1. Please provide an overview of the legal and regulatory framework governing data protection, privacy and cybersecurity in your jurisdiction (e.g., a summary of the key laws; who is covered by them; what sectors, activities or data do they regulate; and who enforces the relevant laws).
Data protection and privacy
Personal Data (Privacy) Ordinance (Cap. 486) (the PDPO)
The key personal data protection framework in Hong Kong is in the PDPO. The PDPO focuses on six Data Protection Principles (the DPPs), restricts direct marketing without consent, and establishes the Office of the Privacy Commissioner for Personal Data (the PCPD) as the supervisory authority.
All “data users” are required to comply with the six DPPs, summarised as follows:
- DPP1 – Purpose and manner of collection: personal data shall only be collected for a lawful purpose directly related to a function or activity of the data user, should be necessary and adequate but not excessive for that purpose, the method of collection should be lawful and fair, and certain information must be provided to data subjects about the collection.
- DPP2 – Accuracy and retention: data users must take all practicable steps to ensure that personal data is accurate, up-to-date and kept no longer than necessary, and data users must require data processors to comply with the retention requirement.
- DPP3 – Use of data: personal data should only be used for the purposes for which they were collected or a directly related purpose, unless the data subject’s informed consent has been obtained. A data subject can withdraw his/her prior consent by written notice to the data user.
- DPP4 – Data security: data users must take “all practicable steps” to ensure that personal data held by data users are protected against unauthorised or accidental access, processing, erasure, loss or use, having regard to the nature of the data and potential harm to the data subject, and data users must require data processors to comply with the data security requirement.
- DPP5 – Openness and transparency: data users must take all practicable steps to ensure openness of their personal data policies and practices, including providing general information about the kinds of personal data they hold and the main purposes for which personal data are used.
- DPP6 – Access and correction: data subjects have rights of access to and correction of their personal data (supplemented by Part 5 of the PDPO, covering data access requests and data correction requests).
Contravention of any of the DPPs is not currently a direct offence of itself, although the PCPD can investigate and issue a public enforcement notice, breach of which is an offence. Contravention of certain specific provisions of the PDPO is also an offence, including not erasing personal data that is no longer required for the purpose for which it is used, and disclosure of personal data obtained from a data user without the data user’s consent.
The maximum penalty for an offence under the PDPO is a fine of HK$1 million and imprisonment for 5 years (depending on the provision breached).
The PCPD is the designated personal data privacy regulator and an individual can complain to the PCPD if they suspect a data user has possibly breached the PDPO. In addition to the general personal data protection framework under the PDPO, there are sector-specific personal data protection requirements imposed by some industry regulators (see question 35 below).
Personal Data (Privacy) (Amendment) Ordinance 2021 (the Amendment Ordinance)
On 8 October 2021, the Hong Kong SAR Government implemented the Amendment Ordinance, which amends the PDPO to include ‘doxxing’ offences. Doxxing is the act of publishing private or identifying information about an individual on the internet, typically for malicious purposes. The amendments fall into three categories:
- the criminalisation of certain doxxing conduct;
- the PCPD’s criminal investigation and prosecution powers in relation to such offences; and
- the PCPD’s power to direct the removal of doxxing content and issue cessation notices with extra-territorial effect.
The Amendment Ordinance provides two-tier doxxing offences as follows:
- disclosing personal data of a data subject without their consent, with an intent to cause specified harm to the data subject or any of their family members, or being reckless as to whether any specified harm would be or likely be caused – punishable on conviction by up to a HK$100,000 fine and 2 years’ imprisonment; and
- where, in addition to the above, a specified harm is actually caused to the data subject or their family members – punishable on conviction by up to a HK$1,000,000 fine and 5 years’ imprisonment.
Please see question 42 below regarding the enforcement of the doxxing offences.
2. Are there any expected changes in the data protection, privacy or cybersecurity landscape in 2024–2025 (e.g., new laws or regulations coming into effect, enforcement of such laws and regulations, expected regulations or amendments (together, “data protection laws”))?
The PDPO has been under review since the publication of a government paper in January 2020 (LC Paper No CB(2)512/19-20(03)), to strengthen the protection of data subjects. The proposed reforms include:
- establishing a mandatory data breach notification mechanism – to require the data user to (a) report data breaches as soon as practicable and, in any event, within five business days, and (b) notify the impacted individuals where necessary;
- requiring data users to formulate an express and clear data retention policy – to specify a retention period for the personal data collected;
- empowering the PCPD to impose administrative fines directly for breaches of the PDPO – to raise the fine levels according to the annual turnover of the data user; and
- introducing direct regulation of data processors (who are not currently regulated directly) – to extend the obligation to protect personal data on data users as well as data processors.
While the PCPD continues to work towards updating the PDPO and to update the Legislative Council on the legislative amendments, the timing remains uncertain. In February 2024, the PCPD provided an update but did not confirm whether the legislative amendments would be carried out within 2024. In April 2024, the PCPD again did not confirm timing of the legislative amendments, but indicated that it would proactively carry out compliance checks and inspections.
3. Are there any registration or licensing requirements for entities covered by these data protection laws, and if so what are the requirements? Are there any exemptions?
No. There are currently no mandatory registration or licensing requirements for data users, data processors, or other persons covered by the PDPO.
4. How do these data protection laws define “personal data,” “personal information,” “personally identifiable information” or any equivalent term in such legislation (collectively, “personal data”) versus special category or sensitive personal data? What other key definitions are set forth in the data protection laws in your jurisdiction?
The PDPO adopts the key definitions “personal data”, “data subject”, “data user” (not “data controller”), and “data processor”:
Personal data means information which:
- relates directly or indirectly to a living individual;
- from which it is practicable to identify that individual directly or indirectly (including using other data held by the same data user); and
- is in a form in which access to or processing of the data is practicable.
There is no concept of sensitive personal data under the PDPO and there are no additional restrictions specifically imposed with respect to sensitive personal data. However, the PCPD has published certain codes and guidelines regarding the collection and use of certain types of personal data which will require special attention (including Hong Kong identity cards, biometric data and consumer credit data – see further question 8 below).
The type and sensitivity of personal data is also relevant in considering whether to give a voluntary data breach notification. The PCPD’s non-binding Guidance on Data Breach Handling and the Giving of Breach Notifications (https://www.pcpd.org.hk//english/resources_centre/publications/files/guidance_note_dbn_e.pdf), updated in June 2023, suggests giving a data breach notification to the PCPD and affected data subjects “as soon as practicable after becoming aware of a data breach, particularly if the data breach is likely to result in a real risk of harm to those affected data subjects”. This reflects the PCPD’s view that data breach notifications should be made in most cases, even though they are not legally required under Hong Kong law.
Data Subject means a (living) individual who is the subject of personal data.
Data User means a person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of personal data. A data user is a person who makes a substantive decision as to how to use an item of personal data. There can therefore be more than one Data User in respect of any item of personal data (for example if different group entities use personal data for different reasons). The PDPO does not use the definition “data controller”.
Data Processor means a person who processes personal data on behalf of another person (a data user), instead of for his/her own purpose(s). A data processor can make technical decisions on how to implement a data user’s instructions regarding personal data, but cannot make any substantive decision without becoming a data user. Data processors are not directly regulated under the PDPO. Instead, data users are required, by contractual or other means, to ensure that their data processors meet the applicable requirements of the PDPO.
The Amendment Ordinance amends the PDPO to include the following definition (used in particular for the doxxing offences):
Specified harm means harassment, molestation, pestering, threat or intimidation to the person which may take the form of: psychological pressure; bodily or psychological harm to the person; harm causing the person reasonably to be concerned for or worried about the person’s safety or well-being; or damage to the property of the person.
Data breaches: There is currently no statutory definition of “personal data breach” in the PDPO. However, the PCPD is considering the inclusion of a definition as part of its review of the PDPO. The PCPD’s updated Guidance on Data Breach Handling and Data Breach Notifications gives an indication of the direction, defining a data breach as being generally regarded as “a suspected or actual breach of the security of personal data held by a data user, which exposes the personal data of data subject(s) to the risk of unauthorised or accidental access, processing, erasure, loss or use”.
5. What are the principles related to the general processing of personal data in your jurisdiction? For example, must a covered entity establish a legal basis for processing personal data, or must personal data only be kept for a certain period? Please outline any such principles or “fair information practice principles” in detail.
The key principles under the PDPO for processing personal data are contained in the six DPPs (outlined at question 1 above). A main objective of the DPPs is to ensure that collection of personal data is minimal and conducted on a fully-informed basis and in a fair manner. Personal data should be processed securely, only kept for as long as necessary and use of the data should be limited to or related to the original collection purpose. The DPPs also outline data subjects’ rights to access and make corrections to their personal data.
