Hong Kong - Data Protection Overview
1. Governing Texts
The Personal Data (Privacy) Ordinance (Cap. 486) ('PDPO') is the main legislation in Hong Kong which aims to protect the privacy of individuals in relation to personal data, and to regulate the collection, holding, processing, or use of personal data based on a set of data protection principles ('DPPs').
The PDPO came into force on 20 December 1996, and was significantly amended by the Personal Data (Privacy) (Amendment) Ordinance 2012 ('2012 Amendment Ordinance'). Most amendments took effect on 1 October 2012, primarily to introduce a new regime governing the use and provision of personal data in direct marketing. Further amendments to the PDPO were introduced in 2021, pursuant to the Personal Data (Privacy) (Amendment) Ordinance 2021 ('2021 Amendment Ordinance'), which took effect on 8 October 2021. The purpose of these amendments were, primarily, to address the acts of disclosing personal data without consent, i.e. 'doxxing'.
In January 2020, the Constitutional and Mainland Affairs Bureau ('CMAB') issued a discussion paper, which sets out proposed amendments to the PDPO that were under consideration by the Hong Kong Special Administrative Region Government. Possible amendments under contemplation included, among other things, the introduction of a mandatory data breach notification mechanism, increased fines, and sanctioning powers, and the introduction of direct regulations over data processors. However, these proposed amendments were not addressed in the 2021 Amendment Ordinance.
The Office of the Privacy Commissioner for Personal Data ('PCPD') is the authority which enforces the PDPO in Hong Kong. The PCPD has also issued various codes of practice (accessible here) that provide practical guidance in respect of the requirements under the PDPO. While the codes of practice are not legally binding, a breach of them by a data user will give rise to a presumption against the data user in any legal proceedings under the PDPO, unless there is evidence that the requirement of the PDPO was actually complied with in a different way (see Section 13 of the PDPO). The PCPD has also published various guidance notes (accessible here), which are referred to as good practice recommendations for protecting personal data in Hong Kong.
1.3. Case law
2. Scope of Application
The PDPO, guidelines, and codes of practice apply to the collection, holding, processing, or use of personal data by data users.
Under Section 2(1) of the PDPO, any information that:
- relates directly or indirectly to a living person;
- from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and
- exists in a form in which access or processing is practicable.
The PDPO will apply to the collection and processing of personal data irrespective of where in the world the collection or processing occurred provided that the personal data is controlled by a data user in Hong Kong.
Any information that is considered 'personal data' is protected under the PDPO. A data user, who either alone, jointly, or in common with persons, controls the collection, holding, processing, or use of personal data, will be subject to the requirements under the PDPO.
Data processors are not directly regulated. Unlike a data user, a data processor or processing, does not automatically fall within the ambit of the PDPO.
The PDPO provides a number of broad exemptions for personal data in Part 8, which is grouped according to reason the personal data is held. The categories include:
- specified public or judicial interests;
- domestic or recreational purposes; or
- employment purposes.
3.1. Main regulator for data protection
The PCPD is an independent statutory body established to oversee the enforcement of the PDPO. Its main duty, as stated on its website, is to 'ensure the protection of the privacy of individuals in relation to personal data through monitoring and supervising compliance with the Ordinance, enforcing its provisions and promoting the culture of protecting and respecting personal data.'
3.2. Main powers, duties and responsibilities
Under Section 38 of the PDPO, the PCPD has the power to investigate relevant data users when it receives a complaint, or has reasonable grounds to believe that an act or practice has contravened the relevant requirements under the PDPO. Under Section 36 of the PDPO, the PCPD is also vested with the power to inspect any personal data system used by a data user, for the purposes of ascertaining information to assist the PCPD in making recommendations for compliance with the PDPO. Generally, the PCPD has to inform the relevant data user in writing of its intention to carry out an inspection or investigation beforehand, unless there are reasonable grounds to believe that to do so may prejudice the purposes of the investigation (Section 41 of the PDPO). For the purposes of an investigation or inspection, the PCPD may enter into any premises with a warrant or prior written notice (See Section 42 of the PDPO).
