Hong Kong: TMT

N/A

Communications networks and services are regulated in Hong Kong. Some key pieces of legislation governing communications networks and services include:

• Telecommunications Ordinance (Cap. 106);
• Broadcasting Ordinance (Cap. 562);
• Broadcasting (Miscellaneous Provisions) Ordinance (Cap. 391);
• Communications Authority Ordinance (Cap. 616);
• Competition Ordinance (Cap. 619);
• Trade Descriptions Ordinance (Cap. 362); and
• Unsolicited Electronic Messages Ordinance (Cap. 593).

Under the Telecommunications Ordinance, a licence is required where any person, in Hong Kong or on board any ship, aircraft or space object that is registered or licensed in Hong Kong:

• establishes or maintains any means of telecommunications;
• offer as a business a telecommunications service; and
• possess or use any apparatus for radiocommunications, or deal in or demonstrate with a view to sale any apparatus or material for radiocommunications.

Telecommunications services can be provided by facility-based operators (“FBOs”) or service-based operators (“SBOs”).

FBOs are authorized to establish and maintain telecommunications networks and services for the provision of public telecommunications services. They are mainly licensed under the following:

• Unified Carrier Licence (“UCL”) – this is the carrier licence to be issued for the provision of facility-based fixed, mobile and/or converged services; and
• Public Radiocommunications Service Licences – services that may be authorized under this licence include radio paging, community repeater (trunked radio) services, vehicle location information services, one-way data message services and public mobile radio data services.

SBOs rely on the networks and facilities established by licensed FBOs for the provision of public telecommunications services. An SBO licence may cover the following services:

• Class 1 and Class 2 services – local voice telephony services provided to fixed and/or mobile customers; and
• Class 3 services – this covers external telecommunication services, international value-added network services, mobile virtual network operator services, public radio communications relay services, teleconferencing services, private payphone services, security and fire alarm signals transmission services, mobile communications services on board an aircraft services, and any other services designated by the Communications Authority as Class 3 services.

There are also other types of licences, for example, Localised Wireless Broadband Service Licences, Wireless Internet of Things Licences, and “class licences”, where a provider that falls within a particular class and complies with the relevant terms and conditions would be licensed without having to apply to the Communications Authority for a licence.

The Communications Authority, through its executive arm, The Office of the Communications Authority (OFCA), is the primary regulator of the telecommunications and broadcasting industries in Hong Kong. It also enforces the Unsolicited Electronic Messages Ordinance.

The Communications Authority shares concurrent jurisdiction with the Customs and Excise Department in enforcing the fair trading provisions of the Trade Descriptions Ordinance (Cap. 362) in relation to the commercial practices of licensees in connection with the provision of telecommunications or broadcasting services. It also shares concurrent jurisdiction with the Competition Commission in relation to the conduct of undertakings under the Telecommunications Ordinance and Broadcasting Ordinance.

The Communications Authority is an independent statutory body established under the Communications Authority Ordinance.

Hong Kong does not have laws specifically regulating platform providers, although there are various laws that may apply to acts of platform providers.

For example, platform providers may be liable for defamatory statements made by users. However, they would normally be regarded as “subordinate publishers” and may be able to rely on the innocent dissemination defence if they could demonstrate that they did not know the article contained offending content, and that their lack of knowledge was not due to any failure to exercise reasonable care on their part. The defence may still be available upon receiving notice of the offending content if the platform provider promptly takes all reasonable steps to remove the content as soon as reasonably practicable.

Under the Implementation Rules for Article 43 of the Law of the People’s Republic of China on Safeguarding National Security in the Hong Kong Special Administrative Region (the “Implementation Rules”), a public officer designated by the Secretary for Security may require a platform provider to provide assistance in connection with the exercise of the officer’s power to remove messages endangering national security, which may include removing the message from the platform or restricting access by any person to the message. In addition, a police officer may require a platform provider to provide identification record or decryption assistance for the electronic message. A platform provider that fails to comply with the requirements will commit an offence and is liable on conviction to a fine of HK$100,000 and imprisonment for six months.

The Personal Data (Privacy) Ordinance (Cap. 486) (the “PDPO”) would also apply to platform providers in relation to the collection, processing and use of personal data. Please see questions 9 to 12 below for further information. In a recent paper issued by the Constitutional and Mainland Affairs Bureau proposing amendments to the PDPO, it has been proposed that platform providers would be required to take rectification actions upon request, such as removing content within a designated timeframe, in relation to “doxxing”, the disclosure of personal data of targeted persons on online search engines and social platforms with an intent to threaten, intimidate, harass or cause psychological harm to the person.