6. Are there any circumstances for which consent is required or typically obtained in connection with the general processing of personal data?
DPP1(1)(a) provides that personal data must not be collected except for a lawful purpose directly related to a function or activity of the party that will use the data, while DPP1(3) requires that the data subject be notified explicitly of certain information related to the collection of data before the first collection (save for limited circumstances). The PDPO therefore adopts an initial ‘implied consent’ approach.
DPP3 prohibits the use of personal data for any new purpose which is not the original purpose when collecting the data (or a related purpose), except where the data subject’s express and voluntary consent has been obtained.
DPP1 and DPP3 combined mean that it is not possible to obtain a blanket consent (in a notice or agreement between the data user and data subject) that purports to give the data user the right to use personal data for any purpose whatsoever.
7. What are the rules relating to the form, content and administration of such consent? For instance, can consent be implied, incorporated into a broader document (such as a terms of service) or bundled with other matters (such as consents for multiple processing operations)?
Other than as set out below, there are no requirements for the form in which consent is obtained or handled.
Despite the ability to rely on implied consent for primary data use, it is advisable to obtain written consent (which may be indicated by a signature or a tick box).
Use outside original purpose
As noted in question 6 above, DPP3 requires a data user to obtain express and voluntary consent to use personal data for new purposes beyond the initial purpose of collection.
Direct marketing
Part 6A of the PDPO requires data users to obtain the explicit informed consent of a data subject before using the data subject’s personal data for direct marketing or transferring the data to a third party for direct marketing. Silence cannot constitute consent. For further information on direct marketing see question 29 below.
Biometric data
Any consent obtained from a data subject for the collection of biometric data must be voluntary. Compulsory collection of biometric data without any legal basis or reasonable grounds might not be regarded as fair.
8. What special requirements, if any, are required for processing sensitive personal data? Are any categories of personal data prohibited from collection or disclosure?
There is no definition of sensitive personal data under the PDPO, although the PCPD uses the term in its guidance. The Guidance on Data Breach Handling and Data Breach Notifications expressly refers to the “kind and sensitivity” of leaked personal data as a factor to consider in assessing the risk of harm of a data breach: the more sensitive the data, the higher the risk of potential harm and the higher the expectation that a data breach notification be made.
DPP4(1)(a) provides that a data user must take all practicable steps to protect personal data by reference to the kind of data and the harm that could result from unauthorised collection or disclosure.
The PCPD has issued Codes of Practice (the Codes) covering certain types of sensitive personal data, relating to:
- Identity Card Numbers and Other Personal Identifiers (https://www.pcpd.org.hk/english/data_privacy_law/code_of_practices/files/picode_en.pdf);
- Human Resource Management (https://www.pcpd.org.hk/english/data_privacy_law/code_of_practices/files/hrdesp_e.pdf); and
- Consumer Credit Data (https://www.pcpd.org.hk/english/data_privacy_law/code_of_practices/files/CCDCode_2013_e.pdf).
The Codes are not legally binding, but a breach of a Code by a data user can give rise to a presumption against the data user in any legal proceedings under the PDPO.
The PCPD has also issued guidance on personal data collection and disclosure and use in certain scenarios, including by employers, schools, in certain industries (such as mobile service operators, property management, banking and insurance), for certain types of personal data (such as biometric data), and by certain methods (such as through the internet).
The PCPD has indicated across several of these guidance notes that sensitive personal data should be encrypted when transmitted, processed or stored.
Electronic Health data
In addition to the general requirements of the PDPO, the Electronic Health Record Sharing System Ordinance (Cap. 625) regulates the collection, sharing, use and safe-keeping of patients’ health data under the Electronic Health Record Sharing System. This relates to healthcare providers only. Further information on health data is set out at question 35 below.
9. How do the data protection laws in your jurisdiction address health data?
Electronic health data
In addition to the general requirements of the PDPO, the Electronic Health Record Sharing System Ordinance (Cap. 625) regulates the collection, sharing, use and safe-keeping of patients’ health data under the Electronic Health Record Sharing System. This relates to healthcare providers only. Further information on health data is set out at question 35 below.
Employees’ health data
The PCPD has issued the Guidance for Employers on Collection and Use of Personal Data of Employees during COVID-19 Pandemic (https://www.pcpd.org.hk/english/resources_centre/publications/files/covid19_pandemic.pdf) regarding the collection and use of personal data of employees. The guidance provides various recommendations to help employers and employees understand the employers’ obligations under the PDPO when it comes to the collection and use of employees’ health data in the context of the COVID-19 pandemic.
10. Do the data protection laws in your jurisdiction include any derogations, exclusions or limitations other than those already described? If so, please describe the relevant provisions.
Personal Data (Privacy) Ordinance (Cap. 486)
Part 8 of the PDPO exempts certain specified DPPs and provisions of the PDPO from applying to personal data held in specified circumstances, including (but not limited to):
- Personal data held by a court, a magistrate or a judicial officer in the course of performing judicial functions;
- Personal data relating to staff planning and personal references;
- Personal data held for the purposes of prevention or detection of crime, the apprehension, prosecution or detention of offenders and other similar provisions;
- Where personal data is disclosed to a data user involved in news activity and the disclosing person has reasonable grounds to believe (and reasonably believes) that the publishing or broadcasting is in the public interest; and
- Personal data covered by legal professional privilege.
These exemptions operate as a defence for data users that fail to comply with the exempted requirements under the PDPO. The exemptions applicable in each circumstance are different, and it is advisable to review the table published by the PCPD summarising the exemptions.
Personal Data (Privacy) (Amendment) Ordinance 2021
The Amendment Ordinance provides for four statutory defences for the two-tier doxxing offences (see question 1 above) including:
- where there was a reasonable belief that the disclosure was necessary for preventing or detecting crime;
- where there was a reasonable belief that the data subject gave their consent to the disclosure;
- where there was a reasonable belief that disclosure was in the public interest and was made for news activity purposes; and
- where the disclosure was required or authorised by law or a court order.
11. Do the data protection laws in your jurisdiction address children’s and teenagers’ personal data? If so, please describe how.
The PDPO does not contain specific provisions relating to children’s and teenagers’ personal data, although the PDPO and the DPPs apply equally to such data.
If the data subject is a child and their consent is required for the collection of personal data, a parent or guardian may give the prescribed consent. The PCPD has issued Guidance on the Collection and Use of Personal Data through the Internet – Points to Note for Data Users Targeting at Children (https://www.pcpd.org.hk/english/resources_centre/publications/files/guidance_children_e.pdf), which specifically relates to the collection of children’s data, as well as a series of publications and activities to promote children’s personal data privacy (including a Children Privacy ‘thematic website’).
The PCPD has not issued any specific guidance specifically addressing teenagers’ personal data. The PCPD has, however, held that “collection of personal data from teenagers involve[s] great privacy concerns” and it is the responsibility of persons collecting personal data from teenagers to “clearly explain the application form… so that they would not provide the personal data of their parents without their knowledge” (https://www.pcpd.org.hk/english/enforcement/case_notes/casenotes_2.php?id=2019C03&content_type=1&content_nature=&msg_id2=500).
12. Do the data protection laws in your jurisdiction address online safety? Are there any additional legislative regimes that address online safety not captured above? If so, please describe.
The PDPO does not contain specific provisions relating to online safety.
The PCPD has, however, issued media statements calling for greater vigilance when teenagers go online, or chat on the internet, on online social platforms or via instant messaging (https://www.pcpd.org.hk/english/news_events/media_statements/press_20201123.html). The PCPD also recommends that parents and teachers try to better understand teenagers’ online habits and related potential risks and remind teenagers to be more vigilant when they go online.
13. Is there any regulator in your jurisdiction with oversight of children’s and teenagers’ personal data, or online safety in general? If so, please describe, including any enforcement powers. If this regulator is not the data protection regulator, how do those two regulatory bodies work together?
The PCPD is the designated personal data privacy regulator regardless of age. An individual can complain to the PCPD if they suspect a data user has possibly breached the PDPO.
There is no designated regulator for overseeing children’s and teenagers’ online safety in Hong Kong. An individual may seek help from the PCPD for data privacy issues or report to the Hong Kong Police Force if the complaint is criminal in nature.
14. Are there any expected changes to the online safety landscape in your jurisdiction in 2024–2025?
There are no expected changes to the online safety landscape in Hong Kong in 2024–2025. However, the upcoming amendments to the PDPO may include amendments that touch on online safety.