If the investigation confirms that the data user has contravened a requirement under the PDPO, the PCPD may serve an enforcement notice on the data user concerned to direct it to take necessary steps to remedy the contravention, and/or instigate a prosecution action. Failure to comply with an enforcement notice, or with the requirements of the PCPD, constitutes a criminal offence (Sections 50A and 50B of the PDPO).
Furthermore, if the data subject has suffered damage as a result of a breach under the PDPO, the PCPD may grant legal assistance to him/her in instituting proceedings against the relevant data user to seek compensation (Section 66B of the PDPO). Prior to instituting an investigation, the PCPD will also try to resolve the matter less formally through conciliation or mediation.
The 2021 Amendment Ordinance further enhances the power of the PCPD to combat doxxing. In addition to creating new offences for the disclosure of personal data without consent (discussed in more detail below), the 2021 Amendment Ordinance authorises the PCPD to conduct criminal investigations and prosecute such offences (Section 64C and Divisions 1 to 3 under Part 9A of the PDPO), and to demand the cessation or restriction of doxxing content by persons both within and outside of Hong Kong (Divisions 4 and 5 under Part 9A of the PDPO). The PCPD has also been granted very broad powers to carry out doxxing-related investigations, which include:
- powers to request materials and assistance from any person upon written notice (Section 66D);
- the ability to apply for a warrant to enter and search premises and to seize evidence (Section 66G); and
- the ability to stop, search, and arrest any person reasonably suspected to have committed doxxing or doxxing-related offences without a warrant (Section 66H).
4. Key Definitions
Data controller: Under Section 2(1) of the PDPO, the term 'data user' approximates the notion of 'data controller' in relation to personal data, and means 'a person who, either alone or jointly or in common with persons, controls the collection, holding, processing or use of (personal) data.'
For a person to be a data user, not only must one of the processes, as enumerated above, occur, but the person must control that process. 'Control' is not defined in the PDPO, but the terms have been judicially considered in R v Griffin (The Times, on 5 March 1993, unreported), where the English High Court held that a self-employed accountant 'controlled' personal data that he received from clients, over which he had the power to manipulate according to his own professional judgement.
- processes personal data on behalf of another person; and
- does not process the data for any of the person's own purposes.
Section 2(12) of the PDPO also provides that a person who holds, processes, or uses personal data 'solely on behalf of another person' and not for one's 'own purposes' is not considered a data user for the purposes of the PDPO. Rather, such person is regarded as a data processor under the PDPO.
- relating directly or indirectly to a living individual;
- from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and
- in a form in which access to or processing of the data is practicable.
For example, names, phone numbers, addresses, identity card numbers, photos, and medical as well as employment records are all viewed as 'personal data' and are thus protected by the PDPO.
Sensitive data: There is no definition of sensitive personal data under the PDPO. Unlike its counterpart in the EU (namely, the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR')), the PDPO does not provide more stringent requirements for categories of sensitive personal data, such as personal data revealing racial or ethnic origin, political opinions, religious beliefs, and health. The PCPD has, however, issued guidance in relation to the more stringent collection, use, retention, and deletion requirements of certain types of personal data, including identity card numbers, personal identifiers, consumer credit data, and biometric data (see, for example, Guidance on Collection and Use of Biometric Data (August 2020) ('the Biometric Data Guidance') and the Code of Practice on Consumer Credit Data (Revised in January 2013)).
Health data: This is not specifically defined in the PDPO. However, patients' health records are likely to be regarded as personal data and are hence protected under the PDPO. The PCPD has published an information leaflet titled the Personal Data (Privacy) Ordinance and Electronic Health Record Sharing System (Points to Note for Healthcare Providers and Healthcare Professionals) in February 2016, which provides practical guidance in relation to the handling of patients' health records.
Biometric data: This is not specifically defined in the PDPO. However, according to the Biometric Data Guidance, biometric data includes 'physiological data with which individuals are born' and 'behavioural data developed by an individual after birth'. For example, physiological data includes DNA samples, fingerprints, palm veins, hand geometry, iris, retina, and facial images. Behavioural data includes handwriting pattern, typing rhythm, gait, and voice pattern.
