt privacy-enhancing technologies to minimise the risk of personal data exposure, such as encryption or hashing to maintain data confidentiality, a ‘robots exclusion protocol’ to prevent search engines from indexing websites, and ‘anti-robot verification’ to stop databases from being downloaded in bulk by automation.

Further guidance can be found in the PCPD’s Guidance for Data Users on the Collection and Use of Personal Data through the Internet.

The PDPO does not include a definition for, nor specifically regulate, “cross-contextual behavioural advertising”, although the PCPD has provided guidance on online behavioural tracking.

As noted in question 20 above, there are no restrictions on online tracking for advertising or marketing purposes. However, organisations carrying out such activities should adopt the following best practices in compliance with the requirements under the PDPO (including the DPPs):

• inform users what type of information is being collection or tracked by them, the purpose of collection, how the information is collected, whether the information will be transferred to third parties (and, if so, the third party and the purpose of the transfer), whether the information will be combined with other information to track/profile users and for how long the information will be kept;
• inform users whether any third-party is collecting or tracking their behavioural information. As the organisation engages the third-party to collect or track user behaviour, it is the organisation’s responsibility to understand from the third-party what information is being collected and the means by which the information is collected. Organisations should inform users of the nature of such third-parties, purpose and means of collection, retention period and whether such information collected would be further transferred to other parties by the third party; and
• respect any user’s wish not to be tracked or to offer users a way to opt out of the tracking (especially if this is conducted by third-parties) and inform them of the consequence of opting out. If it is not possible to opt out of tracking while using the website, explain why this is not possible so that website users can decide whether to continue using the website.

For more guidance, please see the PCPD’s information leaflet on Online Behavioural Tracking.

Although the sale of personal data is not specifically prohibited by the PDPO, it would not normally be regarded as the original purpose of data collection or a directly-related purpose. In these circumstances, explicit and voluntary consent from the data subject must be sought in compliance with DPP3. Consent may be indicated by a signature or a tick box.

Direct marketing

The PDPO contains express provisions related to the use of personal data for direct marketing. The PDPO defines “direct marketing” as:

1. the offering, or advertising of the availability, of goods, facilities or services; or
2. the solicitation of donations or contributions for charitable, cultural, philanthropic, recreational, political of other purposes,

through “direct marketing means”.

“Direct marketing means” are in turn defined as:

1. sending information or goods, addressed to specific persons by name, by mail, fax, e-mail or other means of communication; or
2. making telephone calls to specific persons.

It does not include communications that are not directed to a specific individual, e.g. a marketing call to the unidentified owner of a particular telephone number (which is regulated under the Unsolicited Electronic Messages Ordinance (Cap. 593)).

Using personal data for direct marketing purposes

The PDPO places detailed prescriptions on the manner in which personal data can be used for direct marketing, the information that a data user must provide to the data subject in order to be able to use the personal data for direct marketing, and the express prior consent that the data user must obtain from a data subject in order to be able to use personal data for direct marketing purposes.

The PCPD has made clear that sending individuals an opt-out message is not a valid channel of obtaining consent.

If the data subject subsequently requires the data user to stop using his personal data for direct marketing purposes, the data user must immediately stop that use (s.35G of the PDPO). The data subject should be informed of this right on the first occasion that the data user contacts the data subject for direct marketing purposes (s.35F of the PDPO).

Provision of Personal Data to a Third Party for Direct Marketing Purposes

A data user must also not provide personal data to a third party for its direct marketing use without the data subject’s informed written consent (s.35K of the PDPO), having notified the data subject of various factors relating to the proposed transfer and use of the personal data (pursuant to s.35J of the PDPO).

Biometric data falls within the definition of personal data for the purposes of the PDPO, both in the form of physiological data with which individuals are born and behavioural data developed by an individual after birth. It is potentially sensitive data, and any disclosure could lead to harm to the data subject. Persons collecting and / or using (or controlling) biometric data must therefore comply with the PDPO as data users.

The PCPD has issued Guidance on Collection and Use of Biometric Data, including several recommendations on how to handle and keep biometric data in compliance with the PDPO and DPPs (including, for example, to conduct a privacy impact assessment prior to collecting biometric data, to encrypt biometric data both at rest and in transit, and to restrict access to biometric data to authorised persons on a need-to-know basis).

