What you need to know about personal data privacy in Hong Kong

03Jun2020

Introduction

Personal data protection is a flash point for controversy, and an increasing area of regulation and compliance. Here is what you need to know about personal data protection in Hong Kong.

Q:   Are privacy and data protection recognised by the Basic Law?

The Basic Law is the key constitutional document of Hong Kong. The right to privacy is recognised in Article 30 of the Basic Law, and in Section 8, Article 14 of the Hong Kong Bill of Rights Ordinance.

Q:   Is there primary legislation on personal data protection?

The primary legislation on privacy and data protection is the Personal Data (Privacy) Ordinance, Cap 486 (the “Ordinance”).

The Ordinance sets out six Data Protection Principles (“DPP”):

  1. DPP1 – Personal data must be collected in a lawful and fair manner, and the data user must give specified information to a data subject when collecting his personal data.
     
  2. DPP2 – Personal data must be accurate and up-to-date, and kept no longer than necessary.
     
  3. DPP3 – Personal data should only be used for the purposes for which they were collected or a directly related purpose. Otherwise, the data user must obtain the “prescribed consent” of the data subject.
     
  4. DPP4 – The data user must have measures in place for the confidentiality and security of personal data.
     
  5. DPP5 – Data users must provide general information about the kinds of personal data they hold and the main purposes for which personal data are used.
     
  6. DPP6 – Data subjects must be given a right of access to their personal data, and to correct them.

Q:   How is personal data protection regulated?

The main piece of legislation is the Ordinance. In addition, the Privacy Commissioner has issued various codes of conduct. Examples include the Code of Practice on the Identity Card Number and Other Personal Identifiers and Code of Practice on Human Resource Management. If data users breach the Codes of Practice, the Ordinance provides that there is a rebuttable presumption in any legal proceedings that the data user has breached the Ordinance. This means that the data user would have to produce evidence of compliance with data privacy laws, notwithstanding the breach of the Code of Practice.

In addition, the Privacy Commissioner has published guidelines and information leaflets on various issues. These are non-binding. 

Q:   Is there a national data protection authority?

The Office of the Privacy Commissioner is an independent statutory body set up to oversee the enforcement of the Ordinance.

Q:   What are the definitions in Hong Kong for key terms relating to personal data?

Here are some key concepts in personal data law and regulation in Hong Kong:

Personal Data: Any data relating directly or indirectly to a living individual, from which it is practicable for the individual to be directly or indirectly identified. Personal data must also be in a form in which access to, or processing of, the data is practicable.

Processing: Processing is defined to include amending, augmenting, deleting or rearranging the data, whether by automated means or otherwise.

Data User:  Data user is the equivalent term in the Ordinance for the term “data controller” in other jurisdictions. A Data User is a person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of the data.

Data Subject: In relation to personal data, means the individual who is the subject of the data.

Q:   Before personal data is collected and used, is it required to provide notice to the data subject?

Yes. Before collecting personal data, all practicable steps must be taken to ensure that the data subject is informed of: whether the supply of the data is voluntary or obligatory, the purposes for which the data are to be used, and the classes of persons to whom the data may be transferred.

Before first use of personal data, the data subject must also be informed of his right to request access to, and to correct, the data, as well as the name or job title, and address, of the individual who is to handle any such request.

Q:   Is there a general restriction on what personal data can be collected and used?

Yes. Personal data can only be collected if it is collected for a lawful purpose directly related to a function or activity of the data user, and that the collection is necessary for or directly related to that purpose. Also, the personal data collected by the data user must not be excessive in relation to that purpose. 

In relation to usage, personal data must not be used for a new purpose without the voluntary express consent of the data subject. “New purpose” means any purpose other than the purpose (or a directly related purpose) for which the data was to be used at the time of collection.

Q:   Are there exemptions to the use restrictions of personal data?

Some examples of relevant exemptions are:

  1. Domestic purposes: Personal data held by an individual and concerned only with the management of his personal, family or household affairs; or is held only for recreational purposes.
     
  2. Emergency situations: Personal data is exempted if those restrictions would prejudice identifying an individual who is involved in a life-threatening situation, or carrying out emergency rescue operations.
     