Pseudonymisation: There is no concept of pseudonymisation in the PDPO. However, the PCPD published a guidance note titled Guidance on Personal Data Erasure and Anonymisation (revised in April 2014), which provides that data that is anonymised, to the extent that the data user (or anyone else) will not be able to directly or indirectly identify the individuals concerned, will not be considered 'personal data' under the PDPO. Anonymising data is therefore an option for handling personal data that is no longer required for the purposes for which it was collected, besides total erasure.
Doxxing: The concept of doxxing is introduced in the 2021 Amendment Ordinance. While not a defined term in the PDPO, doxxing refers to the act of disclosing personal data of a data subject without his/her consent. Under Section 64 of the PDPO, a person who discloses any personal data obtained from a data user without the consent of a data user, with the intent of gaining money or other property or to cause loss to the relevant data subject, commits an offence. It is also an offence to disclose personal data without the data subject's consent, with the intent of causing a specified harm to the data subject or his/her family member or being reckless as to whether such harm would be caused. Specified harm in this context refers to harassment, bodily harm or psychological harm, causing a person reasonably to be concerned for their own safety or well-being, and damage to property.
5. Legal Bases
In general, personal data should only be collected if it is necessary for a lawful purpose directly related to the function or activity of a data user (see DPP 1). Data users are required to take all practical steps to ensure that, on or before the collection of personal data, the data subjects are informed of the purpose of collection, the classes of transferees of the data, as well as whether it is obligatory to provide the data, and if so, the consequences of failing to supply the data. On or before the first use of the data, data subjects must also be informed of their rights to access and to request the correction of their data, as well as the details of the individual to whom such requests may be directed.
If the data user intends to use the personal data collected for a new purpose other than that for which it is collected, the 'prescribed consent' of the data subject must be obtained (see DPP 3). 'Prescribed consent' refers to the express consent of the data subject which has been given voluntarily. If the data subject is a minor (i.e. under the age of 18), a person with parental responsibility may give the prescribed consent on the minor's behalf. Although there is no requirement for prescribed consent to be in writing, it is advisable to obtain written consent.
Furthermore, a data user must obtain the data subject's consent or indication of no objection before using his/her personal data for direct marketing purposes. If such consent is given orally, the data user must send a written confirmation to the data subject within 14 days to confirm such consent and the permitted use of personal data (see Sections 35A and 35E of the PDPO and the PCPD's New Guidance on Direct Marketing (2013)). Accordingly, a data subject is given the right to reject the use of their personal data for such purposes. The term 'direct marketing' is broadly defined to the offering or advertising of the availability of goods, facilities, or services; or the solicitation of donations or contributions for charitable, cultural, philanthropic, recreational, political, or other purposes (Section 35A of the PDPO). A data subject may also, at any time, request a data user to cease using his/her personal data in direct marketing, of which the data user must comply with such a request without charge.
Although it is not an express statutory basis to process personal data for a contract in Hong Kong. Under the DPP1 it is established that personal data shall not be collected unless the data is collected for a lawful purpose directly related to a function or activity of the data user, and the collection of the data is necessary for or directly related to that purpose. As such, having a contract with the data subject which specifies the purpose of such collection may demonstrate a lawful purpose for the collection and processing of personal data under DPP 1.
This is not an express statutory basis for the processing of personal data in Hong Kong. However, Section 60B of the PDPO provides that personal data is exempt from the application of DPP 3 (see section on consent above) if the use of the data is required or authorised by or under any enactment, by any rule of law, or by an order of a court in Hong Kong. Further to this the PDPO also contains an exemption from the application of DPP 3, where personal data required in connection with any legal proceedings in Hong Kong, or required for establishing, exercising, or defending legal rights in Hong Kong.
This is not an express statutory basis for the processing of personal data in Hong Kong. However, if the prescribed consent required for DPP 3 (see section on consent above) is given by a relevant person on behalf of a data subject, a data user must not use the personal data for a data subject for a new purpose unless the data user has reasonable grounds for believing that the use of the data for the new purpose is clearly in the interest of the data subject.