The PDPO contains specific provisions restricting cross-border transfers of personal data, but these have never been brought into force. Data users must still comply with their other obligations under the PDPO in any such transfer, including obtaining consent for the proposed use and transfer of personal data.

The PCPD has issued Guidance on Personal Data Protection in Cross-border Data Transfer which serves as a practical guide for data users to prepare for the future implementation of these provisions.

DPP4 requires data users to “take all practicable steps” to protect personal data from unauthorised or accidental access, processing, erasure, loss or use. It does not impose an obligation to actually prevent such events occurring.

In determining what constitutes practicable steps, the data user should consider:

• The nature of the data and the damage that could result from unauthorised or accidental access, processing, erasure, loss, or use;
• The physical location of the data;
• Any physical security measures available for the equipment storing personal data;
• Any measures for ensuring the integrity, discretion, and competence of those with access to the data; and
• Any measures for ensuring secure transmission of the data.

There is no statutory definition of ‘security breaches’. The PCPD’s Guidance on Data Breach Handling and the Giving of Breach Notifications explains that a ‘security breach’ is “generally taken to be a suspected breach of data security of personal data held by a data user, exposing the data to the risk of unauthorised or accidental access, processing, erasure, loss or use” and may amount to a contravention of DPP4(1) and (2).

See question 13 above for further consideration of guidance in relation to a data breach.

Given the general scheme of the PDPO, several sectors and industries impose their own additional data security obligations. These include banking and financial services, insurance and telecommunications, which have their own codes of practices and guidelines published by the PCPD and their own sector specific regulations.

Banking and financial services

PCPD

The PCPD has published a Code of Practice on Consumer Credit Data (which provides practical guidance to data users in handling the collection, accuracy, use, security and access, and correction related to personal data of applicants for consumer credit), and Guidance on the Proper Handling of Customers’ Personal Data for the Banking Industry (which provides practical guidance to the banking industry on understanding and complying with relevant data protection requirements under the PDPO, and suggested best practice for the  collection, accuracy, retention, use, security of and access to customers’ personal data).

HKMA

The Hong Kong Monetary Authority (HKMA) has issued several Circulars related to technology risk management to provide guidance and reminders in relation to the technological security requirements and controls to be observed by authorised financial institutions.

SFC

The Securities and Futures Commission (SFC) has also issued guidance and FAQs and circulars on cybersecurity most recently in relation to internet trading, remote office arrangements, and use of external electronic data storage.

The SFC’s Code of Conduct for Persons Licensed by and Registered with the Securities and Futures Commission (last updated in December 2020) provides specific provisions relating to information security, including section 12.5 (requiring a licensed or registered person to report to the SFC immediately upon “any material failure, error or defect in the operation or functioning of its trading, accounting, clearing or settlement systems or equipment“) and section 18.5 (requiring a licensed or registered person to ensure the integrity and security of any electronic trading system it uses or provides to clients). The SFC has also stated its expectation that a licensed or registered person should report a “material cybersecurity breach“.

Whether a security breach must be notified to the SFC will therefore depend on the extent and impact of the breach. A licensed or registered person may choose to notify the SFC of a breach voluntarily, particularly given the SFC’s recent attention to cybersecurity in thematic reviews and regulatory audits.

Insurance

The PCPD has published Guidance on the Proper Handling of Customers’ Personal Data for the Insurance Industry, which provides practical guidance to insurance institutions on complying with the PDPO and DPPs when handling data in their business operation. For example, in the collection of customers’ medical data and PII, and the engagement of private investigators in insurance claims.

The Insurance Authority has also issued a Guideline on Cybersecurity, which outlines the minimum standards that authorised insurers are expected to meet in relation to the handling of personal data of existing or potential policyholders. Whilst these Guidelines do not have the force of law, they are taken into account by the Insurance Authority when considering fitness and properness of the directors or controllers of authorised insurers to which the Guidelines apply, and non-compliance may impact upon this. In particular, this sets out that authorised insurers are expected to put in place and maintain a cybersecurity strategy and framework. There are also sector-specific guidelines, such as the Guideline on Medical Insurance Business, which advises that authorised insurers and licenses insurance intermediaries should “at all times, exercise due care and diligence in collecting, handling, storing, using, transferring and erasing customers’ personal data” and comply with the PDPO and its guidance.