  3. Health: Personal data relating to the physical or mental health, or identity or location, of the data subject is exempt if those restrictions would be likely to cause serious harm to the physical or mental health of the data subject or any other individual.
     
  4. News: Use of personal data is exempted from the restrictions if the use of the data consists of disclosing the data to a data user whose business is news activity; and that such disclosure is made by a person who has reasonable grounds to believe that the publishing or broadcasting the data is in the public interest.
     
  5. Statistics and research: Personal data is exempt from use restrictions if the data is to be used for preparing statistics or carrying out research and not any other purpose, and the resulting statistics or results of the research are not made available in a form which identifies the data subjects or any of them.
     
  6. Legal proceedings: Use of personal data is exempted from the restrictions if the use of the data is required by any rule of law or by an order of a court in Hong Kong, required in connection with any legal proceedings in Hong Kong, or required for establishing, exercising or defending legal rights in Hong Kong.
     
  7. Due diligence: Subject to some conditions, personal data transferred or disclosed for the purpose of a due diligence exercise to be conducted in connection with a proposed business transaction, such as transfer of business or shares, is exempt from use restrictions.  

Q:   How are sensitive personal data and anonymized personal data interpreted in Hong Kong?

Sensitive Personal Data:  Sensitive Personal Data is not separately defined in the Ordinance. The Privacy Commissioner for Personal Data (“Privacy Commissioner”) has issued various publications setting out specific requirements in respect of more sensitive types of personal data. These include identity card number and personal identifiers, consumer credit data, biometric data, and children’s data.

Anonymised Personal Data: Anonymised or pseudonymised personal data is not defined in the Ordinance. The Privacy Commissioner has stated that if the personal data held is anonymised to the extent that the data user (or anyone else) will not be able to directly or indirectly identify the individuals concerned, the data is not considered to be personal data under the Ordinance.

Q:   Are specific kinds of data covered by enhanced legal protection (e.g. child data)?

There are no specific categories of personal data expressly reserved for stronger protection in the Ordinance. According to the principles of proportionality and fairness implicit the DPPs, data users are required to process the personal data having regard to which categories they belong to.

For instance, a data user may not require an individual to provide his Hong Kong identity card (“HKID Card”) number unless authorized by law. The individual should be given the option to choose an alternative in lieu of providing his HKID Card number.

Biometric data should only be collected where it is necessary and with the consent of the data subject. If a data user holds biometric data, it must guard against compromise or theft of the biometric database, and implement effective security measures

In respect of children’s data, it is recommended by the Privacy Commissioner that warning messages may be adopted in the online form to alert children of the minimum amount of information to supply, and that young children be reminded to consult parents or teachers when providing their personal data online.

Q:   Are privacy-by-design and privacy-by-default mandatory?

Privacy-by-design and privacy-by-default are not mandatory. However, these are recommended best practices by the Privacy Commissioner to enhance compliance with statutory data protection principles. Privacy by design and privacy by default are inherent in the principles of proportionality, transparency and fairness reflected in a number of statutory data protection principles.

Q:   Must data protection officers (DPOs) be appointed by law?

There is no statutory requirement to appoint a data protection officer. The Ordinance does require a data user to inform a data subject of his rights to request access, and correct his personal data and the name (or job title) and address of the person to whom such requests should be made. In practice, the person identified for this purpose in a personal information collection statement is usually described as a data protection officer. This is a matter of convention, not a requirement of law. The title does not carry the same obligations or duty as a DPO under GDPR.

In practice, the person identified for this purpose in a personal information collection statement is usually described as a data protection officer. This is a matter of convention, not a requirement of law. The title does not carry the same obligations or duty as a DPO under GDPR.

The Privacy Commissioner has advocated that organisations should develop their own privacy management programme (PMP), and that organisations should appoint a designated person as DPO to oversee the organisations’ compliance with the Ordinance and implementation of PMP. For a major corporation, the DPO should be a senior executive, whereas for a very small organisation, this should be the owner/operator.

The Privacy Commissioner recommends that DPO’s main responsibilities to include:

  1. keeping a record of the organisation’s personal data inventory;
     
  2. initiating and monitoring the annual personal data inventory review exercise;
     
  3. overseeing periodic risk assessment by all departments and reviewing the completed risk assessment report;
     
  4. conducting and reviewing privacy impact assessments;
     
  5. carrying out training and education and promoting staff awareness on privacy protection;
     
  6. coordinating and monitoring the handling of data breach incidents; and
     
  7. providing advice to departments on conducting investigations into data breach indidents.