The PCPD recognises that while data privacy is an important right, it must be balanced against other important rights as well as the public interest. Accordingly, Part 8 of the PDPO provides for a number of exemptions to DPP 3 (see section on consent above), including in the following situations:
- personal data held for the purposes of safeguarding security, defence or international relations in respect of Hong Kong, if the application of DPP 3 would likely prejudice these matters;
- personal data held for the purposes of the prevention or detection of crime, and the apprehension, prosecution or detention of offenders, etc., if the application of DPP 3 would likely prejudice these matters;
- personal data relating to the physical or mental health of the data subject, if the application of DPP 3 would likely cause serious harm to the physical or mental health of any other individual; and
- where personal data is disclosed to a data user whose business, or part of whose business, consists of a news activity, such personal data is exempt from DPP 3 if the person making the disclosure has reasonable grounds to believe (or reasonably believes) that the publishing or broadcasting of the data is in the public interest.
Other exemptions: Apart from the above, the PDPO also contains the following key exemptions from the application of DPP 3 (see Section on consent above):
- personal data to be used solely for preparing statistics or carrying out research and the resulting statistics or results of research do not identify the data subjects;
- personal data transferred or disclosed by a data user for the purpose of a due diligence exercise to be conducted for a proposed business transactions involving:
- a transfer of business or property of, or any shares in, the data user;
- a change in the shareholding of the data user; or
- an amalgamation of the data user with another body, subject to certain conditions, including but not limited to that the personal data transferred or disclosed is not more than necessary for the purpose of conducting due diligence; and
- transfer of records to the Government Records Service for preservation purposes.
As set out in section on consent above, a data user must obtain the data subject's consent or indication of no objection before using his/her personal data for direct marketing purposes. Further, if the data user intends to provide a data subject's personal data to another person for the purposes of direct marketing, the data user must inform the data subject in writing, and may not provide the data unless it has received the data subject's written consent to the intended provision. The data user must also provide the following information to the data subject in writing:
- an indication that the data is to be provided for gain (if applicable);
- the kinds of personal data to be provided;
- the classes of persons to which the data is to be provided; and
- the classes of marketing subjects.
The data user must also provide the data subject with a channel through which the data subject may communicate his/her consent in writing (See Section 35J of the PDPO), such as a telephone hotline or a designated email account.
With respect to the processing of employee data, the general principles in the PDPO apply. The PCPD published a code of practice and explanatory documents regarding the processing of employee data, including the Code of Practice on Human Resource Management (Revised in April 2016), Compliance Guide for Employers and Human Resource Management Practitioners (Revised in April 2016), Human Resources Management: Some Common Questions (Revised in April 2016), and Privacy Guidelines: Monitoring and Personal Data Privacy at Work (Revised in April 2016).
The main obligations imposed on data users are set out in the six DPPs incorporated in Schedule 1 of the PDPO.
Collection of personal data
DPP 1 provides that the collection of personal data should be necessary, lawful, and fair, and the data collected must be adequate but not excessive in relation to the purpose/s for collection. It also sets out the information a data user must give to a data subject on or before the collection of data, including:
- the purpose for which the data is to be used;
- the recipients to whom the data may be transferred; and
- whether it is obligatory to supply the data and if so, the consequences of failing to do so.
Before the first use of the collected data, a data user must also take all practicable steps to explicitly inform the data subject of his/her rights of access and correction, as well as the name or job title, and address of the individual who is to handle any such request made from the data subject to the data user (which will be further discussed below).
Data quality and retention
DPP 2 provides that a data user must take all practicable steps to ensure that the personal data collected is accurate, and must not be kept longer than necessary to fulfil the purpose for which it is used.
Use of data
DPP 3 provides that personal data shall only be used for the original purpose/s for which it was collected, or for a directly related purpose. If a data user would like to change the use of data following collection, he/she is required to obtain the 'prescribed consent' of the data subject in advance (See section on consent above).