15. Does your jurisdiction impose ‘data protection by design’ or ‘data protection by default’ requirements or similar? If so, please describe the requirement(s) and how businesses typically meet such requirement(s).
The PDPO does not impose ‘data protection by design’ or ‘data protection by default’ as requirements.
The PCPD encourages businesses to adopt data protection by design and has developed (jointly with the Singapore Personal Data Protection Commission) a Guide to Data Protection By Design for ICT Systems (https://www.pcpd.org.hk//english/resources_centre/publications/files/Guide_to_DPbD4ICTSystems_May2019.pdf).
16. Are controllers and/or processors of personal data required to maintain any internal records of their data processing activities or establish internal processes or written documentation? If so, please describe how businesses typically meet such requirement(s).
There is no mandatory obligation in the PDPO for data users and data processors to keep records of their processing activities. However, the PCPD’s Guidance on Outsourcing the Processing of Personal Data to Data Processors (https://www.pcpd.org.hk/english/publications/files/dataprocessors_e.pdf) recommends keeping records of all personal data transferred to a third party for processing.
Under the DPPs, data users engaging a data processor (within or outside Hong Kong) must adopt contractual or other means to:
- prevent any personal data transferred from being kept longer than is necessary for processing (DPP2(3)); and
- prevent unauthorised or accidental access, processing, erasure, loss or use (DPP4(2)).
The PCPD recommends incorporating additional contractual clauses in service contracts, or entering into separate contracts with data processors, that could impose obligations such as keeping records and immediately reporting any sign of abnormalities or security breaches.
The PDPO also includes provisions prohibiting the transfer of personal data outside Hong Kong (and the transfer between two jurisdictions outside Hong Kong where the data user is in Hong Kong) unless certain conditions are met. However, these provisions have never been brought into effect.
In addition to these provisions, it is recommended for data users and data processors to keep records of data processing activities in order to be able to respond promptly and comprehensively to any enquiry or investigation by the PCPD into compliance with the DPPs, or to any complaint by a data subject.
As noted in question 1 above, the PCPD is considering specific legal obligations for data processors, but these are not yet known.
17. Do the data protection laws in your jurisdiction require or recommend data retention and/or data disposal policies and procedures? If so, please describe such requirement(s).
Under the PDPO there is currently no specified data retention period nor any statutory obligation to maintain a data retention policy.
Under DPP2, data users must take all practicable steps to ensure that personal data is accurate and is not kept longer than is necessary for the fulfilment of the purpose for which the data is used. If a data user engages a data processor for handling personal data of other persons, the data user should adopt contractual or other means to ensure that the data processor complies with the same retention requirement.
In accordance with section 26 of the PDPO, data users must take all practicable steps to erase personal data held when the data is no longer required for the purpose for which it was used, unless any such erasure is prohibited under law or it is in the public interest not to have the data erased.
As noted in question 2 above, the PCPD is currently considering a prescribed data retention period, and a requirement for data users to have a data retention policy (likely to be supplemented by templates and guidelines published by the PCPD).
18. Under what circumstances is a controller operating in your jurisdiction required or recommended to consult with the applicable data protection regulator(s)?
There is currently no obligation to consult with the PCPD, or to issue data breach notifications to the PCPD.
In June 2023, the PCPD issued new Guidance on Data Breach Handling and Data Breach Notifications To Safeguard Data Security (https://www.pcpd.org.hk/english/resources_centre/publications/files/guidance_note_dbn_e.pdf). Even though data breach notifications are not mandatory in Hong Kong, the updated guidance indicates that the PCPD expects organisations to notify the PCPD and affected data subjects ‘as soon as practicable’ after becoming aware of a data breach, particularly (but not only) if the data breach is likely to result in a real risk of harm to those affected data subjects.
The PCPD has also launched an e-Data Breach Notification Form making it easier to file a data breach notification with the PCPD (https://www.pcpd.org.hk/english/enforcement/data_breach_notification/dbn_form.html). The online form is a web-based form with guided questions and multiple-choice answers which enables organisations to understand the details and potential impact of data breach incidents more comprehensively and effectively.
Data breach notifications are currently voluntary. However, the PCPD can take into account whether data breach notifications were given in considering whether a data user has complied with the DPPs (in particular DPP4 – data security), and the updated guidance makes clear that the PCPD expects data breach notifications in most cases. From 2023 to April 2024, the PCPD issued 5 investigation reports relating to hacking and improper handling of personal data, and indicated that data breach notifications should be made on a timely basis.
In 2023, the PCPD received 157 data breach notifications, with 48 from the public sector and 109 from the private sector. This represented a significant increase of nearly 50% compared to 105 data breach notifications in 2022. The data breach incidents involved hacking, loss of documents or portable devices, inadvertent disclosure of personal data by fax, email or post, employee misconduct, system misconfiguration, etc. The number of data breach notifications involving hacking more than doubled, from 29 cases in 2022 (28% of data breach incidents in 2022) to 64 cases in 2023 (41% of data breach incidents in 2023).
The PCPD’s review of the PDPO includes the potential introduction of mandatory data breach notifications to both the PCPD and data subjects within a specified timeframe (still to be set).
19. Do the data protection laws in your jurisdiction require or recommend risk assessments in connection with data processing activities and, if so, under what circumstances? How are these risk assessments typically carried out?
Although not mandatory, the PCPD recommends that organisations implement a Privacy Management Programme, which should include periodic risk assessments and privacy impact assessments (see the PCPD’s Privacy Management Programme: A Best Practice Guide (https://www.pcpd.org.hk/english/publications/files/PMP_guide_e.pdf)).
The PCPD recommends that organisations conduct yearly risk assessments to ensure their privacy policies comply with the PDPO and privacy impact assessments before launching any new projects, products or services to determine potential privacy risks at an early stage (and make any necessary changes and improvements).
20. Do the data protection laws in your jurisdiction require a controller’s appointment of a data protection officer, chief information security officer, or other person responsible for data protection, and what are their legal responsibilities?
No. The PDPO does not require organisations to appoint a data protection officer (DPO), a chief information security officer or other similar officer, although the PCPD recommends that organisations implement a Privacy Management Programme including the appointment of a responsible person to oversee compliance with the PDPO.
Organisations may need to appoint a DPO or representative under any other laws to which their activities may be subject (such as PRC law).
21. Do the data protection laws in your jurisdiction require or recommend employee training related to data protection? If so, please describe such training requirement(s).
Several non-binding guidance notes from the PCPD recommend employee training, including the recommended Privacy Management Programme. Whether training has been provided or undertaken may be a factor the PCPD considers in assessing whether there has been a breach of a DPP.
22. Do the data protection laws in your jurisdiction require controllers to provide notice to data subjects of their processing activities? If so, please describe such notice requirement(s) (e.g., posting an online privacy notice).
Under DPP1(3) of the PDPO, on or before the collection of personal data from a data subject, the data user must take all practicable steps to inform the data subject of various matters relating to the processing of the data, including:
- the purposes for which the personal data will be used;
- whether supplying the personal data is obligatory or voluntary and the consequences for failing to supply obligatory information;
- the classes of persons to whom personal data may be transferred or disclosed;
- if applicable, information about the use and/or provision of personal data for direct marketing; and
- data subjects’ rights of access to and correction of their personal data, and the contact details for the person responsible for handling those requests.
Exemptions to this rule exist, including where the personal data was not collected directly from the data subject or if the data could not be used to re-identify the data subject.
In practice, data users provide a Personal Information Collection Statement (PICS) or privacy notice. Where direct communication with a data subject is not possible, the data user should consider other practical alternatives to bring the notice to the attention of the data subject such as including a PICS or privacy notice on the relevant website. In AAB No. 25/1999, a hospital was found to have breached DPP1(3) by failing to take all reasonably practicable steps to bring the PICS to the attention of its private patients (finding that a notice displayed in the waiting room was not prominent enough).
-
Do the data protection laws in your jurisdiction draw any distinction between the controllers and the processors of personal data, and, if so, what are they?
Yes, the PDPO draws a distinction between data users and data processors (see question 4 above).
Data processors (in that capacity) are subject to obligations by way of flow-down contractual or other means which a data user must adopt, e.g. to prevent any personal data being kept longer than is necessary for processing (DPP2(3)) and to prevent unauthorised or accidental access, processing, erasure, loss or use of the data (DPP4(2)).
A data processor can also be a data user if it decides the purpose for and manner in which personal data is to be processed (rather than simply the technical methods by which a data user’s instructions will be carried out).