Q:   Are data protection impact assessments (DPIAs) mandatory?

DPIAs are not mandatory. However, the Privacy Commissioner had made clear that DPIAs are recommended best practice, as they are the best means of adhering to the principles of proportionality, transparency and fairness enshrined in statutory data protection principles. The Privacy Commissioner published an information leaflet setting out information on the process for DPIAs and its general application to data users.

Q:   Is there any obligation to register databases?

No, there is currently no legal requirement to register databases in respect of collection or use of personal data.

A Data User Return Scheme is contemplated under the Ordinance but is not yet in force. Once in force, it will require a specified class of data users to submit data user returns containing prescribed information. The prescribed information will include the kinds of personal data collected, and the purposes for which the personal data are collected, held, processed or used. The Privacy Commissioner will use the returns to maintain a register of data users, which will be available to the public for inspection.

Q:   Are concepts such as controller and data processor defined in Hong Kong law?

Data user is the equivalent concept to a data controller. Data user and processing are clearly defined in the Ordinance.

Data processor means a person who processes personal data on behalf of another person, and

does not process the data for any of the person’s own purposes.

Q:   Does the data user have any obligations if he discloses personal data to a data processor?

If personal data is entrusted by the data user to a data processor, the data user is liable as the principal for any act done by its authorised data processor. The data user must adopt contractual or other means to prevent any personal data transferred to the data processor from being kept longer than necessary for processing the data, and to prevent unauthorised or accidental access, processing, erasure, loss or other inappropriate use of the personal data.

Q:   Are there any restrictions imposed on the third party data processor in respect of data use?

Yes. The third party processors may be subject to criminal liability if he:

  1. discloses any personal data of a data subject which was obtained from the data user without the data user’s consent, with an intent to obtain gain in money or other property, whether for the benefit of the person or another person, or to cause loss in money or other property to the data subject; or
     
  2. discloses any personal data of a data subject which was obtained from the data user without the data user’s consent, and that disclosure causes psychological harm to the data subject.

Q:   What is a “matching procedure”?

“Matching procedure” means any procedure whereby personal data is collected for one or more purposes where: 

  1. there is a comparison of two sets of personal data, each of which is collected for different purposes, e.g. one set of personal data collected for purposes A and B and a second set collected for purposes X and Y;
     
  2. each comparison involves the personal data of 10 or more data subjects;
     
  3. the comparison is not carried out by manual means, e.g. it is carried out by using a computer program designed and applied for performing the comparison process; and
     
  4. the end result of the comparison may be used for the purpose of taking adverse action against any of the data subjects concerned.

Q:   Are there any restrictions on matching procedures?

A matching procedure may not be carried out unless one of the following conditions has been met:

  1. all the individuals who are the subjects of the data to be matched have given express voluntary express consent to the matching procedure;
     
  2. the Privacy Commissioner has given consent;
     
  3. the matching procedure belongs to a class of matching procedures which the Privacy Commissioner has specified by notice in the Government Gazette as a class of such procedures that may be carried out; or
     
  4. the matching procedure is required or permitted by a provision of a statute in Hong Kong.

Q:   Is it possible to use personal data for direct marketing purposes and if so, to what extent?

It is possible to use personal data for direct marketing purposes.

A data user engaging in direct marketing must first obtain the data subject’s consent. The consent of a data subject must be the explicit agreement by the data subject to indicate that he does not object to the use or provision of his personal data for use in direct marketing. If a data subject has orally consented to a data user using the personal data for direct marketing, the data user must within 14 days confirm:

  1. the date of receipt of consent;
     
  2. the permitted kind of personal data; and
     
  3. the permitted class of marketing subjects.

A data subject may request that a data user ceases to use his personal data for direct marketing without charge (also known as the opt-out request).

It is a criminal offence, punishable by fine and imprisonment, to use personal data for direct marketing without the consent of the data subjects. It is a separate offence for data users to provide a third party with personal data for the purposes of direct marketing in return for payment and without the data subject’s consent.