Telecommunications

The PCPD has published Guidance for Mobile Service Operators, providing practical guidance to mobile service operators to comply with the PDPO in their business operations e.g. collection of personal data when handling mobile phone service applications, maintenance of customers’ service accounts and relevant retention/change of customers’ personal data etc.

The Office of the Communications Authority has also issued Guidelines on the Security Aspects for the Design, Implementation, Management and Operation of Public Wi-Fi Service, aimed at operators providing “adequate security measures in their networks to protect user data communications” including protecting the confidentiality and integrity of user data (among other things).

Human Resource Management

The PCPD has issued the Code of Practice on Human Resource Management to provide practical guidance to data users performing human resource management functions and activities. Non-compliance with any mandatory provisions of the Code will count unfavourably against the data user both in any investigation before the PCPD, and in any judicial case related to any alleged breach of the PDPO.

Health data

The PCPD has published the Personal Data (Privacy) Ordinance and Electronic Health Record Sharing System (Points to Note for Healthcare Providers and Healthcare Professionals), providing practical guidance to public and private healthcare providers in the handling, accessing and sharing of patients’ personal data through the Electronic Health Record Sharing System in compliance with the PDPO.

Property management

The PCPD has published the Guidance on Property Management Practices to assist property management bodies in understanding and complying with the PDPO in specific situations which may arise during their operations.

There is no legal requirement under the PDPO to report security breaches to the PCPD. The PCPD has recommended that businesses should report a data security breach as part of proper data breach handling. Please see question 13 above.

The PCPD is considering with the HKSAR Government whether to introduce mandatory data breach notification obligations. See questions 1 and 13 above.

Businesses may also face sector-specific breach notification obligations under applicable regulations, such as the SFC. See question 28 above.

There is no single piece of legislation in Hong Kong that deals specifically with handling cyber-crimes. Section 161 of the Crimes Ordinance (Cap. 200) provides offences related to accessing a computer with criminal or dishonest intent including an offence of “obtain[ing] access to a computer” with a dishonest intent or objective.

The official position of Hong Kong law enforcement authorities is that they do not recommend paying a ransom. However, there is no law in Hong Kong specifically prohibiting the payment of ransoms.

Section 25 of the Organised and Serious Crimes Ordinance (Cap. 455) (OSCO) provides an offence for any person (including a victim) to make a payment to a person when they know or have reasonable grounds to believe that the ransom payment represents the proceeds of an indictable offence.

In the case of HKSAR v Tsang Wai Lun Wayland and others [2014] 4 HKC 101, the Court of Final Appeal held that “proceeds of an indictable offence” does not include ‘clean’ money intended to be used as an instrument for committing an indictable offence. However, if there is a relationship of ‘reward’ linking the payment and the commission of the offence, the payment may qualify under OSCO. Therefore, there is a risk that a ransom payment may be considered “proceeds of an indictable offence” if it was paid in the knowledge that it was a bribe paid to obtain a decryption key for the release of data.

The specific application to a cyber ransom payment has not yet been tested in the Hong Kong Courts. However, Hong Kong generally follows the Common Law and the English Court of Appeal held that a ransom payment only becomes criminal property in the hands of the recipient (in the case of a cyberattack, the threat actors), rather than when in the hands of a payer (R v L & Ors [2005] EWCA Crim 1579, dealing with the position under s.327 of the English Proceeds of Crime Act 2002).

That said, section 25A OSCO provides a defence to a prosecution under s.25 OSCO if the victim notifies an “authorised officer” (i.e. the Hong Kong police) of the payment in advance and obtains consent, or if the victim notifies an authorised officer as soon as it is reasonable to do so after making the payment.

A person considering paying a ransom must check relevant sanctions lists to ensure that the recipient is not a known terrorist organisation or sanctioned person.

There are also industry-specific data breach notification requirements. Please see question 28 above.

No. The Hong Kong Computer Emergency Response Team (HK Cert) and the Hong Kong Police Force Cyber Security and Technology Crime Bureau (CSTCB), have been established to help victims of cybercrime, but they are not regulators.

Yes. Data subjects are entitled to information and other specific rights under the PDPO and DPPs.