While data processors are not subject to the PDPO, data users that use data processors to process personal data on their behalf (or for their purposes) are liable for any violations of the PDPO by the data processor as if they were processing the personal data themselves.
The PCPD has issued non-mandatory Guidelines on Outsourcing the Processing of Personal Data to Data Processors (https://www.pcpd.org.hk/english/publications/files/dataprocessors_e.pdf).
-
Do the data protection laws in your jurisdiction place obligations on processors by operation of law? Do the data protection laws in your jurisdiction require minimum contract terms with processors of personal data?
There are no minimum contract terms, or standard contractual clauses, required for processors of personal data. Data users are free to consider what obligations best fit the circumstances (such as the amount and sensitivity of personal data involved, the nature of the data processing and the harm that may result from a security breach), although contractual obligations implemented to fulfil the data user’s obligations under DPP2(3) and DPP4(2) may include:
- Security measures required to be taken by the data processor to protect the personal data;
- Timely return, destruction or deletion of personal data when it is no longer required for the purpose it was entrusted to the data processor;
- Measures to be taken by the data processors, such as policies and procedures and training for staff; and
- A data user’s right to audit and inspect how the data processor handles and stores personal data.
-
Are there any other restrictions relating to the appointment of processors (e.g., due diligence, privacy and security assessments)?
There are no formal restrictions relating to the appointment of processors. However, the PCPD may take into account a data user’s procedures for appointing a data processor in its inspections. The PCPD has indicated in various inspection reports that organisations should carry out the following steps in appointing data processors:
- Incorporate procedures relating to the handling of data breaches into contracts signed with data processors, so that both parties may promptly respond to and take remedial actions on data breach incidents;
- Conduct a privacy impact assessment on data processors’ work practices and procedures before engaging them to handle personal data, so as to analyse the data processing steps and evaluate the associated privacy risks, thus facilitating the introduction of measures that could forestall or mitigate the impact on personal data privacy;
- After the appointment of data processors, carry out regular assessment on the data processors’ handling of personal data to consider if they have fulfilled the mutually agreed standards, and formulate proper response plans with data processors when unforeseeable privacy risks arise; and
- Consider revising the policy for appointing data processors and reviewing the contractual terms with a data processor on protection of personal data privacy.
-
Please describe any restrictions on monitoring, automated decision-making or profiling in your jurisdiction, including through the use of tracking technologies such as cookies. How are these terms defined, and what restrictions on their use are imposed, if any?
There are currently no laws or restrictions dealing specifically with tracking technologies such as cookies or profiling and automated decision making. However, online tracking activities must comply with the provisions of the PDPO.
The PCPD has issued an information leaflet on Online Behavioural Tracking (https://www.pcpd.org.hk/english/publications/files/online_tracking_e.pdf) which reiterates the need for organisations to comply with the requirements of the PDPO, including the DPPs, if their online tracking involves the collection of personal data. The PCPD recommends that organisations:
- Inform users of the types of information that are being tracked and whether any third party is tracking their behavioural information;
- Offer users a way to opt out of the tracking; and
- Provide a PICS to data subjects (as outlined under DPP1(3)) if personal data of website users is being collected.
Online tracking information held by data users should be accurate, should not be kept for longer than necessary, and should only be used for the purposes originally stated at the time of collection. Data subjects’ express and voluntary consent must be given for any change to the purpose of use.
If cookies are used to collect behavioural information, it is also recommended that a reasonable expiry date for the cookies is pre-set, that the contents of the cookies are encrypted whenever appropriate, and that organisations do not deploy techniques that ignore browser settings on cookies unless they can offer an option to website users to disable or reject the cookies.
If a website deploys third-party cookies, regardless of whether any personal data is involved, it should state clearly what kind of information the cookies collect, to whom the information may be transferred and for what purposes.
Organisations which use online tracking technologies should also adopt privacy-enhancing technologies to minimise the risk of personal data exposure, such as encryption or hashing to maintain data confidentiality, a ‘robots exclusion protocol’ to prevent search engines from indexing websites, and ‘anti-robot verification’ to stop databases from being downloaded in bulk by automation.
Further guidance can be found in the PCPD’s Guidance for Data Users on the Collection and Use of Personal Data through the Internet (https://www.pcpd.org.hk//english/resources_centre/publications/files/guidance_internet_e.pdf).
-
Please describe any restrictions on targeted advertising and/or cross-contextual behavioral advertising. How are these terms or any similar terms defined?
The PDPO does not include a definition for, nor specifically regulate, “targeted advertising” or “cross-contextual behavioural advertising”, although the PCPD has provided guidance on online behavioural tracking. Also, direct marketing without consent is an offence in Hong Kong.
As noted in question 26 above, there are no restrictions on online tracking for advertising or marketing purposes. However, organisations carrying out such activities should adopt the following best practices in compliance with the requirements under the PDPO (including the DPPs):
- inform users what type of information is being collected or tracked by them, the purpose of collection, how the information is collected, whether the information will be transferred to third parties (and, if so, the third party and the purpose of the transfer), whether the information will be combined with other information to track/profile users and for how long the information will be kept;
- inform users whether any third-party is collecting or tracking their behavioural information. As the organisation engages the third-party to collect or track user behaviour, it is the organisation’s responsibility to understand from the third-party what information is being collected and the means by which the information is collected. Organisations should inform users of the nature of such third-parties, purpose and means of collection, retention period and whether such information collected would be further transferred to other parties by the third party; and
- respect any user’s wish not to be tracked or to offer users a way to opt out of the tracking (especially if this is conducted by third-parties) and inform them of the consequence of opting out. If it is not possible to opt out of tracking while using the website, explain why this is not possible so that website users can decide whether to continue using the website.
-
Please describe any data protection laws in your jurisdiction addressing the sale of personal data. How is the term “sale” or such related terms defined, and what restrictions are imposed, if any?
Although the sale of personal data is not specifically prohibited by the PDPO, it would not normally be regarded as the original purpose of data collection or a directly-related purpose. In these circumstances, explicit and voluntary consent from the data subject must be sought in compliance with DPP3. Consent may be indicated by a signature or a tick box.
-
Please describe any data protection laws in your jurisdiction addressing telephone calls, text messaging, email communication, or direct marketing. How are these terms defined, and what restrictions are imposed, if any?
Direct marketing
The PDPO contains express provisions related to the use of personal data for direct marketing. The PDPO defines “direct marketing” as:
- the offering, or advertising of the availability, of goods, facilities or services; or
- the solicitation of donations or contributions for charitable, cultural, philanthropic, recreational, political or other purposes,
through “direct marketing means”.
“Direct marketing means” are in turn defined as:
- sending information or goods, addressed to specific persons by name, by mail, fax, e-mail or other means of communication; or
- making telephone calls to specific persons.
It does not include communications that are not directed to a specific individual, e.g. a marketing call to the unidentified owner of a particular telephone number (which is regulated under the Unsolicited Electronic Messages Ordinance (Cap. 593)).
Using personal data for direct marketing purposes
The PDPO places detailed prescriptions on the manner in which personal data can be used for direct marketing, the information that a data user must provide to the data subject in order to be able to use the personal data for direct marketing, and the express prior consent that the data user must obtain from a data subject in order to be able to use personal data for direct marketing purposes.
The PCPD has made clear that sending individuals an opt-out message is not a valid channel of obtaining consent.
If the data subject subsequently requires the data user to stop using his personal data for direct marketing purposes, the data user must immediately stop that use (s.35G of the PDPO). The data subject should be informed of this right on the first occasion that the data user contacts the data subject for direct marketing purposes (s.35F of the PDPO).
Provision of Personal Data to a Third Party for Direct Marketing Purposes
A data user must also not provide personal data to a third party for its direct marketing use without the data subject’s informed written consent (s.35K of the PDPO), having notified the data subject of various factors relating to the proposed transfer and use of the personal data (pursuant to s.35J of the PDPO).
-
Please describe any data protection laws in your jurisdiction addressing biometrics, such as facial recognition. How are such terms defined, and what restrictions are imposed, if any?
Biometric data falls within the definition of personal data for the purposes of the PDPO, both in the form of physiological data with which individuals are born and behavioural data developed by an individual after birth. It is potentially sensitive data, and any disclosure could lead to harm to the data subject. Persons collecting and / or using (or controlling) biometric data must therefore comply with the PDPO as data users.
The PCPD has issued Guidance on Collection and Use of Biometric Data (https://www.pcpd.org.hk//english/resources_centre/publications/files/GN_biometric_e.pdf), including several recommendations on how to handle and keep biometric data in compliance with the PDPO and DPPs (including, for example, to conduct a privacy impact assessment prior to collecting biometric data, to encrypt biometric data both at rest and in transit, and to restrict access to biometric data to authorised persons on a need-to-know basis).