Q:   In the context of direct marketing, are there any specific requirements of the notice provided to the data subject?

Yes. Normal practice is that the data subject is provided a written notice.  The notice must allow the data subject to separately expressly indicate that he does not object to the use or provision of his personal data to the data user for use in direct marketing. The notice must be easily understandable, clear, concise and easily readable.

If personal data is to be used for direct marketing, the notice must include:

  1. a statement that the data user intends to use the personal data of the data subject for direct marketing;
     
  2. a statement that the data user will not use the personal data unless it has received the data subject’s consent to the intended use;
     
  3. a description of the kinds of personal data to be used;
     
  4. a description of the classes of marketing subjects in relation to which the data is to be used; and
     
  5. details of a response channel through which the data subject may, without charge, communicate the data subject’s consent to the intended use.

If personal data is to be transferred to another third party for use in direct marketing, the notice must include:

  1. a statement that the data user intends to provide the personal data of the data subject to another person for use by that person in direct marketing;
     
  2. a statement that the data user may not transfer the data unless it has received the data subject’s consent to the intended use;
     
  3. a statement on whether the personal data is being transferred for gain or a fee;
     
  4. a description of the kinds of personal data to be provided;
     
  5. a description of the classes of persons to which the data is to be provided;
     
  6. a description of the classes of marketing subjects in relation to which the data is to be used; and
     
  7. details of a response channel through which the data subject may, without charge, communicate the data subject’s consent to the intended transfer.

Q:   Is transfer of data outside the Hong Kong jurisdiction regulated?

Not at present. There are restrictions on transfer of personal data to overseas jurisdictions in section 33 of the Ordinance, but these have not come into effect.

As principles of proportionality, fairness and transparency are implicit in the DPPs, the Privacy Commissioner has issued a Guidance Note setting out recommended best practices the transfer of personal data out of Hong Kong. The recommendations include:

  1. The data user should have effective data transfer arrangements to identify any cross-border transfer of personal data;
     
  2. The data user should control activities that involve unintended or unnecessary cross-border data flow; and
     
  3. The data user should keep an inventory of personal data transferred outside Hong Kong.

Q:   Can individuals access their data and request their correction or deletion?

Data access: Data subjects are entitled to request access to personal data. The data users must provide copies of the personal data requested within 40 days of the request. The data users can only charge the data subjects for a non-excessive amount of fee. The Privacy Commissioner has specified a prescribed form in which such a request has to be made.

Data deletion: Data subjects do not have the right to require data users to delete their personal data. Data users are required under DPP2 to take all practicable steps to erase personal data held by them where the data are no longer required for their prescribed purpose, unless erasure is prohibited under any law or it is in the public interest for the data not to be erased.

Data correction: Data subjects are entitled to request the correction of personal data without charge to the data subject. This data correction request must be preceded by a data access request. If the data subject considers that the personal data held by the data user is inaccurate, he may make a request that the data user corrects the data. If the data user is satisfied that the data is inaccurate, no later than 40 days after receiving the request, the data user must make the necessary correction to the data. However, the data user may refuse a personal data correction request in certain circumstances such as when the data user is not supplied with information it reasonably requires to ascertain how the personal data is inaccurate, or that the data user is not satisfied that proposed correction is accurate.

Q:   Are there obligations to adopt reasonable technical, physical and organisational measures to protect the security of personal information?

Data users are required to comply with DPP4 by taking all practical steps to protect the personal data they hold against unauthorised and accidental access, processing, erasure, loss or use. Data users must have particular regard to:

  1. the nature of the data;
     
  2. the potential harm if those events happen; and
     
  3. measures to ensure the integrity, prudence and competence of persons having access to the data.

The Privacy Commissioner has issued a best practice guide to advocate the development of a privacy management program, which encourages data users to appoint or designate a responsible person to oversee data user’s compliance with the Ordinance.

Q:   Are there data breach notification requirements?

There is no data breach notification requirement in Hong Kong. However, the Privacy Commissioner issued a Guidance Note in June 2010 encouraging data users to notify the following parties in response to a data breach:

  1. the affected data subjects;
     
  2. the Privacy Commissioner;
     
  3. relevant law enforcement agencies and regulators; and
     
  4. relevant parties who may be able to take remedial actions to protect the personal data privacy and interests of the data subjects affected.

