Hong Kong: The public debate on privacy issues: Hong Kong privacy law update

Last Updated: 17 August 2012
Article by Jill Wong

Reform of the Personal Data (Privacy) Ordinance - has the right balance been struck?

The Personal Data (Privacy) Ordinance (PDPO) was enacted in 1995 to protect privacy rights of individuals.  However, it is only in the past two years that privacy and data protection issues have been in the public eye.  The Privacy Commissioner (PCO) has been increasingly active, following what he has recently described as "a series of privacy catastrophes". Please see our Client Alert dated 3 November 2010 for comments on the Octopus and Wing Lung cases.

Media attention and public concerns have provided further impetus to the current efforts to reform the PDPO. After several public consultations, the Hong Kong Government introduced proposed amendments to the PDPO to Hong Kong lawmakers, by way of the Personal Data (Privacy) (Amendment) Bill (Bill), in July 2011. These amendments address a number of topical issues: direct marketing, the unauthorised sale or disclosure of personal data, repeat offenders and service providers who process personal data. However, the Bill does not include, as the PCO had hoped for, powers for the PCO to award compensation to aggrieved data subjects or impose fines for serious breaches of the data protection principles in the PDPO. It remains to be seen if lawmakers will take up these issues, or other issues which were initially discussed during the consultation process but dropped in the Bill.

Data subjects (individuals who provide personal data to others) will welcome the measures proposed by the Bill. However, data users (anyone who collects or uses personal data) will face more constraints on the ways in which they collect or use data, and will be liable to more serious sanctions. The question remains whether the right balance has been found, or whether there will be further changes during the course of the legislative process.

What are the material changes?

1. Tighter controls over the collection and use of personal data in direct marketing

Data subjects must be informed before their personal data is used for direct marketing and given an opportunity to object.  A data user who ignores objections will be subject to a fine of HK$500,000 and 3 years imprisonment.

2. Stiff penalties for questionable uses of personal data

The Bill addresses two suspect practices: (a) the sale of personal data without prior notice or in breach of an objection to the sale, and (b) disclosure of personal data for profit or malicious purposes without consent. The penalties are the same in both cases: a fine of HK$1,000,000 and 5 years imprisonment.

3. Expect more challenges from aggrieved data subjects

The Bill will empower the PCO to provide legal assistance to aggrieved data subjects in specified circumstances.

4. Heavier penalties for repeat offenders

Repeat offenders will be liable to increased fines and imprisonment.

5. Supervision of data processing

Data users who use third party service providers for data processing (data processors) will be required to ensure these data processors comply with the PDPO.

We look at these changes in more detail below.

Direct Marketing

There is already a provision dealing with direct marketing - section 34 of the PDPO.  After the Octopus incident, it became clear the provision did not adequately deter questionable practices.  In October 2010, the PCO issued a Guidance Note on the Collection and Use of Personal Data in Direct Marketing; the Bill now follows through with specific requirements for the use of personal data for direct marketing purposes.

Before personal data can be used or provided (otherwise than by sale) for direct marketing, the data subject must be informed about the following:

  • the kinds of personal data that will be used or provided;
  • the classes of persons to which the data will be provided; and
  • the classes of goods or services that will be marketed.

In addition, an "opt-out" mechanism for the data subject must be provided.  If the data subject objects, the data user will stop its use or provision of personal data.

Penalties for contravention will be a fine of HK$500,000 and imprisonment for 3 years.

Sale or Disclosure of Personal Data

These new provisions impose specific requirements on data users who sell personal data and will heavily penalise the unauthorised sale or disclosure of personal data.

Firstly, before a sale (defined as the provision of personal data for gain in money or other property) can occur, the same protective measures as for direct marketing must be implemented.  That is, the data subject must be informed about:

  • the kinds of personal data that will be sold;
  • the classes of persons to which the data will be sold; and
  • where the data is used in direct marketing, the classes of goods or services that will be marketed.

Similarly, an "opt-out" mechanism for the data subject must be provided.

