Data protection in Hong Kong – compliance with data protection principles as a success factor

published on 13 June 2023 | reading time approx. 5 minutes

Hong Kong's data protection law, the Personal Data (Privacy) Ordinance (PDPO), was adopted in 1995 and entered into force in December 1996. That makes it one of the oldest data protection laws in East Asia. In 2012 and 2021, the law was substantially amended and modified.

The PDPO's scope of application extends to both the private and public sectors. The law is technology-neutral, meaning that it is independent of the technology used in data processing. The law is based on six key data protection principles (DDPs), which regulate the collection, processing, and use of personal data.

To better understand the following remarks on the PDPO and DPPs, certain important terms used in the law are first defined in more detail.

Term	Definition according to PDPO
Personal data	Information that relates to a living person and can be used to identify that person Presence of the data in a form that practically allows access or its processing
Data subject	The person who is the subject of the personal data.
Data user	Person who, either alone or jointly with others, controls the collection, possession, processing, or use of personal data.
Data processing	In relation to personal data, the modification, completion, deletion, or transformation of the data by automated means or otherwise.
Data processor	Person who processes personal data on behalf of another person (a data user) and not for his or her own purposes No specific provisions for data processors in the PDPO Obligation for data users to ensure, by contractual or other means, that data processors (as third parties) comply with the provisions of the PDPO

The six data protection principles

Principle 1 – Purpose and method of collection

According to the first principle (DPP1), personal data may only be collected for a legitimate purpose that is directly related to a function or activity of the data user. The data collected must be necessary and adequate for that purpose and should not go beyond that purpose. Personal data must be collected by means that are lawful and reasonable under the circumstances.

When personal data is collected, the data subject must be informed whether the data is provided voluntarily or collected on a mandatory basis, for what purpose the data is used and to which groups of persons the data may be disclosed. The data subject must also be informed about his or her rights to access and to correct or rectify his or her data.

Principle 2 - Accuracy and duration of retention

Principle 2 (DDP2) requires data users to take all reasonable and practicable steps to ensure that personal data is accurate. In addition, it should be ensured that the data is not kept longer than is necessary to fulfill the purpose for which the data is used. If the data user engages a data processor, the data user must ensure that the data processor complies with the said retention period requirements. In this regard, it is important to note Article 26 PDPO, which requires data users to take all practicable steps to delete personal data that is no longer necessary for the purpose for which the data is used, unless deletion is prohibited by law or is not in the public interest.

Principle 3 - Use of data

Pursuant to Principle 3 (DPP3), personal data may not be used for new purposes that are inconsistent or unrelated to the original purpose for which the data was collected without the express and voluntary consent of the data subject. The data subject/individual may revoke previously given consent by written notice.

When using personal data for direct marketing purposes, there must be informed and explicit consent from the data subject. Being silent does not constitute consent. "Informed" consent means that consent must be given on an informed basis, i.e., the data user must inform the data subject about the purpose of the data use (direct marketing), the type of data to be used, the data subject's consent requirement, the right to revoke and other aspects of the intended data use. Failure to comply with the direct marketing/direct advertising regulations is a criminal offense and may be punishable by a fine of up to HK$500,000 and imprisonment for three years, or a fine of up to HK$1,000,000 and imprisonment for five years if the data has been disclosed to third parties for commercial purposes.

Principle 4 - Data security

Principle 4 (DPP4) sets out the requirements for data security. Data users are required to take all practicable steps to protect personal data in their possession against unauthorized or accidental access, processing, deletion, loss, or use. This includes consideration of the nature of the data, the potential damage in the event of a security incident, and measures to ensure the integrity, diligence, and competence of those authorized to access the data. Data users must contractually obligate data processors to comply with these requirements.

Principle 5 - Openness and transparency

Principle 5 (DPP5) requires data users to ensure that individuals are informed about the rules and practices for handling personal data. This includes disclosure of the type of personal data stored and the main purpose of its use by the data user.

Principle 6 - Access and correction

In accordance with Principle 6 (DPP6), data subjects have the right to request access to their own personal data. If the data is incorrect, it must be corrected at the data subject's request. Chapter 5 of the PDPO contains detailed rules in this regard, including the procedure for processing such requests, the time limits for processing, and the circumstances under which such a request may be refused.

Summary of the principles

The data protection principles aim to ensure that personal data is collected only with the informed consent of the data subject and in a fair and necessary manner. Collected data must be processed securely and kept only for the duration of the purposes for which it was collected. The use of data is limited to the original purpose and can only be changed or extended with the explicit consent of the data subject. Data subjects have the right to access their data and correct it.

Exceptions

The PDPO provides for exceptions to certain requirements, e.g., for the prevention and prosecution of criminal offenses, for the protection of public safety, for statistical and research purposes, and in the health care sector. In addition, exceptions may be granted by court order, e.g., for the exercise and defense of legal claims.

A data user may rely on an exception to avoid liability under the PDPO. It is important to note, however, that the existence of an exception is generally assessed on a case-by-case basis. Therefore, data users should not automatically assume that an exemption applies to them. It is advisable to carefully examine the individual circumstances and not routinely rely on the existence of an exception.

Office of the Privacy Commissioner for Personal Data as the competent authority

The PDPO provides for the establishment of the Office of the Privacy Commissioner for Personal Data as the public data protection authority. Possible violations of the PDPO by a data user may be reported by individuals to the Privacy Commissioner, who may further investigate and order or take remedial and/or preventive measures as he or she deems appropriate. Failure by a data user to comply with such orders constitutes a criminal offense and may be punishable by a fine or even imprisonment for up to two years. In addition, the PDPO itself contains penalty provisions in the event of a breach of its provisions, for example in Chapter 26 PDPO (deletion of personal data) or Chapter 64 (regulations on direct marketing). The Privacy Commissioner has the right to initiate criminal investigations on his or her own and, at his or her discretion, to involve the police or other authorities. The Privacy Commissioner may also proactively conduct inspections of data users.

Compensation for damages

If a data user violates the provisions of the PDPO and causes damage to a person as a result, the harmed person may claim compensation from the data user. In this regard, the data subject may also resort to the Privacy Commissioner. The Privacy Commissioner may, at his or her own discretion, provide legal assistance to the aggrieved party.

Practical implications

In practice, companies rarely have the opportunity to circumvent the collection of personal data in the course of their business activities. It is therefore advisable to establish an internal company data protection policy that reflects the requirements of the six data protection principles and implements them within the company. When engaging a data processor, it should also be ensured that the requirements of the data protection principles are reflected in a corresponding contract between the company as data user and the data processor. The data processor should be subject to the relevant obligations.