Notification should be made as soon as practicable after detection of the data breach, except where law enforcement agencies have, for investigative purpose, made a request for a delay.

Q:   What should be included in data breach notifications?

The notice should include:

  1. a general description of what occurred;
     
  2. the date and time of the breach, and its duration, if applicable;
     
  3. the date and time the breach was discovered;
     
  4. the source of the breach;
     
  5. a list of the types of personal data involved;
     
  6. an assessment of the risk of harm (such as identity theft or fraud) as a result of the breach;
     
  7. a description of the measures already taken or to be taken to prevent further loss, unauthorised access to or leakage of the personal data;
     
  8. the contact information of a department or an individual designated by the data user within the organisation for affected data subjects to obtain more information and assistance;
     
  9. information and advice on actions the data subjects can take to protect themselves from the adverse effects of the breach and against identity theft or fraud; and
     
  10. whether law enforcement agencies, the Privacy Commissioner and such other parties have been notified.

Q:   How can individuals exercise their privacy rights?

Individuals can exercise their privacy rights by:

  1. lodging a complaint to the Privacy Commissioner;
     
  2. bringing a court proceeding in Hong Kong to seek compensation for damages; and
     
  3. reporting criminal offences to the Hong Kong Police Force where appropriate.

Q:   Which judicial authorities are competent on privacy and data protection related matters?

The courts of the Hong Kong Special Administrative Region have jurisdiction to deal with privacy and data protection related matters.

Q:   What are the main enforcement measures?

Investigation: The Privacy Commissioner can investigate complaints regarding breaches of the Ordinance, conduct formal investigations, and issue an enforcement notice. However, the Privacy Commissioner has no power to impose fines.

Fines and imprisonment: It is an offence if the enforcement notice is breached. The Privacy Commissioner can institute civil or criminal proceedings against data users in breach of an enforcement notice by referring criminal offences under the Ordinance to the Hong Kong Police Force. They may then be prosecuted through the Hong Kong court system. There are also separate criminal offences under the Ordinance punishable by fines and imprisonment.

Compensation: Data subjects have a right to bring proceedings in court to seek compensation for damage, including damages for injury to feelings.

Q:   Is there a supra-national legal framework that applies in Hong Kong?

No.

Q:   Does any foreign authority have jurisdiction on privacy and data protection matters for citizens of Hong Kong?

No.

Q:   Can authorities access large amounts of data or specific data without a court order?

There are exemptions specified in the Ordinance in which data users can disregard the provisions under the Ordinance.

Data users may disclose personal data to law enforcement agencies, such as the Hong Kong Police Force, if the use of personal data by the law enforcement agencies is for the prevention or detection of crime, or the apprehension, prosecution or detention of offenders.

However, simply because a law enforcement agency requests personal data does not mean that data users can provide the data requested without complying with DPP3. Data users must consider whether non-provision of the data would be so serious as to be likely to prejudice the purposes for which it is collected. The view taken by the Privacy Commissioner is that it is prudent for the data users to make enquiries with the law enforcement agency on the purpose for which the personal data is collected, the reasons why the personal data concerned is relevant, and the reasons why the data subject’s consent should not be obtained by the enforcement agency.

Q:   Is the EU General Data Protection Regulation (“GDPR”) relevant to Hong Kong businesses?

GDPR has no direct application in Hong Kong as it primarily affects businesses operating within the EU.

However, Hong Kong businesses that operate outside the EU may have to comply with GDPR if:

  1. they offer goods or services to data subjects in the EU; or
     
  2. they monitor the behaviour of data subjects in the EU (meaning tracking people on the internet).

GDPR imposes higher standards than Hong Kong personal data protection laws in some respects. So if GDPR applies in respect of a Hong Kong business, then it will have to comply with those higher standards. Breach of the GDPR would lead to fines.

To enquire further about data privacy, please reach out to Tanner De Witt Solicitors:

Pádraig Walsh
Partner | E-mail

Edmond Leung
Partner | E-mail

Jeff Lane
Partner | E-mail

Nigel Stamp
Foreign Legal Consultant | E-mail

Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.