Secondly, where a person obtains personal data without consent and subsequently discloses it for gain or malicious purposes (described as disclosure "with an intent to cause loss to the data subject" or "causing psychological harm to the data subject"), this will be an offence.

The penalty for each of these offences is a fine of HK$1,000,000 and imprisonment for 5 years.

More challenges and complaints

The PDPO currently enables an aggrieved data subject who suffers damage due to a contravention of the PDPO to seek compensation. Under the Bill, the PCO will be able to provide legal assistance to the data subject. Accordingly, where a case raises a question of legal principle or is difficult for the applicant to deal with unaided (for example, if there are complex legal issues), the PCO can assist by providing legal advice or arranging for one of his in-house lawyers or external counsel to act for the applicant in legal proceedings.

We make three observations here. The first is the introduction of another provision in the Bill, a usual provision for regulatory authorities, giving the PCO and his officers immunity from legal liability where they have acted in good faith. The second, more important, observation is that the PCO's effective partnering with other regulators (notably the financial regulators, such as the Hong Kong Monetary Authority, which issued 3 circulars in the 3 months after the PCO's report on the Octopus incident) has brought about quick changes to banks' practices in the use of their customers' personal data. Finally, the very recent prosecution and successful conviction of OnCard Limited on 25 July for a breach of section 34 demonstrates the PCO's willingness to pursue criminal sanctions.

In conclusion, expect more challenges, complaints and regulatory inquiries (and not necessarily from the PCO) if you are a data user.

Supervision of Data Processors and Sub-Contractors

Presently, a data processor is not treated as a data user if he holds, processes or uses personal data solely on behalf of another person and not for his own purposes. Accordingly, he is not required to comply with the requirements of the PDPO. The Bill will require the data user to use contractual or other means to ensure that its data processors and sub-contractors, whether within Hong Kong or offshore, comply with the requirements of the PDPO.

Repeat Offenders

A new offence will be introduced for data users who, having complied with the directions in an enforcement notice, subsequently and intentionally do the same act or engage in the same practice. The penalty will be the same as for breaching an enforcement notice, i.e. liability to a HK$50,000 fine and 2 years imprisonment.

A new provision will impose a heavier penalty for repeated non-compliance with an enforcement notice.  The increased penalty will be a fine of HK$100,000, with the same period of imprisonment (that is, 2 years), and, in the case of a continuing offence, a daily fine of HK$2,000.

What action should you take?

Realise that data privacy is a hot topic: make it a priority

  • Have internal procedures that clearly set out your policies about the collection and use of personal data;
  • Monitor compliance with such internal policies;
  • Make senior management and staff who handle personal data aware of the issues and your internal policies;
  • Have a plan to deal with potential data breaches - including how you will handle the PCO, your other regulators, your clients and the media.

Direct marketing: assess the extent to which your business depends on it

  • If these activities are integral to your business, start thinking about how you will handle the new requirements;
  • Change drafting style: do not use technical language, complicated formatting or small font. The Bill, and the PCO, expect you to present information to data subjects in a manner that is easily readable and understandable.

Review your arrangements with your service providers

  • Know what types of personal data your service providers hold or process for your business, and to what extent;
  • Know how your service providers handle personal data, do they:
    • have capable people and adequate systems and controls;
    • sub-contract;
    • segregate your customers' personal data from the data of other organisations for whom they provide services?
  • Review your contracts with your service providers, do they:
    • set out service levels;
    • allow you to terminate or take appropriate action for breach?

Navigate the regulatory minefield

  • Refer to our November 2010 Alert for our 10 practical steps to strengthen your privacy terms.
  • Read some of the topical PCO publications: Collection and Use of Customer's Personal Data by ICBC/Wing Hang Bank/Citibank/Fubon Bank, all issued June 2011; Guidance Note on the Collection and Use of Personal Data in Direct Marketing, issued October 2010; and Guidance on Data Breach Handling and the Giving of Breach Notifications, issued June 2010. These are available on the PCO's website. You should expect the PCO to be on the lookout for organisations that are ignorant of these issues.
  • Bite the bullet.  If your privacy terms or internal controls are inadequate for your business and operational needs, make the necessary changes.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