DPP5 provides a right of access to information by requiring that all practicable steps must be taken to ensure that a data subject can be informed of the kinds of personal data a data user holds and the main purposes for which this data is or is to be used.

DPP6 also provides a data subject with the right to:

1. ascertain whether a data user holds personal data of which s/he is the data subject;
2. request access to personal data, within a reasonable time, for a fee which is not excessive, in a reasonable manner and in a form that is intelligible;

• request the correction of personal data; and

1. object to any refusal of access.

Part 5 of the PDPO provides detailed provisions regarding the manner and timeframe for compliance with data access and correction requests. A data user must comply with the data access or correction requests within 40 calendar days of receipt, and if the data user is unable to comply with the requests within this period, a written notice of the inability and reasons must be given to the data subject, and the data user must comply with the request as soon as practicable (ss.19 and 23 of the PDPO).

Data subjects have a right to withdraw their consent to using their personal data for direct marketing purposes at any time, and the data user must comply by stopping all such use of their personal data (s.35G of the PDPO).

There is no specific right under the PDPO to request deletion of data, but data users are required to take all practical steps to erase personal data when it is no longer required to fulfil the original purposes of collection and use, unless the erasure is prohibited by law or it is in the public interest not to erase the data (s.26(1) of the PDPO).

Sections 20 and 24 of the PDPO provide certain exceptions to a data user’s obligation to comply with data access or correction requests, for example where the data subject does not supply enough information to verify his/her identity. A data user may also refuse to comply with a data access or correction where:

• it is not supplied with enough information to locate the applicable personal data;
• the request is not made in writing in Chinese or English;
• the request follows two or more similar requests and it is unreasonable for the data user to comply with the request;
• (concerning data access requests) the request is not made on the specified Data Access Request Form;
• (concerning data correction requests) the data user is not supplied with information as it may reasonably require to ascertain the relevant personal data’s inaccuracy, or that the correction is accurate; or
• any of the exemptions specified under Part 8 of the PDPO applies.

The PCPD has published Guidance Notes on the Proper Handling of Data Access Request and Charging of Data Access Request Fee by Data Users, and the Proper Handling of Data Correction Request by Data Users.

Individual data privacy rights can be enforced by either:

• the PCPD, who carries out investigations upon data subjects’ complaints on possible breaches of their rights in handling their personal data; or
• a data subject through the civil courts, where the data subject can show that they have suffered damage resulting from a data user’s infringement of the data subject’s rights. This can prove difficult in practice since class actions are not permitted in Hong Kong and individual losses may not be sufficient to justify a data subject bringing a claim.

Yes. Section 66 of the PDPO provides that a data subject may commence civil proceedings against a data user who contravenes the PDPO to seek compensation if they can show that the contravention caused damage.

Yes. The general rule is that damages must compensate for actual loss, but s.66(2) of the PDPO also allows for claims for damages in respect of injury to feelings. The quantum of damages is fact-sensitive to be decided in each case.

Generally, by the PCPD which exercises both investigative and enforcement powers.

Investigative powers

The PCPD may conduct an investigation where it (i) receives a complaint on a possible breach of PDPO; or (ii) has reasonable grounds to believe that there may be a contravention of the PDPO (s.38 of the PDPO). Although the PCPD has a statutory obligation to conduct an investigation upon receipt of a complaint, the PCPD may refuse to conduct, or can decide to terminate, an investigation initiated by a complaint under certain circumstances (s.39 of the PDPO) including:

• the complainant has known about the act complained of for more than 2 years immediately preceding the date of receipt of the complaint;
• the complaint is made anonymously;
• the complaint is substantially similar in nature to a previously initiated investigation in which the PCPD found no contravention of PDPO; or
• the PCPD is of the opinion that an investigation is unnecessary.

In practice, before starting a formal investigation the PCPD may conduct an informal ‘compliance check’.

The PCPD has a range of formal investigative powers, including power to enter premises for investigation with a warrant or with prior written notice (s.42 of the PDPO) and to require production of documents for the purpose of an investigation (s.44 of the PDPO). The PCPD may also carry out proactive inspections of any personal data system for the purpose of making recommendations to a data user (s.36 of the PDPO). The Amendment Ordinance also contains additional investigation powers in respect of the two-tier doxxing offences. The PCPD may issue written notices to persons who may be able to assist the PCPD’s investigation to require the provision of materials and assistance (s.66D of the PDPO). The PCPD may also enter premises for investigation without a warrant and seize evidence stored on electronic devices (including the power to access, seize, decrypt, search and reproduce the device) (s.66G of the PDPO).