As noted above, 'prescribed consent' refers to consent that is expressly and voluntarily given and has not been withdrawn by the data subject in writing. When the data subject is a minor (i.e. under the age of 18), a person with parental responsibility in relation to the minor may give the prescribed consent on his/her behalf.
DPP 4 requires a data user to take all reasonably practicable steps to safeguard any personal data from unauthorised or accidental access, processing, erasure, loss, or use.
In ascertaining what constitutes 'practicable steps', a data user should have regard to:
- the kind of data and the harm that could result if any of the above acts should occur;
- the physical location where the data is stored;
- any security measures incorporated (whether by automated means or otherwise) into any equipment in which the data is stored;
- any measures taken for ensuring the integrity, prudence, and competence of persons having access to the data; and
- any measures taken for ensuring the secure transmission of the data.
7. Controller and Processor Obligations
Under the PDPO, there are no requirements to register with, or notify, the PCPD in respect of any usage or collection of personal data in Hong Kong.
Currently, there are no restrictions imposed on transfers of personal data out of Hong Kong under the PDPO. Section 33 of the PDPO prohibits the transfer of personal data to places outside Hong Kong except in specified circumstances, but this provision is not yet in operation. Data users are still, however, obliged to comply with other requirements under the PDPO and the DPPs, as mentioned above, when they transfer personal data overseas. Data users are also encouraged to follow the Guidance on Personal Data Protection in Cross-border Data Transfers, such as:
- to obtain the separate and voluntary written consent from the data subject in respect of the transfer; and
- to adopt the Recommended Model Clauses in the relevant data transfer agreements.
There is no obligation for data users or data processors to maintain data processing records.
There is no mandatory requirement to carry out a Privacy Impact Assessment ('PIA') in Hong Kong, but data users are encouraged to carry out a PIA in certain circumstances, e.g. when data users intend to collect biometric data.
There is no mandatory requirement under the PDPO to appoint a data protection officer ('DPO') in Hong Kong. DPP 1 only requires a data user to inform a data subject of the contact details of the person to whom their data access request and data correction request should be made.
The Privacy Management Programme
Following the footsteps of its counterparts in the EU, the PCPD has advocated since 2014 for organisational data users to implement a privacy management programme ('PMP'), so as to embrace personal data protection as part of their corporate governance responsibilities and apply them as a business imperative throughout the organisation.
In March 2019, the PCPD revised and published its Privacy Management Programme: A Best Practice Guide ('the PMP Guide'), which recommends organisations to form PMPs with three components, namely:
- organisational commitment;
- programme controls; and
- ongoing assessment and revision.
In particular, the PMP Guide encourages organisations to appoint a designated officer (i.e. a DPO) to oversee their compliance with the PDPO and implementation of the PMP. The DPO should be a senior executive of major corporations, or the owner/operator of smaller organisations. The main responsibilities of a DPO include:
- establishing and implementing the PMP programme controls, in particular keeping a record of the organisation's personal data inventory, initiating the commencement of periodic risk assessment to all departments, and coordinating and monitoring the handling of data breach incidents;
- reviewing the effectiveness of the PMP, such as preparing an oversight and review plan for the PMP, and revising the programme controls where necessary; and
- reporting to top management periodically on the organisation's compliance issues, problems encountered, and complaints received in relation to personal data privacy.
According to the Guidance on Data Breach Handling and the Giving of Breach Notifications (Revised 2019) published by the PCPD, a data breach is generally interpreted as a suspected breach of data security of personal data held by a data user, exposing the data to the risk of unauthorised access, processing, erasure, loss, or use. A data breach might amount to a contravention of DPP 4, which requires data users to take all practicable steps to ensure the security of personal data it holds.
It is not a statutory requirement for data users to inform the PCPD, the affected data subjects, or the relevant parties about data breaches. However, it is recommended good practice for data users to notify the incident to PCPD via a Data Breach Notification Form and any affected individuals as soon as possible, so as to ensure immediate remedial measures can be implemented to mitigate any possible harm.
Pursuant to DPP 2, data users are obliged to ensure that the personal data is not retained for longer than necessary for the purposes (including any directly related purpose) for which the data is to be used.