-
Please describe any data protection laws in your jurisdiction addressing artificial intelligence or machine learning (“AI”).
There is no direct regulation under PDPO addressing AI. Given the increasing popularity of AI, the PCPD has published the Guidance on the Ethical Development and Use of Artificial Intelligence (https://www.pcpd.org.hk/english/resources_centre/publications/files/guidance_ethical_e.pdf) to assist organisations in adhering to international principles in the development and use of AI.
The PCPD has also published a leaflet entitled 10 TIPS for Users of AI Chatbots, which aims to help users protect their personal data privacy and provide tips on the safe use of AI chatbots.
The Office of the Government Chief Information Officer (the OGCIO) has formulated an Ethical Artificial Intelligence Framework in consultation with the PCPD and by reference to the PCPD’s AI Guidance. The Ethical AI Framework aims to provide Hong Kong Government bureaux and departments with guidance when implementing projects that involve the use of AI technology, and to identify and manage the potential risk of the relevant project and other issues (such as privacy, data security and management, etc.).
-
Is the transfer of personal data outside your jurisdiction restricted? If so, please describe these restrictions and how businesses typically comply with them (e.g., does a cross-border transfer of personal data require a specified mechanism or notification to or authorization from a regulator?)
Section 33 of the PDPO restricts cross-border transfers of personal data, but this provision has never been brought into force. In a briefing to the Hong Kong Legislative Council on 20 February 2023, the PCPD made no mention of the timeline for the implementation of this provision. Data users must therefore comply with their other obligations under the PDPO in any such transfer, including obtaining consent for the proposed use and transfer of personal data. The PCPD has issued the Guidance on Personal Data Protection in Cross-border Data Transfer (https://www.pcpd.org.hk//english/resources_centre/publications/files/GN_crossborder_e.pdf) which serves as a practical guide for data users to prepare for the future implementation of section 33.
To help data users enter into clear agreements for cross-border personal data transfers in compliance with the requirements of the PDPO and good data ethics, the PCPD issued the Guidance on Personal Data Protection in Cross-border Data Transfer in December 2014 (https://www.pcpd.org.hk/english/resources_centre/publications/files/GN_crossborder_e.pdf) and the Guidance on Recommended Model Contractual Clauses for Cross-border Transfer of Personal Data in May 2022 (https://www.pcpd.org.hk/english/resources_centre/publications/files/guidance_model_contractual_clauses.pdf) for data users’ reference.
For data flow within the Guangdong-Hong Kong-Macao Greater Bay Area, the PCPD has recommended that individuals and organisations adopt the “Standard Contract for the Cross-boundary Flow of Personal Information within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong)” (the GBA Standard Contract) (https://www.pcpd.org.hk/english/data_privacy_law/mainland_law/files/gba_sc.pdf), formulated jointly by the Hong Kong Innovation, Technology and Industry Bureau (the ITIB), the Cyberspace Administration of China (the CAC) and the PCPD. The GBA Standard Contract aims to promote the safe and orderly cross-boundary flow of personal information within the GBA (https://www.pcpd.org.hk//english/resources_centre/publications/files/standard_contract_gba.pdf).
Adoption of a GBA Standard Contract is voluntary. Individuals and organisations within Mainland China or Hong Kong may enter into a GBA Standard Contract, in accordance with the Implementation Guidelines for Standard Contract for the Cross-boundary Flow of Personal Information within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong) (https://www.ogcio.gov.hk/en/our_work/business/cross-boundary_data_flow/doc/gbascc00_gn_scc_en.pdf), using a standard form to outline the obligations and responsibilities of both contractual parties in protecting the personal information being transferred across the boundary.
The GBA Standard Contract applies to personal information processors and recipients that are registered in Mainland cities within the GBA (i.e. Guangzhou, Shenzhen, Zhuhai, Foshan, Huizhou, Dongguan, Zhongshan, Jiangmen and Zhaoqing) and that conduct cross-boundary flows of personal information between these Mainland cities and Hong Kong. The personal information processor, by entering into a GBA Standard Contract, may provide personal information across the boundary but may not onward transfer the information outside the GBA.
-
What security obligations are imposed on data controllers and processors, if any, in your jurisdiction?
DPP4 requires data users to “take all practicable steps” to protect personal data from unauthorised or accidental access, processing, erasure, loss or use. It does not impose an obligation to actually prevent such events occurring.
In determining what constitutes practicable steps, the data user should consider:
- The nature of the data and the damage that could result from unauthorised or accidental access, processing, erasure, loss, or use;
- The physical location of the data;
- Any physical security measures available for the equipment storing personal data;
- Any measures for ensuring the integrity, discretion, and competence of those with access to the data; and
- Any measures for ensuring secure transmission of the data.
-
Do the data protection laws in your jurisdiction address security breaches and, if so, how do such laws define a “security breach”?
There is no statutory definition of ‘security breaches’. The PCPD’s previous Guidance on Data Breach Handling and the Giving of Breach Notifications (https://www.pcpd.org.hk/english/resources_centre/publications/files/DataBreachHandling2015_e.pdf) explains that a ‘security breach’ is “generally taken to be a suspected breach of data security of personal data held by a data user, exposing the data to the risk of unauthorised or accidental access, processing, erasure, loss or use” and may amount to a contravention of DPP4(1) and (2). The PCPD’s updated Guidance issued in June 2023 does not define a “security breach” but defines “data breach” to include a “suspected or actual breach of the security of personal data”.
See question 18 above for further consideration of the PCPD’s new guidance issued in June 2023 in relation to a data breach.
-
Does your jurisdiction impose specific security requirements on certain sectors, industries or technologies (e.g., telecom, infrastructure, AI)?
Given the general scheme of the PDPO, several sectors and industries impose their own additional data security obligations. These include banking and financial services, insurance and telecommunications, which have their own codes of practices and guidelines published by the PCPD and their own sector specific regulations.
Banking and financial services
PCPD
The PCPD has published a Code of Practice on Consumer Credit Data (https://www.pcpd.org.hk/english/data_privacy_law/code_of_practices/files/CCDCode_2013_e.pdf) (which provides practical guidance to data users in handling the collection, accuracy, use, security and access, and correction related to personal data of applicants for consumer credit), and Guidance on the Proper Handling of Customers’ Personal Data for the Banking Industry (https://www.pcpd.org.hk//english/resources_centre/publications/files/GN_banking_e.pdf) (which provides practical guidance to the banking industry on understanding and complying with relevant data protection requirements under the PDPO, and suggested best practice for the collection, accuracy, retention, use, security of and access to customers’ personal data).
HKMA
The Hong Kong Monetary Authority (HKMA) has issued several Circulars (https://www.hkma.gov.hk/eng/regulatory-resources/regulatory-guides/by-subject-current/technology-risk-management/?&t=1679558501964) related to technology risk management to provide guidance and reminders in relation to the technological security requirements and controls to be observed by authorised financial institutions.
The HKMA has also issued Guidance on Cloud Computing, which addresses the increased cyber risks arising from authorised institutions deploying cloud services for more important functions (https://www.hkma.gov.hk/media/eng/doc/key-information/guidelines-and-circular/2022/20220831e1.pdf).
SFC
The Securities and Futures Commission (SFC) has also issued guidance and FAQs (https://www.sfc.hk/en/Regulatory-functions/Intermediaries/Supervision/Search-regulations-by-topic/Cybersecurity) and circulars on cybersecurity most recently in relation to the following topics:
- internet trading (https://apps.sfc.hk/edistributionWeb/gateway/EN/circular/intermediaries/supervision/doc?refNo=20EC58),
- remote office arrangements (https://apps.sfc.hk/edistributionWeb/gateway/EN/circular/intermediaries/supervision/doc?refNo=21EC41),
- use of external electronic data storage – circular and a set of accompanying FAQs (https://apps.sfc.hk/edistributionWeb/gateway/EN/circular/intermediaries/supervision/doc?refNo=19EC59 and https://www.sfc.hk/en/faqs/intermediaries/supervision/Use-of-External-Electronic-Data-Storage/Use-of-External-Electronic-Data-Storage),
- risks of business email compromise (https://apps.sfc.hk/edistributionWeb/gateway/EN/circular/intermediaries/supervision/doc?refNo=22EC25), and
- online brokerage, distribution and advisory services (https://apps.sfc.hk/edistributionWeb/gateway/EN/circular/suitability/doc?refNo=22EC52).