In general, laws in Hong Kong do not have extra-territorial effect unless it is expressly stated in the legislation.

The powers exercisable by a designated public officer or police officer under the Implementation Rules have extra-territorial effect and apply to electronic messages, identification records, description keys and platform providers within or outside Hong Kong.

The PDPO does not apply to a foreign entity that has no operations controlled within or from Hong Kong, and therefore the jurisdiction and power of the Privacy Commissioner of Personal Data do not extend to regulate and control the conduct of a platform provider whose operations are not controlled within or from Hong Kong.

A holder of a UCL or SBO licence must be registered in Hong Kong under the Companies Ordinance (Cap. 622). However, the Communications Authority may consider the application of a company incorporated outside Hong Kong, provided that it is registered as a non-Hong Kong company under the Companies Ordinance.

There are no restrictions on foreign ownership of UCL or SBO licensees in Hong Kong.

In general, operators can enter into interconnection agreements through commercial negotiations without intervention by the Communications Authority. However, if it considers it is in the public interest to do so, the Communications Authority may make a determination on the terms of interconnection. The determination may include any technical, commercial and financial terms and conditions that the Communications Authority considers fair and reasonable.

An operator in a dominant position is prohibited from engaging in conduct that the Communications Authority considers is exploitative in relation to the provision of interconnection between telecommunications systems or services or any element of a telecommunications network, system, installation or service.

The Telecommunications Ordinance prohibits a licensee in a dominant position from engaging in conduct that the Communications Authority considers exploitative, which may include fixing and maintaining prices or charges at an excessively high level or setting unfair trading terms and conditions. The Telecommunications Ordinance also requires a licensee that is subject to a universal service obligation to ensure that a good, efficient and continuous basic service is reasonably available to all persons within the areas of Hong Kong covered by that obligation. PCCW-HKT Telephone Limited and Hong Kong Telecommunications (HKT) Limited are jointly and severally liable for the universal service obligation.

The Trade Descriptions Ordinance regulates unfair trade practices against consumers, including false trade descriptions of goods and services, misleading omissions, aggressive commercial practices, bait advertising, bait-and-switch and wrongly accepting payment. The Trade Descriptions Ordinance gives the Communications Authority concurrent jurisdiction with the Customs and Excise Department in enforcement with respect to licensees under the Telecommunications Ordinance.

The Unsolicited Electronic Messages Ordinance regulates pre-recorded electronic messages including pre-recorded telephone messages, fax and text messages. The Ordinance requires senders to provide accurate sender information and an unsubscribe facility to recipients, and prohibits commercial electronic messages to be sent to any telephone or fax number registered in “do-not-call registers” established by the Communications Authority.

The predecessor of the Communications Authority issued a voluntary Code of Practice for Communication Service Contracts, which provides guidance in relation to communications customer contracts, including cooling-off periods and arrangements for termination of contracts. In addition, the Communications Association of Hong Kong has also issued a Code of Practice for Telecommunications Service Contracts. This industry code may be adopted by service providers on a voluntary basis, and has the objective of enhancing customer satisfaction and improving the clarity of provisions in telecommunications service contracts.

Computer software is protected under copyright law. Under the Copyright Ordinance (Cap. 528), copyright subsists in original “literary works”, which are defined to include a computer program as well as preparatory design material for a computer program. The person creating the computer software has an exclusive right to copy and distribute the software until 50 years from the end of the calendar year in which the person dies. If the work is computer-generated, copyright protection will expire at the end of 50 years from the end of the calendar year in which the work was made.

A program for a computer is expressly excluded from being an invention that is patentable under the Patents Ordinance (Cap. 514). However, patent protection may be available for software related inventions that are not merely computer programs, for example, if the software solves a technical problem or produces a “further technical effect”.

Databases may also be protected as a “literary work” under the Copyright Ordinance, which is defined to include a compilation of data or other material, in any form, which by reason of the selection or arrangement of its contents constitutes an intellectual creation, including but not limiting to a table. As with computer software, the author has copyright protection until the end of 50 years from the end of the calendar year in which the person dies.

The PDPO sets out key protections for personal data. Personal data must be collected for a lawful purpose directly related to a function or activity of the data user, and the collection must be necessary, adequate and directly related to that purpose and not excessive. It must be collected by lawful and fair means. When personal data is collected, all practicable steps must be taken to ensure that the data subject is informed of the purpose of the collection, the classes of persons to whom the data is to be transferred, and whether it is obligatory or voluntary to supply the data.

