Answer ... The primary legislation that governs data protection issues in Hong Kong is the Personal Data (Privacy) Ordinance (Cap 486). The ordinance aims to protect the privacy of personal data and states that data users must not contravene the data protection principles enunciated therein.

According to the privacy commissioner for personal data, fintech companies should:

• have privacy policies which are transparent and easy to understand;
• collect and retain only the minimum amount of personal data required; and
• provide consumers with clear and genuine options regarding the collection and use of personal data.

Currently, there is no specific ordinance on cybercrime in Hong Kong. Accordingly, cases involving the theft of information and breaches of privacy through the use of a computer are often covered by the general offence of “access to a computer with criminal or dishonest intent” under Section 161 of the Crimes Ordinance (Cap 200). Much criticism has been levied against the excessive use of this charge, which goes far beyond the original purpose of the law.

Since the Court of Final Appeal’s decision in Secretary for Justice v Cheng Ka Yee [2019] HKCFA 9, it is now the legal position that the charge will not apply to the use by a person of his or her own computer which does not involve access to another’s computer. Therefore, it is foreseeable that the charge will be limited to hacking and cyber fraud involving third-party computers.

Answer ... The primary legislation governing cybersecurity in Hong Kong includes traditional criminal statutes such as the Crimes Ordinance and the Personal Data (Privacy) Ordinance (Cap 486). The Hong Kong Police Force also has a specialist Cyber Security and Technology Crime Bureau, which handles cyber-related crimes.

As mentioned in question 5.1, the general offence of “access to a computer with criminal or dishonest intent” under Section 161 of the Crimes Ordinance (Cap 200) was previously used to prosecute all computer-related crimes. However, due to the clarification recently provided by the Hong Kong Court of Final Appeal, the scope of this charge has been narrowed considerably. This may provide an incentive for the legislature to introduce dedicated new legislation on technology crime and cybersecurity.

The Hong Kong Association of Banks has also established a platform to share cybersecurity threats and the Hong Kong Money Authority has indicated that non-bank financial institutions may utilise the platform. Fintech companies should guard against cybersecurity risks and those carrying on regulated activities must comply with the circulars on cybersecurity published by the Securities and Futures Commission.