The SFC’s Code of Conduct for Persons Licensed by and Registered with the Securities and Futures Commission (https://www.sfc.hk/-/media/EN/assets/components/codes/files-current/web/codes/code-of-conduct-for-persons-licensed-by-or-registered-with-the-securities-and-futures-commission/Code_of_conduct_05082022_Eng.pdf?rev=0fd396c657bc46feb94f3367d7f97a05) (last updated in January 2024) provides specific provisions relating to information security, including section 12.5 (requiring a licensed or registered person to report to the SFC immediately upon “any material failure, error or defect in the operation or functioning of its trading, accounting, clearing or settlement systems or equipment”) and section 18.5 (requiring a licensed or registered person to ensure the integrity and security of any electronic trading system it uses or provides to clients). The SFC has also stated its expectation that a licensed or registered person should report a “material cybersecurity breach”.
Whether a security breach must be notified to the SFC will therefore depend on the extent and impact of the breach. A licensed or registered person may choose to notify the SFC of a breach voluntarily, particularly given the SFC’s recent attention to cybersecurity in thematic reviews and regulatory audits.
Hong Kong Government
The OGCIO has formulated a set of comprehensive Government IT Security Policy and Guidelines (https://www.ogcio.gov.hk/en/our_work/information_cyber_security/government/), setting out the requirements for establishing, implementing, maintaining and continuously improving the information security management system for all bureaux/departments to follow. The OGCIO has uploaded the Policy and Guidelines to the Internet for reference by all public and private organisations.
Insurance
The PCPD has published Guidance on the Proper Handling of Customers’ Personal Data for the Insurance Industry (https://www.pcpd.org.hk//english/resources_centre/publications/files/GN_insurance_e.pdf), which provides practical guidance to insurance institutions on complying with the PDPO and DPPs when handling data in their business operations, for example in the collection of customers’ medical data and PII, and in the engagement of private investigators in insurance claims.
The Insurance Authority has also issued the Guideline on Cybersecurity (https://www.ia.org.hk/english/legislative_framework/files/GL20.pdf), which outlines the minimum standards that authorised insurers are expected to meet in relation to the handling of personal data of existing or potential policyholders. Whilst these Guidelines do not have the force of law, they are taken into account by the Insurance Authority when considering the fitness and properness of the directors or controllers of authorised insurers to which the Guidelines apply, and non-compliance may impact upon this. In particular, the Guideline sets out that authorised insurers are expected to put in place and maintain a cybersecurity strategy and framework. There are also sector-specific guidelines, such as the Guideline on Medical Insurance Business (https://www.ia.org.hk/english/legislative_framework/files/GL31.pdf), which advises that authorised insurers and licensed insurance intermediaries should “at all times, exercise due care and diligence in collecting, handling, storing, using, transferring and erasing customers’ personal data” and comply with the PDPO and its guidance.
Telecommunications
The PCPD has published the Guidance for Mobile Service Operators (https://www.pcpd.org.hk//english/resources_centre/publications/files/MSO_e.pdf), providing practical guidance to mobile service operators to comply with the PDPO in their business operations e.g. collection of personal data when handling mobile phone service applications, maintenance of customers’ service accounts and relevant retention/change of customers’ personal data etc.
The Office of the Communications Authority has also issued the Guidelines on the Security Aspects for the Design, Implementation, Management and Operation of Public Wi-Fi Service (https://www.coms-auth.hk/filemanager/statement/en/upload/388/gn182016e.pdf), aimed at operators providing “adequate security measures in their networks to protect user data communications” including protecting the confidentiality and integrity of user data (among other things).
Information and Communications Technology
The PCPD has published the Guidance Note on Data Security Measures for Information and Communications Technology (https://www.pcpd.org.hk/english/resources_centre/publications/files/guidance_datasecurity_e.pdf), providing data users with recommended data security measures such as risk assessments, data governance and organisational measures, and technical and operational security measures for the ICT industry to facilitate their compliance with the relevant requirements under the PDPO. It also provides data users with pointers towards good practices in strengthening their data security systems.
Human Resource Management
The PCPD has issued the Code of Practice on Human Resource Management (https://www.pcpd.org.hk/english/ordinance/files/ehrm_e.pdf) and an information leaflet on Human Resource Management: Common Questions (https://www.pcpd.org.hk//english/resources_centre/publications/files/Some_Common_Question_Eng.pdf) to provide practical guidance to data users performing human resource management functions and activities. Non-compliance with any mandatory provisions of the Code will count unfavourably against the data user both in any investigation before the PCPD, and in any judicial case related to any alleged breach of the PDPO.
The PCPD has also issued the Guidance for Employers on Collection and Use of Personal Data of Employees during COVID-19 Pandemic (https://www.pcpd.org.hk/english/resources_centre/publications/files/covid19_pandemic.pdf) regarding the collection and use of personal data of employees. The guidance provides various recommendations with the aim to help employers and employees to understand the employers’ obligations under the PDPO when it comes to the collection and use of employees’ health data in the context of the COVID-19 pandemic.
Health data
The PCPD has published the Personal Data (Privacy) Ordinance and Electronic Health Record Sharing System (Points to Note for Healthcare Providers and Healthcare Professionals) (https://www.pcpd.org.hk/english/resources_centre/publications/files/eHRSS_Points_to_Notes_ENG.pdf), providing practical guidance to public and private healthcare providers in the handling, accessing and sharing of patients’ personal data through the Electronic Health Record Sharing System in compliance with the PDPO.
Property management
The PCPD has published the Guidance for Property Management Sector (https://www.pcpd.org.hk/english/resources_centre/publications/files/property_e.pdf) to assist property management bodies in understanding and complying with the PDPO in specific situations which may arise during their operations.
AI
There is no express regulation of the use of AI under the PDPO. Given the increasing popularity of AI, the PCPD has published the Guidance on the Ethical Development and Use of Artificial Intelligence (https://www.pcpd.org.hk/english/resources_centre/publications/files/guidance_ethical_e.pdf) to assist organisations in adhering to international principles in the development and use of AI. The PCPD has also published a leaflet entitled 10 TIPS for Users of AI Chatbots (https://www.pcpd.org.hk/english/resources_centre/publications/files/ai_chatbot_leaflet.pdf), which aims to help users of AI protect their personal data privacy and provide tips on the safe use of AI chatbots.
The Office of the Government Chief Information Officer (the OGCIO) has formulated the Ethical Artificial Intelligence Framework having consulted the PCPD and drawn reference to the PCPD’s AI Guidance. The aim is to provide Hong Kong Government bureaux and departments with guidance when implementing projects that involve the use of AI technology, and to identify and manage the potential risk of the relevant project and other issues (such as privacy, data security and management, etc.).
Electronic food ordering at restaurants
The PCPD has issued a leaflet on Food Ordering Using Mobile Apps or QR Codes at Restaurants: Tips for Protecting Privacy containing tips on protecting privacy in electronic food ordering at restaurants (https://www.pcpd.org.hk/english/resources_centre/publications/files/foodordering_leaflet.pdf).
-
Under what circumstances must a business report security breaches to regulators, impacted individuals, law enforcement, or other persons or entities? If breach notification is not required by law, is it recommended by the applicable regulator in your jurisdiction, and what is customary in this regard in your jurisdiction?
There is no legal requirement under the PDPO to report security breaches to the PCPD. The PCPD has recommended that businesses should report a data security breach as part of proper data breach handling. Please see question 18 above.
The PCPD is considering with the HKSAR Government whether to introduce mandatory data breach notification obligations. See questions 2 and 18 above.
Businesses may also face sector-specific breach notification obligations under applicable regulations, such as the SFC. See question 35 above.
-
Does your jurisdiction have any specific legal requirements or guidance for dealing with cybercrime, such as in the context of ransom payments following a ransomware attack?
There is no single piece of legislation in Hong Kong that deals specifically with cybercrime. Section 161 of the Crimes Ordinance (Cap. 200) creates the offence of access to a computer with criminal or dishonest intent, which includes “obtain[ing] access to a computer” with a dishonest intent or with a view to dishonest gain.
The official position of Hong Kong law enforcement authorities is that they do not recommend paying a ransom. However, there is no law in Hong Kong specifically prohibiting the payment of ransoms.
Section 25 of the Organised and Serious Crimes Ordinance (Cap. 455) (OSCO) makes it an offence for any person (including a victim) to deal with property, which includes making a payment, knowing or having reasonable grounds to believe that the property represents the proceeds of an indictable offence.