Personal data must not be kept longer than is necessary for fulfilment of the purpose for which the data is to be used. Steps must be taken to protect the personal data against unauthorized access or loss, and a data subject is entitled to request access to and correction of his or her personal data.

Personal data must not, without the prescribed consent of the data subject, be used for a purpose other than the original purpose for which it was collected. A data user that intends to use personal data of a data subject in direct marketing must inform the data subject of the kinds of personal data to be used and classes of marketing subjects in relation to which the data is to be used. The data user may not use the data unless it has received consent from the data subject to the intended use. The data subject may at any time require a data user to cease to use the data subject’s personal data in direct marketing.

Section 33 of the PDPO contains restrictions on the transfer of personal data outside Hong Kong. However, the provision is not yet in operation. When it comes into effect, section 33 prohibits a data user from transferring personal data outside Hong Kong except in specified circumstances, for example:

• it is a place that the Privacy Commissioner for Personal Data has listed as having data protection laws that are substantially similar as the PDPO;
• if the data user has reasonable grounds for believing that the data protection laws are substantially similar to the PDPO;
• if the data subject has consented in writing; or
• if the data user has taken all reasonable precautions and exercised all due diligence to ensure that the data will not be collected, held, processed or used in a manner which, if it were in Hong Kong, would be a contravention of the PDPO.

The Privacy Commissioner for Personal Data has issued a Guidance on Personal Data Protection in Cross-border Data Transfer, encouraging data users to adopt practices in relation to cross-border transfers of personal data.

A person who discloses any personal data of a data subject which was obtained without the data user’s consent, with an intent to obtain gain or cause loss to the data subject or where the disclosure causes psychological harm to the data subject, will be liable to a fine of HK$1 million and imprisonment for five years. A data user that breaches the direct marketing provisions, including using the data subject’s personal data in direct marketing without obtaining informed consent from the data subject, commits an offence and is liable to a fine of HK$500,000 and imprisonment for three years, and if the data is provided to a third party for gain, a fine of HK$1 million and imprisonment for five years.

Where the Privacy Commissioner for Personal Data, upon completion of an investigation, is of the opinion that a data user has contravened a requirement under the PDPO, it may serve an enforcement notice to the data user to remedy or prevent any further contravention. If the data user contravenes an enforcement notice, it will commit an offence and is liable on first conviction to a fine of HK$50,000 and imprisonment for two years, and a daily penalty of HK$1,000 if the offence continues. Upon subsequent convictions, the data user is liable to a fine of HK$100,000 and imprisonment for two years, and a daily penalty of HK$2,000 if the offence continues. A person who suffers damage by reason of a contravention will also be entitled to compensation from the data user for the damage.

The PDPO also contains provisions imposing criminal liability on other contraventions.

In general, the data protection standards required under the GDPR are more stringent compared with those under the PDPO. The Privacy Commissioner for Personal Data is working with the Hong Kong Government to consider amending the PDPO to strengthen the protection for personal data, with reference to modern data protection regimes such as the GDPR. The proposals include introducing a mandatory data breach notification mechanism, requiring the setting out of a data retention policy, increasing the PCPD’s sanctioning powers, regulating data processors directly, clarifying the definition of personal data to include information relating to an identifiable natural person, and introducing amendments to specifically regulate doxxing.

There is not a specific law in Hong Kong regulating cloud computing. In terms of data protection, the PDPO does not directly regulate cloud services providers as data processors. However, the PDPO requires data users who engage data processors to adopt contractual or other means in order to prevent any personal data transferred to the data processor from being kept longer than is necessary for processing of the data, as well as to prevent unauthorized or accidental access, processing, erasure, loss or use of the data transferred to the data processor for processing. The Privacy Commissioner for Personal Data has issued an information leaflet on factors data users should consider when considering engaging cloud computing, including cross- border data flows, sub-contracting arrangements, standard contract terms, service and deployment models, and other outsourcing issues.

Industry regulators have issued sector-specific guidelines that may be relevant to the use of cloud-based services by regulated entities. For example, Hong Kong Monetary Authority (the “HKMA”) has issued guidelines on outsourcing and general principles for technology risk management for authorized institutions. The Securities and Futures Commission (the “SFC”) has issued a circular to licensed corporations and related frequently asked questions on the use of external electronic data storage, setting out requirements where a licensed corporation’s regulatory records are kept with electronic data storage providers, including application for approval by the SFC and allowing access by the SFC to the regulatory records. The Insurance Authority (the “IA”) has also issued a Guideline on Outsourcing and Guideline on the Use of Internet for Insurance Activities, with guidance on issues that authorized insurers are expected to consider in formulating and monitoring its outsourcing arrangements such as due diligence on the service provider, maintenance of confidentiality and information security, as well as notice to be given to the IA. The Office of the Government Chief Information Officer has also issued a Practice Guide for Cloud Computing Security on the secure adoption of cloud computing technology in the Government.