Enforcement powers

The PCPD generally has no direct power to sanction a breach of a DPP, although breach of certain provisions of the PDPO (about which see question 37 below) is a criminal offence, punishable by fines and/or imprisonment. This includes where a data user contravenes the requirements of an enforcement notice. Where a breach of a section of the PDPO is a criminal offence, the PCPD may refer the matter to the Hong Kong Police Force to investigate.

The PCPD is considering with the HKSAR Government whether to introduce a direct administrative fining power for the PCPD.

The PCPD may publish enforcement reports of its investigations or inspections (on its website) if it considers that it is in the public interest to do so (s.48(2) of the PDPO). If the PCPD finds a breach of the PDPO after conducting an investigation, it may issue a written enforcement notice requiring the data user to take remedial or preventive steps (s.50 of the PDPO).

If a data subject has suffered damage from a breach of the PDPO, the PCPD may also grant legal assistance to a data subject to institute proceedings against the relevant data user for compensation (s.66B of the PDPO).

An officer authorised by the PCPD may, without warrant and with the use of reasonable force, stop, search and arrest any person whom the officer reasonably suspects to have committed doxxing-related offences under the PDPO.

Depending on the section of the PDPO, a person committing an offence may be liable to a fine of up to HKD10,000 – HKD1,000,000 (approx. US$1,300 – US$1.3 million) and/or imprisonment for up to 6 months – 5 years.

Below are some examples of criminal offences under the PDPO and their respective penalties:

• a data user using personal data in direct marketing without the data subject’s consent (s.35E(4) of the PDPO) or without giving notice to the data subject (s.35C(5) of the PDPO) is liable to a fine of up to HKD500,000 and imprisonment for up to 3 years;
• a data user providing personal data to a third party for direct marketing purposes in exchange for gain, without giving notice to the data subject, is liable to a fine of up to HKD1,000,000 and imprisonment for up to 5 years (s.35J of the PDPO);
• a data user contravening an enforcement notice is liable to (s.50A of the PDPO):
  • on first conviction – a fine of up to HKD50,000 and imprisonment for up to 2 years, and a daily penalty of HKD1,000 if the offence continues; and
  • on subsequent convictions – a fine of up to HKD100,000 and imprisonment for up to 2 years, and a daily penalty of HKD2,000 if the offence continues;
• a data user failing to comply with the requirements of the PCPD in exercising its powers under the PDPO is liable to a fine of up to HKD10,000 and imprisonment for up to 6 months (s.50B, PDPO); and
• any person disclosing personal data obtained, without consent from the data user with intent to gain or cause loss to the data subject, or where the disclosure causes psychological harm to the data subject, is liable to a fine of up to HKD1,000,000 and imprisonment for up to 5 years (s.64 of the PDPO).

The sanctions introduced by the Amendment Ordinance in relation to the two-tier doxxing offences are set out in question 1 above.

The PCPD has prepared a table summarising the various offences under PDPO and their respective penalties.

Industry-specific regulators also have their own powers to enforce any breach of their own regulatory framework, and to impose sanctions applicable to the relevant regulatory breach.

An appeal against an enforcement notice issued by the PCPD can be made to the Administrative Appeals Board within 14 days after the notice is served (s.39 of the PDPO).

The PDPO has been under review since the publication of a government paper in January 2020 (LC Paper No CB(2)512/19-20(03)), to strengthen the protection of data subjects. The proposed reforms include:

• Mandatory data breach reporting;
• Requirement for data users to formulate an express and clear data retention policy;
• Administrative fines for breaches of the PDPO;
• Direct regulation of data processors; and
• Extending the scope of the PDPO to “identifiable persons”.

The PCPD has recently confirmed that it is considering further amendments to the PDPO with the HKSAR Government.

The extent or timetable of further reforms is not yet publicly known. Anyone considering their rights and obligations under Hong Kong law should check the status of the proposed amendments.