In HKSAR v Tsang Wai Lun Wayland and others [2014] 4 HKC 101, the Court of Final Appeal held that “proceeds of an indictable offence” does not include ‘clean’ money intended to be used as an instrument for committing an indictable offence. However, if there is a relationship of ‘reward’ linking the payment and the commission of the offence, the payment may qualify under OSCO. There is therefore a risk that a ransom payment may be treated as “proceeds of an indictable offence” if it is paid in the knowledge that it is a reward to the attacker in exchange for a decryption key or the release of data.
The specific application of s.25 OSCO to a cyber ransom payment has not yet been tested in the Hong Kong courts. However, Hong Kong generally follows the common law, and the English Court of Appeal has held that a ransom payment only becomes criminal property in the hands of the recipient (in the case of a cyberattack, the threat actors), rather than while in the hands of the payer (R v L & Ors [2005] EWCA Crim 1579, dealing with the position under s.327 of the English Proceeds of Crime Act 2002).
That said, section 25A OSCO provides a defence to a prosecution under s.25 OSCO if the victim discloses the intended payment to an “authorised officer” (i.e. the Hong Kong Police) in advance and obtains consent to proceed, or if the victim discloses the payment to an authorised officer on its own initiative as soon as it is reasonable to do so after making it.
A person considering paying a ransom must also check the relevant sanctions lists to ensure that the recipient is not a known terrorist organisation or a sanctioned person, since a payment to such a recipient may itself be an offence regardless of the position under OSCO.
There are also industry-specific data breach notification requirements. Please see question 35 above.
-
Does your jurisdiction have a separate cybersecurity regulator? If so, please provide details.
No. The Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT), the Hong Kong Police Force’s Cyber Security and Technology Crime Bureau (CSTCB) and the Anti-Deception Coordination Centre (ADCC) have been established to help victims of cybercrime, but none of them is a cybersecurity regulator.
The Hong Kong Police Force maintains an e-Crime Processing and Analysis Hub (e-Hub) to provide a one-stop platform for receiving cybercrime and deception reports, correlation analysis and case referral, aiming at enhancing the effectiveness in processing these reports.
-
Do the data protection laws in your jurisdiction provide individual data privacy rights, such as the right to access and the right to deletion? If so, please provide a general description of such rights, how they are exercised, any exceptions and any other relevant details.
Yes. Data subjects are entitled to information and other specific rights under the PDPO and DPPs.
DPP5 provides a right of access to information by requiring that all practicable steps must be taken to ensure that a data subject can be informed of the kinds of personal data a data user holds and the main purposes for which this data is or is to be used.
DPP6 also provides a data subject with the right to:
- ascertain whether a data user holds personal data of which s/he is the data subject;
- request access to personal data, within a reasonable time, for a fee which is not excessive, in a reasonable manner and in a form that is intelligible;
- request the correction of personal data; and
- object to any refusal of access.
Part 5 of the PDPO sets out detailed provisions on the manner and timeframe for complying with data access and correction requests. A data user must comply with a data access or correction request within 40 days of receipt. If the data user is unable to comply within this period, it must give the data subject written notice of that inability and the reasons for it, and must then comply with the request as soon as practicable (ss.19 and 23 of the PDPO).
Data subjects have a right to withdraw their consent to using their personal data for direct marketing purposes at any time, and the data user must comply by stopping all such use of their personal data (s.35G of the PDPO).
There is no specific right under the PDPO to request deletion of data, but data users are required to take all practicable steps to erase personal data when it is no longer required for the purposes for which it was collected or used, unless erasure is prohibited by law or it is in the public interest not to erase the data (s.26(1) of the PDPO).
Sections 20 and 24 of the PDPO set out the circumstances in which a data user may refuse to comply with a data access or correction request, for example where the data subject does not supply enough information to verify his/her identity. A data user may also refuse to comply with a data access or correction request where:
- it is not supplied with enough information to locate the applicable personal data;
- the request is not made in writing in Chinese or English;
- the request follows two or more similar requests and it is unreasonable for the data user to comply with the request;
- (concerning data access requests) the request is not made on the specified Data Access Request Form;
- (concerning data correction requests) the data user is not supplied with information as it may reasonably require to ascertain the relevant personal data’s inaccuracy, or that the correction is accurate; or
- any of the exemptions specified under Part 8 of the PDPO applies.
The PCPD has published Guidance Notes on the Proper Handling of Data Access Request and Charging of Data Access Request Fee by Data Users (https://www.pcpd.org.hk//english/resources_centre/publications/files/dar2020_e.pdf), and the Proper Handling of Data Correction Request by Data Users (https://www.pcpd.org.hk//english/resources_centre/publications/files/dcr_e.pdf).
-
Are individual data privacy rights exercisable through the judicial system, enforced by a regulator, or both?
Individual data privacy rights can be enforced by either:
- the PCPD, who carries out investigations upon data subjects’ complaints on possible breaches of their rights in handling their personal data; or
- a data subject through the civil courts, where the data subject can show that he/she has suffered damage as a result of a data user’s contravention of the PDPO. This can prove difficult in practice, since Hong Kong has no class action regime and an individual’s loss may not be sufficient to justify bringing a claim.
-
Do the data protection laws in your jurisdiction provide for a private right of action and, if so, under what circumstances?
Yes. Section 66 of the PDPO provides that a data subject may commence civil proceedings against a data user who contravenes the PDPO to seek compensation if they can show that the contravention caused damage.
-
Are individuals entitled to monetary damages or compensation if they are affected by breaches of data protection law? Does the law require actual damage to have been sustained, or is injury to feelings, emotional distress or similar sufficient for such purposes?
Yes. The general rule is that damages must compensate for actual loss, but s.66(2) of the PDPO also allows for claims for damages in respect of injury to feelings. The quantum of damages is fact-sensitive to be decided in each case.
-
How are data protection laws in your jurisdiction enforced?
Generally, data protection laws are enforced by the PCPD which exercises both investigative and enforcement powers. Responsibility for enforcement of cybersecurity related criminal laws mainly falls to the Hong Kong Police Force, particularly the CSTCB. The Hong Kong Police Force also has close ties with Interpol to assist with cross-border enforcement.
The PCPD’s investigative powers
The PCPD may conduct an investigation where it (i) receives a complaint on a possible breach of PDPO; or (ii) has reasonable grounds to believe that there may be a contravention of the PDPO (s.38 of the PDPO). Although the PCPD has a statutory obligation to conduct an investigation upon receipt of a complaint, the PCPD may refuse to conduct, or can decide to terminate, an investigation initiated by a complaint under certain circumstances (s.39 of the PDPO) including:
- the complainant has known about the act complained of for more than 2 years immediately preceding the date of receipt of the complaint;
- the complaint is made anonymously;
- the complaint is substantially similar in nature to a previously initiated investigation in which the PCPD found no contravention of PDPO; or
- the PCPD is of the opinion that an investigation is unnecessary.
In practice, before starting a formal investigation the PCPD may conduct an informal ‘compliance check’.
The PCPD has a range of formal investigative powers, including power to enter premises for investigation with a warrant or with prior written notice (s.42 of the PDPO) and to require production of documents for the purpose of an investigation (s.44 of the PDPO). The PCPD may also carry out proactive inspections of any personal data system for the purpose of making recommendations to a data user (s.36 of the PDPO). The Amendment Ordinance also contains additional investigation powers in respect of the two-tier doxxing offences. The PCPD may issue written notices to persons who may be able to assist the PCPD’s investigation to require the provision of materials and assistance (s.66D of the PDPO). The PCPD may also enter premises for investigation without a warrant and seize evidence stored on electronic devices (including the power to access, seize, decrypt, search and reproduce the device) (s.66G of the PDPO).
The PCPD’s enforcement powers
The PCPD generally has no direct power to sanction a breach of a DPP, although breach of certain provisions of the PDPO (about which see question 44 below) is a criminal offence, punishable by fines and/or imprisonment. This includes where a data user contravenes the requirements of an enforcement notice. Where a breach of a section of the PDPO is a criminal offence, the PCPD may refer the matter to the Hong Kong Police Force to investigate.
The PCPD is considering with the HKSAR Government whether to introduce a direct administrative fining power for the PCPD.
The PCPD may publish enforcement reports of its investigations or inspections (on its website) if it considers that it is in the public interest to do so (s.48(2) of the PDPO). If the PCPD finds a breach of the PDPO after conducting an investigation, it may issue a written enforcement notice requiring the data user to take remedial or preventive steps (s.50 of the PDPO).
If a data subject has suffered damage from a breach of the PDPO, the PCPD may also grant legal assistance to a data subject to institute proceedings against the relevant data user for compensation (s.66B of the PDPO).