In general, there are no formalities on the execution of simple contracts. Under the Electronic Transactions Ordinance (Cap. 553), an offer and acceptance in the context of formation of contracts may be in whole or in part expressed by means of an “electronic record”, that is, a record generated in digital form by an information system, which can be transmitted from one information system to another and stored in an information system or other medium.

Where a rule of law requires a signature on a document or provides for consequences if the document is not signed, and the transaction does not involve a government entity, an electronic signature would satisfy the signature requirement. “Electronic signature” consists of any letters, characters, numbers or other symbols in digital form attached to or logically associated with an electronic record, and executed or adopted for the purpose of authenticating or approving the electronic record. The conditions to be satisfied include:

• the person providing the electronic signature must use a method to attach it to an electronic record for the purpose of identifying himself and indicating his authentication or approval of the information contained in the electronic record;
• the method used must be reliable and appropriate for the purpose for which the information contained in the document is communicated; and
• the person to whom the electronic signature is given must consent to the use of the method.

However, electronic signatures may not be used for certain types of documents specified in Schedule 1 to the Electronic Transactions Ordinance. These include instruments required to be stamped or endorsed under the Stamp Duty Ordinance (Cap. 117), trusts, powers of attorney, negotiable instruments, real property-related documents, testamentary documents, and oaths, affidavits and statutory declarations. In addition, given the uncertainties and the potential consequences of not validly executing a deed, wet ink signatures should be used for execution of deeds.

There is no automatic transfer of employees, assets or third party contracts to the outsourcing supplier upon an outsourcing of IT services. Any transfers would normally be governed by the commercial terms of the contract.

Where employees are transferred pursuant to an outsourcing arrangement, the transfer would involve terminating the existing employment contract with the employee and entering into a new employment contract between the employee and the outsourcing supplier. The original employer would need to pay any outstanding employment entitlements including any statutory severance payments and long service payments. Where the outsourcing supplier is an associated company of the original employer and has made an offer not less than seven days before the termination date to re-engage the employee, the continuity of employment would be preserved and the original employer would not be required to pay severance and long service payments at the time of transfer.

Where there is a transfer of third party contracts under the outsourcing arrangement, the consent of the third parties would generally need to be obtained.

Hong Kong does not have any laws or regulations specifically targeting A.I., and therefore it is unclear under the existing legal framework which party would be liable in the event of A.I. malfunctioning. Where the A.I. software constitutes part of goods or services sold to consumers, product liability laws may apply. Tort law principles may also be applicable. However, if the A.I. software engages in machine learning using data from external sources or has been trained with input from the user, it is arguable whether the chain of causation would be broken. In any event, liability for any defects would typically be provided for under the terms of the contract.

Some sector-specific guidelines have been introduced as regulated entities adopt A.I. technology in their businesses. The HKMA has stressed that the board and senior management of authorized institutions should remain accountable for all the big data analytics and A.I.-driven decisions and processes, and should ensure proper governance and risk management frameworks are in place to oversee the use of A.I. applications.

a) obligations as to the maintenance of cybersecurity;

There is not a single piece of legislation in Hong Kong governing cybersecurity issues. There are various laws that may impose criminal liability on cybercrimes (see question 17.2 below). The PDPO requires that all practicable steps to be taken to ensure that any personal data held by a data user is protected against unauthorized or accidental access, processing, erasure, loss or use. Considerations include the physical location and equipment in which the data is stored, the persons having access to the data, and the secure transmission of the data. In addition, industry regulators have issued guidelines on cybersecurity applicable to participants in those industries. Some examples are set out below.

The HKMA has implemented a Cybersecurity Fortification Initiative in December 2016 to raise cyber resilience in the Hong Kong banking system. The initiative includes a framework for authorized institutions to assess their risk profiles, programme for certification and training of cybersecurity professionals and platform for sharing intelligence on cyber attacks. The HKMA has also issued a Guide to Enhanced Competency Framework on Cybersecurity on the competency standards of cybersecurity practitioners in the Hong Kong banking industry.