Further, where the personal data held or collected is no longer required for the purpose or any directly-related purpose, the data user is required to take all practicable steps to erase such personal data under their possession (See Section 26 of the PDPO).
Where the data subject is a minor (i.e. under the age of 18), any prescribed consent required for using personal data for a new purpose can be given on his or her behalf by an individual who has parental responsibility for the minor (see DPP 3 and Section 2(1) of the PDPO). Such individuals may also make a data access request or a data correction request on behalf of a minor.
The collection of any data amounting to personal data must comply with the requirements in the PDPO. The PDPO has not designated special categories of personal data in relation to which specific provisions apply. However, as set out above, the PCPD has published codes of practice, guidance notes, and other documents to provide guidance on the processing of certain categories of personal data, e.g. biometric data.
Under Section 65(2) of the PDPO, a data user is liable as principal for the wrongful acts of its authorised data processor. Furthermore, DPPs 2(3) and 4(2) provide that when a data user engages a data processor, whether within or outside Hong Kong, to process personal data on the data user's behalf, the data user must adopt contractual or other means to prevent any personal data transferred to the data processor from being kept longer than is necessary for the processing of the data, and to protect such data from unauthorised or accidental access, processing, erasure, loss, or use. However, neither DPPs 2(3) nor 4(2) provide further explanation on the specific terms that have to be incorporated into a compliant data processing contract. Therefore, the data user should determine what contractual obligations it should impose upon the data processor, having regard to the sensitivity of the personal data, the data processor's business nature, and the privacy risks associated with it.
For example, Stephen Kai-yi Wong and Guobin Zhu, in paragraph 8.38 of the Personal Data (Privacy) Law in Hong Kong: A Practical Guide on Compliance (2016) state that the contract should:
- specify the security measures required to be taken by the data processor to protect the personal data;
- prohibit use or disclosure of the personal data for other purposes; and
- restrict further sub-contracting of the service.
In addition, in September 2012, the PCPD also recommended in its Outsourcing the Processing of Personal Data to Data Processors information leaflet that certain non-exhaustive obligations be imposed on data processors by contract, such as:
- the timely return, destruction, or deletion of personal data when such data is no longer required for the purpose for which it is entrusted by the data user to the data processor;
- the immediate reporting of any sign of abnormalities (e.g. audit trail shows unusual frequent access of the personal data entrusted to the data processor by a staff member at odd hours) or security breaches by the data processor;
- measures required to be taken by the data processor to ensure its relevant staff will carry out the security measures and comply with the contractual obligations regarding the handling of personal data;
- the data user's right to audit and inspect how the data processor handles and stores personal data; and
- the consequences for the data processor's violation of contract.
Despite the above, a data user would remain ultimately accountable for the acts done and practices engaged in by the data processor who acts as its agent and with its express or implied authority.
8. Data Subject Rights
Pursuant to DPP 1, a data user must take all practicable steps to ensure that the data subject is explicitly or implicitly informed, on or before the collection of his/her personal data, of whether it is obligatory or voluntary for him/her to supply the data, and the consequences for failing to provide personal data where such provision is obligatory. All practicable steps must also be taken to ensure that the data subject is explicitly informed, on or before the collection of his/her personal data, of the purpose of collection and the classes of potential transferees. On or before the first use of the personal data, all practicable steps must be taken to inform the data subject of his/her right to request access to and correction of his/her personal data, and the name or job title and the address of the individual who is to handle such requests.
DPP 5 requires a data user to take all practicable steps to disclose information regarding the kind of personal data held by him/her, the main purposes for holding such data, and the policies and practices on how he/she handles personal data.
Pursuant to DPP 6 and Section 18(1) of the PDPO, a data subject is entitled to lodge a formal data access request ('DAR'), so as:
- to be informed by a data user whether the data user holds personal data of which the individual is the data subject; and
- to be supplied with a copy of any such data.
