The Personal Data (Privacy) Ordinance (Cap. 486) (Ordinance) regulates the collection and handling of personal data. The Ordinance has been in force since 1996, but in 2012/2013 was significantly amended (notably with regard to direct marketing). More recently, the Personal Data (Privacy) (Amendment) Ordinance (“Amendment Ordinance”) came into force in October 2021 and introduced new offenses of doxxing and corresponding penalties.
Currently, there is no requirement for organizations that control the collection and use of personal data (known as “data users”) to register with the data protection authority. However, under the Ordinance, the PCPD has the power to specify certain classes of data users to whom registration and reporting obligations apply.
There is no legal requirement for data users to appoint a data protection officer in Hong Kong.
A “data user” (which is akin to a “data controller” under GDPR) may collect personal data from a data subject if:
- The personal data is collected for a lawful purpose directly related to a function or activity of the data user;
- The collection is necessary for or directly related to that purpose;
- The data to be collected is adequate but not excessive; and
- All practicable steps have been taken to ensure that the data subject has been informed, on or before collection of the data, of the following:
  - Whether the supply of personal data by the data subject is obligatory or voluntary and, if obligatory, the consequences of not supplying the data;
  - The purposes for which the data will be used;
  - The persons to whom the data may be transferred;
  - The data subject’s right to request access to and correction of their personal data; and
  - The name or job title, and address, of the individual to whom requests for access or correction should be sent.
Data users may only collect, use and transfer personal data for purposes notified to the data subject on collection (see above) unless a limited exemption set out in the Ordinance applies. Any usage or transfer of personal data for new purposes requires the prescribed consent of the data subject.
Personal data is defined in the Ordinance as any data:
- Relating directly or indirectly to a living individual;
- From which it is practicable for the identity of the individual to be directly or indirectly ascertained; and
- In a form in which access to or processing of the data is practicable.
There is no separate concept of sensitive personal data in the Ordinance. However, non-binding guidance issued by the Office of the Privacy Commissioner for Personal Data (PCPD) (in the context of biometric data) has indicated that higher standards should be applied, as a matter of best practice, to more sensitive personal data.
Data users may not transfer personal data to third parties (including affiliates) unless the data subject has been informed of the following on or before their personal data was collected:
- That their personal data may be transferred; and
- The classes of persons to whom the data may be transferred.
There are currently no restrictions on the transfer of personal data outside Hong Kong, as the Ordinance’s cross-border transfer restrictions have not yet been brought into force.
There is no statutory definition of a data breach under the Ordinance. However, under the non-binding guidance issued by the PCPD, a data breach is defined as a “suspected breach of data security of personal data held by a data user, exposing the data to the risk of unauthorized or accidental access, processing, erasure, loss or use.”
Currently there is no mandatory requirement under the Ordinance for data users to notify authorities or data subjects about data breaches in Hong Kong.
Direct marketing: data users may only collect, use and transfer personal data for purposes notified to the data subject on collection (see above), unless a limited exemption set out in the Ordinance applies. Any usage or transfer of personal data for new purposes requires the prescribed consent of the data subject.
Failure to abide by an enforcement notice served by the PCPD is a criminal offense, punishable by a fine of up to HK$ 50,000 and imprisonment for up to two years, as well as a daily penalty of HK$ 1,000 if the offense continues after conviction. In the case of subsequent convictions, additional and more severe penalties apply. There are also certain specific offenses under the Ordinance that are triggered directly, without the intermediary step of an enforcement notice. For example:
- Breach of certain provisions relating to direct marketing is punishable by a fine of up to HK$ 1 million and imprisonment of up to five years, depending on the nature of the breach; and
- Disclosing the personal data of a data subject obtained from a data user without the data user’s consent is an offense punishable by a fine of up to HK$ 1 million and imprisonment of up to five years, where such disclosure is made with a certain intent, or where the disclosure causes psychological harm to the data subject.
Appeals from enforcement decisions of the PCPD may be made to the Administrative Appeals Board.
Under the Amendment Ordinance, it is an offense to disclose, without the data subject’s consent, any personal data with an intent to cause harm to the data subject or any family member of the data subject.
Depending on the severity of the offense, any person who commits the offense is punishable on conviction with:
- A fine at level 6 (i.e. HK$ 100,000) and imprisonment for two years; or
- A fine of HK$ 1,000,000 and imprisonment for five years if the disclosure causes harm to the data subject or any family member of the data subject.
As the anti-doxxing provisions have extra-territorial effect, the PCPD is now empowered to serve cessation notices on operators of electronic platforms, including websites and online applications (regardless of whether these operators are based in Hong Kong or outside Hong Kong), where personal data has been disclosed without the individual’s consent. A cessation notice requires the recipient to take steps to remove the doxxing content or to restrict the disclosure of personal data that has been made.
Failure to comply with a cessation notice is an offense. Persons committing the offense will be liable, on first conviction, to a fine at level 5 (i.e. HK$ 50,000) and imprisonment for two years.
Since the Amendment Ordinance came into force, the PCPD has reportedly made 13 arrests for suspected doxxing offenses, among which four persons have been charged and two convicted. In the first-ever conviction, the court sentenced the defendant to 8 months’ imprisonment.