An officer authorised by the PCPD may, without warrant and with the use of reasonable force, stop, search and arrest any person whom the officer reasonably suspects to have committed doxxing-related offences under the PDPO.
-
What is the range of sanctions (including fines and penalties) for violation of data protection laws in your jurisdiction?
Sanctions under the PDPO
Depending on the section of the PDPO contravened, a person committing an offence may be liable to a maximum fine of between HKD10,000 and HKD1,000,000 (approx. US$1,300 to US$130,000) and/or a maximum term of imprisonment of between 6 months and 5 years.
Below are some examples of criminal offences under the PDPO and their respective penalties:
- a data user using personal data in direct marketing without the data subject’s consent (s.35E(4) of the PDPO) or without giving notice to the data subject (s.35C(5) of the PDPO) is liable to a fine of up to HKD500,000 and imprisonment for up to 3 years;
- a data user providing personal data to a third party for direct marketing purposes in exchange for gain, without giving notice to the data subject, is liable to a fine of up to HKD1,000,000 and imprisonment for up to 5 years (s.35J of the PDPO);
- a data user contravening an enforcement notice is liable to (s.50A of the PDPO):
- on first conviction – a fine of up to HKD50,000 and imprisonment for up to 2 years, and a daily penalty of HKD1,000 if the offence continues; and
- on subsequent convictions – a fine of up to HKD100,000 and imprisonment for up to 2 years, and a daily penalty of HKD2,000 if the offence continues;
- a data user failing to comply with the requirements of the PCPD in exercising its powers under the PDPO is liable to a fine of up to HKD10,000 and imprisonment for up to 6 months (s.50B, PDPO); and
- any person who, without the consent of the data user, discloses personal data obtained from that data user with intent to gain or to cause loss to the data subject, or where the disclosure causes psychological harm to the data subject, is liable to a fine of up to HKD1,000,000 and imprisonment for up to 5 years (s.64 of the PDPO).
Doxxing offence
The sanctions introduced by the Amendment Ordinance in relation to the two-tier doxxing offences are set out in question 1 above. From the effective date (8 October 2021) of the relevant provisions to 31 December 2023, the PCPD initiated 254 criminal investigations, and 63 cases were referred to the Hong Kong Police Force for further follow-up actions. The PCPD has also mounted a total of 42 arrest operations in the same period (including three arrests made as joint operations with the Hong Kong Police Force) and arrested 43 suspects.
As at the end of the first quarter of 2024, there were 6 reported convictions for doxxing offences. The PCPD reported that the number of doxxing messages on the Internet had fallen by around 80%, which it attributes to its efforts in combatting doxxing acts.
Sanctions under various statutory provisions concerning cybersecurity
Contravention of the statutory provisions concerning cybersecurity carries a range of punishments that can be severe, depending on the seriousness of the crime, for example:
- Knowingly causing a computer, by telecommunications, to perform a function to obtain unauthorised access to any program or data held in another computer (s.27A Telecommunications Ordinance (Cap 106)) carries a maximum penalty of a fine of HKD20,000;
- Destroying or damaging any program or data held on a computer or computer storage medium (criminal damage, s.60 Crimes Ordinance (Cap 200)) carries a maximum penalty of 10 years’ imprisonment;
- Obtaining access to a computer with a view to dishonest gain (s.161(1) Crimes Ordinance (Cap 200)) carries a maximum penalty of 5 years’ imprisonment; and
- Theft of computer data (s.9 Theft Ordinance (Cap 210)) and false accounting (s.19) carry maximum penalties of 10 years’ imprisonment, whilst burglary (s.11), fraud (s.16A) and blackmail (s.23) carry maximum penalties of 14 years’ imprisonment.
-
Are there any guidelines or rules published regarding the calculation of such fines or thresholds for the imposition of sanctions?
The PCPD has prepared a table (https://www.pcpd.org.hk/misc/files/table2_e.pdf) summarising the various offences under PDPO and their respective penalties.
Industry-specific regulators also have their own powers to enforce any breach of their own regulatory framework, and to impose sanctions applicable to the relevant regulatory breach.
-
Can controllers operating in your jurisdiction appeal to the courts against orders of the regulators?
An appeal against an enforcement notice issued by the PCPD can be made to the Administrative Appeals Board, a statutory appeal tribunal rather than a court, within 14 days after the notice is served (s.39 of the PDPO).
-
Are there any identifiable trends in enforcement activity in your jurisdiction?
In briefings to the Hong Kong Legislative Council in 2024, the PCPD stated that the following, among other matters, form part of its strategic focus for 2024:
- robust enforcement – the PCPD will strengthen its internal training on cyber-crime investigation and digital forensic examination to ensure that it can more effectively conduct criminal investigation and collection of evidence on a “one-stop” basis. In parallel, it will continue to raise public awareness through promotion and education to curb doxxing acts. It will also proactively carry out compliance checks and investigations;
- promoting data security, strengthening education – the PCPD launched the Data Security thematic webpage, a “Data Security Scanner” and the data security hotline in 2023. The PCPD will continue with its publicity and public education work in different aspects and scales, including using data security as the theme in the annual flagship event “Privacy Awareness Week”;
- addressing the challenges posed by the development of emerging technologies – the PCPD intends to publish an AI governance framework in 2024, together with a compliance check report on the processing of personal data in the development or use of AI systems, and to provide practical advice to organisations from the perspective of personal data protection. The PCPD also issued leaflets on the use of smartphones (https://www.pcpd.org.hk/english/resources_centre/publications/files/leaflet_smartphones_e.pdf) and social media (https://www.pcpd.org.hk/english/resources_centre/publications/files/smart_on_socialmedia.pdf) in March 2024, and will continue to advocate the implementation of a Personal Data Privacy Management Programme in 2024; and
- legislative amendments to the PDPO – the PCPD and the Government will consult the Legislative Council Panel on Constitutional Affairs on the specific legislative proposals concerning the PDPO at an appropriate juncture (without setting a specific timeframe).
-
Are there any proposals for reforming data protection laws in your jurisdiction currently under review? Please provide an overview of any proposed changes and the legislative status of such proposals.
Proposed amendments to the PDPO
The PDPO has been under review since the publication of a government paper in January 2020 (LC Paper No CB(2)512/19-20(03)), to strengthen the protection of data subjects. The proposed reforms include:
- establishing a mandatory data breach notification mechanism – to require the data user to (a) report data breaches to the PCPD as soon as practicable and, in any event, within five business days, and (b) notify the affected individuals where necessary;
- requiring data users to formulate an express and clear data retention policy – to specify a retention period for the personal data collected;
- empowering the PCPD to impose administrative fines for breaches of the PDPO – with fine levels scaled according to the annual turnover of the data user; and
- introducing direct regulation of data processors – to extend the obligation to protect personal data, currently imposed on data users, to data processors as well.
In February 2024, the PCPD provided the Legislative Council Panel on Constitutional Affairs with an update on the specific legislative proposals concerning the PDPO. However, the PCPD did not confirm whether the relevant legislative amendment exercise would be carried out within 2024.
Enactment of cyber-dependent crimes
Currently, no single ordinance in Hong Kong deals specifically with cybercrime.
On 20 July 2022, the Cybercrime Sub-committee of the Law Reform Commission published a consultation paper on cyber-dependent crimes and jurisdictional issues (https://www.hkreform.gov.hk/en/docs/cybercrime_e.pdf). The consultation paper sets out preliminary proposals for law reform by enacting a piece of bespoke legislation on cybercrime that will include the following five offences:
- illegal access to program or data;
- illegal interception of computer data;
- illegal interference with computer data;
- illegal interference with a computer system; and
- making available or possessing a device or data for committing a crime.
The purpose of the law reform is to address the challenges to the protection of individuals’ rights arising from the rapid development of information technology, computers and the internet, and the potential for these to be exploited to carry out criminal activities.
The consultation period ended on 19 October 2022. As at the end of the first quarter of 2024, the HKSAR Government had not yet given its official response to the consultation, nor had the Law Reform Commission published its consultation conclusions.
The consultation paper on cyber-dependent crimes and jurisdictional issues is the first part of the project. The second part will cover cyber-enabled crimes and attempt to address the macro challenges in the digital age, including data sovereignty, whereas the third part will deal with evidentiary and enforcement (procedural) issues.
There is currently no timetable on the publication of the remaining parts of the consultation papers. Anyone considering their rights and obligations under Hong Kong laws should check the status of the proposed amendments.
Hong Kong: Data Protection & Cybersecurity
This country-specific Q&A provides an overview of Data Protection & Cybersecurity laws and regulations applicable in Hong Kong.