Upon receiving a DAR, the data user must supply the data subject with a copy of the requested data within 40 days after receiving such a request (Section 19(1) of the PDPO). If the data user is unable to comply with the DAR, they are obliged to give written notice and reasons for refusal to the data subject within the time period (see Section 19(2) of the PDPO). The failure to comply with a DAR constitutes an offence under the PDPO.
During the process, a data user may impose a fee for compliance with a DAR, but it should not be excessive. The copy of the requested personal data should also, as far as practicable, be intelligible, readily comprehensible, in an appropriate language, and in a form as specified in the request (Sections 19 and 28 of the PDPO).
If the data subject subsequently detects any inaccuracy in relation to their personal data, they may make a data correction request ('DCR') to the data user (Section 22(1) of the PDPO). The DCR must be preceded by a DAR. If a data user discovers that the data being requested for correction is inaccurate, then the data user must comply with the DCR without requiring a fee (Section 28(1) of the PDPO). A data user must comply with a DCR within 40 days of receiving such a request, with a copy of the corrected data supplied to the requestor (Section 23(1) of the PDPO).
The PDPO does not explicitly provide for the right to erasure, but under DPP 2, all data users must take all practicable steps to ensure personal data is not kept longer than is necessary to fulfil the purpose for which it is collected.
There is no express right for a data subject to object to the processing of his/her personal data under the PDPO once the data has been provided. However, a data subject may request that a data user cease to use the data subject's data for direct marketing purposes.
Non-compliance with the DPPs itself does not constitute a criminal offence. However, as mentioned above, the PCPD may serve an enforcement notice upon the data user after it has completed its investigation. A failure to comply with such notice by the data user is an offence and can result in a maximum fine of HKD 50,000 (approx. €5,600) and imprisonment for two years on a first conviction, or HKD 100,000 (approx. €11,300) and imprisonment for subsequent convictions (Section 50A of the PDPO).
Further, a data user who uses a data subject's personal data in direct marketing without the latter's consent, or fails to provide relevant information such as the kinds of personal data to be used commits an offence, which is punishable by a fine of HKD 500,000 (approx. €56,500) and imprisonment for three years (Section 35C of the PDPO). A data user that provides personal data to a third party for gain and for the purposes of direct marketing will also be liable to a fine of HKD 1 million (approx. €112,900) and to imprisonment for five years.
Further, a person who discloses personal data without the data subject's consent, with intent to or recklessly causing a specified harm to the data subject or his/her family member, is liable on summary conviction to a fine of HKD 100,000 (approx. €11,300) and to imprisonment for two years. Further, where a specified harm is caused to the data subject or his/her family member, the responsible individual is liable on conviction on indictment to a fine of HKD 1 million (approx. €112,900) and to imprisonment for five years (Sections 64(3B) and 64(3D)).
An individual who suffers damage as a result of a contravention of the PDPO in relation to his/her personal data may seek compensation from the data user concerned, including damages for injury to feelings (Section 66 of the PDPO).
The PCPD does not systematically publish decisions or reports of its investigations. However, since the introduction of the direct marketing provisions in the PDPO, this area has been a priority of the PCPD's enforcement. As reported in the latest annual report of the PCPD, covering the reporting year 2020/2021, direct marketing contraventions account for one third of all conviction cases published. The rest of the cases concern doxxing, which reflects the growing focus of the PDPC on combatting such acts.
Data breaches and data security are also increasingly an area of enforcement focus. In October 2018, Cathay Pacific Airways Limited lodged a data breach notification in relation to its discovery of the unauthorised access to personal data of approximately 9.4 million of its passengers. The PCPD completed its investigation and published an investigation report on 6 June 2019. The PCPD found contraventions of DPP 2 for Cathay's failure to take all reasonable practicable steps to ensure that the Hong Kong Identity Card numbers of its passengers were kept no longer than necessary for the fulfilment of the defunct verification purpose. The PCPD also found that Cathay contravened DPP 4, as it did not take all reasonably practicable steps to protect its passengers' personal data. The PCPD served an enforcement notice on Cathay directing it to take remedial actions, including to engage an independent data security expert to overhaul its systems containing personal data and to devise a clear data retention policy to specify the retention period(s) of passengers' data.