The Personal Data (Privacy) Ordinance (Cap. 486) ("Ordinance") regulates the collection and handling of personal data. Enforcement is through the Office of the Privacy Commissioner for Personal Data ("PCPD").

The Ordinance was recently amended by the Personal Data (Privacy) (Amendment) Bill ("Bill") in July 2012. Most of the amendments introduced by the Bill came into force on 1 October 2012. However, two major areas, namely new restrictions against the use and provision of personal data in direct marketing and new powers of the PCPD to provide legal assistance to persons in civil proceedings, are not in force at the time of writing (but are expected to come into force in 2013).


"Personal Data" is defined in the Ordinance as any data:

  • relating directly or indirectly to a living individual;
  • from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and
  • in a form in which access to or processing to the data is practicable.


The concept of sensitive personal data does not apply in Hong Kong.


The Office of the Privacy Commissioner for Personal Data

The PCPD is responsible for overseeing compliance with the Ordinance.


Currently, there is no requirement for the registration of data users in Hong Kong.

However, under the Ordinance the PCPD has the power to specify certain classes of data users to whom registration and reporting obligations apply. Under the Data User Return Scheme ("DURS"), data users belonging to the specified classes are required to submit data returns containing prescribed information to the PCPD, which will compile them into a central register accessible by the public. However, at the time of writing, no register has been created to date. The PCPD has proposed to implement the DURS in phases, with the initial phase covering data users from the following sectors and industries:

  • the public sector;
  • banking, insurance and telecommunications industries; and
  • organisations with a large database of members (e.g. customer loyalty schemes).

A public consultation for the DURS by the PCPD was concluded in September 2011. The PCPD had originally planned to implement the DURS in the second half of 2013 but the exact time-frame for implementation has yet to be announced.


Currently, there is no requirement for data users to appoint a data protection officer in Hong Kong.


A data user may collect personal data from data subjects if:

  • the personal data is related to a function of the data user;
  • the collection is necessary, lawful and fair;
  • the data collected is not excessive; and
  • the data user has been informed of the following:
    • whether the provision of personal data by data subjects is mandatory and the consequence(s) for not supplying the data;
    • the purposes for which the data will be used;
    • the persons to whom the data may be transferred;
    • the data subjects' right to request for access and/or correction their personal data; and
    • the contact details of the person to whom requests for access or correction should be sent.

Data users may only use and process personal data for purposes for which the data was collected. Any usage of personal data for new purposes requires the prescribed consent of the data subject concerned.


Data users may not transfer personal data to third parties, unless the data subjects have been informed of the following before their personal data was collected:

  • that their personal data may be transferred; and
  • the classes of persons to whom the data may be transferred.

There are currently no restrictions for transfer of personal data outside of Hong Kong. Although such restrictions are set out in the Ordinance, they are currently not in force.


Data users are required by the Ordinance to take all practicable steps to protect personal data against unauthorised or accidental access or loss. The steps which are considered appropriate depend on the nature of the personal data and the harm that could result if data breaches or leaks were to occur.

Under the new amendments to the Ordinance, where the data user engages a data processor to process personal data on its behalf, the data user must use contractual or other means to:

  • prevent unauthorised or accidental access, processing, erasure, loss of use of the personal data; and
  • ensure that the data processor does not retain the personal data for longer than necessary.


Currently, there is no mandatory requirement for data users to notify authorities or data subjects about data breaches in Hong Kong.


The PCPD is responsible for enforcing the Ordinance. If a data user is found to have contravened the data protection principles of the Ordinance, the PCPD may issue an enforcement notice requiring the data user to take steps to rectify the contravention. Failure to abide by the enforcement notice is a criminal offence, punishable by a fine of up to HK$ 50,000 and imprisonment for up to 2 years. In the case of subsequent convictions, additional and more severe penalties apply. Contravention of other requirements of the Ordinance is also an offence.

In particular, breach of new provisions relating to direct marketing (which at the time of writing has yet to come into effect) is punishable by a fine of HK$ 1,000,000 and imprisonment of up to 5 years, depending on the nature of the breach.

In addition to criminal sanctions, data subjects aggrieved by contravention of the Ordinance may also seek compensation from the data user through civil action.


The Ordinance was amended in 2012 to include, amongst other things, provisions regulating the use and provision of personal data for purposes of direct marketing which may be conducted by any means (electronic or otherwise). These provisions are expected to come into effect some time in 2013.

The new amendments generally require data users who wish to either use or provide personal data for direct marketing purposes to make specific disclosures to the data subjects and obtain consents for such actions. The disclosures include:

  • a statement of intention to use/provide their personal data for direct marketing;
  • a statement that the data user may not use/provide the personal data without the data subjects' consent;
  • a dedicated channel via which the data subjects may give such consent;
  • the kind(s) of personal data to be used/provided;
  • the class(es) of persons to whom the personal data may be provided;
  • the class(es) of goods/services to be direct marketed; and
  • a statement that the personal data may be provided for gain, if applicable.

Furthermore, if the consent was given orally, data users have the additional obligation to send a written confirmation to the data subject confirming the particulars of the consent received. In addition, when data users use personal data for the purposes of direct marketing for the first time, they must inform the subjects that they may opt-out at any time, free of charge.


The principles as stated in the Ordinance also apply in the online environment. For example, under the Ordinance, data users have the obligation to inform data subjects of the purposes for collecting their personal data. If a website uses cookies to collect personal data from its visitors, this should be made known to them. Data users should also inform the visitors whether and how non-acceptance of the cookies will affect the functionality of the website.

© DLA Piper

This publication is intended as a general overview and discussion of the subjects dealt with. It is not intended to be, and should not used as, a substitute for taking legal advice in any specific situation. DLA Piper Australia will accept no responsibility for any actions taken or not taken on the basis of this publication.

DLA Piper Australia is part of DLA Piper, a global law firm, operating through various separate and distinct legal entities. For further information, please refer to