The SFC has issued guidelines to licensed corporations, such as the Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading on the minimum standards to mitigate hacking risks. The SFC also issued a number of circulars to licensed corporations on good industry practices on IT risk management and cybersecurity, use of external electronic data storage, remote office arrangements, as well as frequently asked questions on cybersecurity and recommendations from a thematic cybersecurity review of internet brokers.

The IA has issued a Guideline on Cybersecurity, setting out minimum standards for cybersecurity that authorized insurers are expected to have in place and general principles the IA uses in assessing the effectiveness of an insurer’s cybersecurity framework.

The Office of the Government Chief Information Officer has also published guidelines to government bureaux, departments and agencies on cybersecurity and other IT security issues.

b) the criminality of hacking/DDOS attacks?

Some of the existing laws that impose criminal liability on hacking, DDOS attacks and other cybercrimes include the following:

• the Crimes Ordinance (Cap. 200) imposes criminal liability on access to computer with criminal or dishonest intent, and destroying or damaging property, with liability on conviction to imprisonment for five and ten years, respectively;
• the Telecommunications Ordinance provides for an offence of unauthorized access to computer by telecommunications, with liability on conviction to a fine of HK$25,000;
• the Theft Ordinance (Cap. 210) sets out offences for fraud, blackmail, theft and burglary, with liability upon conviction to imprisonment for ten to 14 years; and
• the PDPO provides for offences for disclosing personal data of a data subject obtained without the data user’s consent, with an intent to obtain gain or cause loss, or where the disclosure causes psychological harm to the data subject, with liability on conviction to a fine of HK$1 million and imprisonment for five years.

Hackers are commonly prosecuted under section 161 of the Crimes Ordinance for the offence of access to a computer with criminal or dishonest intent. If the act involves an unauthorized transfer of funds, they may also be charged under the theft or fraud offences in the Theft Ordinance. Persons participating in DDOS attacks may be charged under section 60(1) of the Crimes Ordinance for destroying or damaging property without lawful excuse, which is defined to include misuse of a computer.

The development of financial technology is a key focus for Hong Kong as an international financial centre. Financial services regulators such as the HKMA, the SFC and the IA have each issued guidelines on various fintech-related issues and have set up regulatory sandboxes to allow their regulated entities and technology firms to conduct trials of fintech initiatives. In addition, the Financial Services and the Treasury Bureau is proposing legislative amendments to introduce a licensing regime for virtual asset services providers. The HKMA has also announced that it will explore the feasibility of launching a digital currency “e-HKD”. It is expected that there will be further legal and regulatory developments to support the promotion of fintech in Hong Kong.

In general, Hong Kong adopts a laissez-faire approach and does not extensively regulate economic and commercial activities. In terms of technological development, instead of establishing a stand-alone regime to address the application of technology, the current approach is to fit innovative technological activities into the existing legal framework. The absence of a clearly defined regulatory framework create uncertainties and may discourage the exploration and adoption of new technologies and the development of the new economy in Hong Kong.

The legal system in Hong Kong tends to be technology-neutral, and does not regulate digital services as a separate domain, or restrict or prohibit digital services generally. There are no extensive regulations or licensing requirements governing digital services except where the activities come under the existing regulatory regime, for example, in the telecommunications or financial services industries. In particular, there is not a unified regulatory framework for fintech, and there are various regulators including the HKMA, the SFC, the IA and Hong Kong Police Force, each enforcing its own set of regulations on particular aspects of the fintech services. Data protection laws apply across sectors, but the Privacy Commissioner for Personal Data has limited sanctioning powers.

Nevertheless, the Hong Kong Government has introduced a wide range of initiatives to encourage use of technology. Moreover, plans to deepen cooperation and integration with other cities in the Guangdong-Hong Kong-Macao Greater Bay Area will likely result in advancements in innovation and technology and greater adoption of digital services.

As discussed above, there is no specific law in Hong Kong governing issues surrounding artificial intelligence. Legal issues will inevitably arise from the use of A.I. that the existing legal system cannot adequately address. The Hong Kong legal system does not recognize A.I. software as having separate legal personality, and so there are uncertainties in relation to attribution of liability, for example, with respect to the use of autonomous vehicles once they are approved to operate in Hong Kong. There are also difficulties in ascertaining intention, as well as how to deal with ethical and bias issues arising from use of A.I. Intellectual property rights for A.I.-created works will need to be clarified. Use of massive data sets for A.I. applications as well as profiling of individuals from machine learning using data extracted from different sources will present greater data privacy risks, and more robust data protection laws may need to be put in place.