1. Legal and enforcement framework
1.1 Which legislative and regulatory provisions govern social media in Hong Kong?
The most relevant legislative and regulatory provisions in respect of social media are the following:
- the Personal Data (Privacy) Ordinance (Cap 486) (PDPO);
- the Unsolicited Electronic Messages Ordinance (Cap 593) (UEMO); and
- the Law of the People's Republic of China on Safeguarding National Security in the Hong Kong Special Administrative Region ("National Security Law").
1.2 Which bodies are responsible for enforcing the applicable laws and regulations in the social media sector? What powers do they have?
Office of the Privacy Commissioner for Personal Data (PCPD): The PCPD has the power to:
- monitor and supervise compliance with the provisions of the PDPO;
- promote and assist bodies representing data users to facilitate lawful and responsible use of personal data; and
- carry out inspections, including inspections of any personal data systems used by data users which are departments of the Hong Kong government or statutory corporations.
The Office for Safeguarding National Security of the Central People's Government in the Hong Kong Special Administrative Region ('CPG Office on National Security'): The CPG Office on National Security is the state security agency. Established in July 2020, it is responsible for overseeing, guiding, coordinating with and providing support to the Hong Kong government to safeguard national security in accordance with the National Security Law.
National Security Department of the Hong Kong Police Force: Subject to the approval of the secretary for security, the commissioner of police may authorise a designated officer to exercise powers to disable or remove electronic messages if the commissioner has reasonable grounds to suspect that:
- a person has published an electronic message on an electronic platform; and
- the publication is likely to constitute an offence endangering national security or is likely to cause the occurrence of an offence endangering national security.
Communications Authority: The Communications Authority is the body responsible for enforcing the UEMO in respect of unsolicited electronic messages. Under the UEMO, the Communications Authority's powers include the power to:
- approve codes of practice;
- establish do-not-call registers;
- impose financial penalties; and
- issue enforcement notices.
1.3 What is the general approach of those bodies in regulating the social media sector?
PCPD: The PCPD maintains the efficacy of the regulatory regime on personal data privacy, taking into account global standards for the protection of personal data privacy.
CPG Office on National Security: The CPG Office on National Security's general approach is reflected in Article 1 of the National Security Law and is, among other things, to safeguard national security.
Communications Authority: According to OFCA, the Communications Authority "adopts a light-handed and pro-competition approach" to its regulatory obligations.
1.4 What other industry codes of conduct or best practices are applicable in the social media sector?
PCPD: The PCPD may issue codes of practice, guidelines and guidance notes in respect of the PDPO and other relevant data privacy regulations in Hong Kong. Non-compliance with a code of practice can be used as proof of contravention of relevant requirements under the PDPO.
Communications Authority: The Communications Authority has issued codes of practice and guidelines for the purpose of providing practical guidance in respect of the application or operation of any provision of the UEMO.
2. Ownership
Who is eligible to provide services in the social media sector in Hong Kong? Are there any restrictions on foreign ownership? Do any domicile requirements apply? What other requirements or restrictions apply in this regard?
The provision of social media in Hong Kong is fully liberalised. There are no restrictions or requirements on foreign ownership for providing social media services in Hong Kong.
3. Authorisations/licences
What authorisations and/or licences are required to operate in the social media sector? Do any exemptions apply? Do these vary depending on the service to be provided?
No authorisations or licences are required for social media service providers to operate in Hong Kong.
4. Competition
4.1 What competition-related provisions (e.g., structural or functional separation requirements; significant market power requirements; media plurality rules) apply in the social media sector?
The Competition Ordinance (Cap 619) governs the competition-related provisions relevant to sound broadcasting, television broadcasting and print sectors, for which the first conduct rule and the second conduct rule apply. The first conduct rule prohibits anti-competitive agreements, concerted practices and decisions. The second conduct rule prohibits the abuse of market power.
4.2 To what extent can the national competition regulator intervene in the social media sector? What is the interplay between the competition regulator and the various sectoral regulators?
The Competition Commission enforces the Competition Ordinance (Cap 619) in respect of the conduct of undertakings operating in the social media sector. There is no specific social media sector regulator.
4.3 How are mergers and acquisitions in the social media sector treated from a competition perspective?
From a competition perspective, mergers and acquisitions are not treated differently in the social media sector from other sectors in the economy.
5. Data security and cybersecurity
5.1 What data security regimes apply in the social media sector?
The main legislative regime with provisions relating to data security is the Personal Data (Privacy) Ordinance (Cap 486) (PDPO).
Telecommunications providers are likely to be considered data users under the PDPO, and are subject to the obligations and requirements set out in the PDPO. A 'data user' means a person that, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of personal data.
The PDPO sets out six data protection principles (DPPs):
- DPP1: Personal data must be collected in a lawful and fair manner, and the data user must give specified information to a data subject when collecting his or her personal data.
- DPP2: Personal data must be accurate and up to date, and kept for no longer than necessary.
- DPP3: Personal data should only be used for the purposes for which it was collected or a directly related purpose. Otherwise, the data user must obtain the 'prescribed consent' of the data subject.
- DPP4: The data user must have measures in place to ensure the confidentiality and security of personal data.
- DPP5: Data users must provide general information about the kinds of personal data they hold and the main purposes for which personal data is used.
- DPP6: Data subjects must be given a right to access their personal data and a right to correct it.
DPP4 is the most relevant in respect of data security and requires data users to take all practical steps to protect the personal data they hold against unauthorised and accidental access, processing, erasure, loss or use. Data users must have particular regard to:
- the nature of the data;
- the potential harm if such events were to happen; and
- measures to ensure the integrity, prudence and competence of persons with access to the data.
If personal data is entrusted by the data user to a data processor, the data user is liable as the principal for any act done by its authorised data processor. The data user must adopt contractual or other means to prevent:
- any personal data transferred to the data processor from being kept for longer than necessary for processing the data; and
- unauthorised or accidental access, processing, erasure, loss or other inappropriate use of the personal data.
The PCPD has published a guidance note for mobile service operators in respect of personal data concerns. The guidance covers recommended best practices in:
- handling mobile phone service applications;
- audio-recording customer conversations;
- maintaining customer service accounts;
- disclosing customer account data;
- protecting service account data; and
- engaging third-party agents and dealers.
Also, telecommunications operators that are licensees are prohibited from disclosing information about a customer without the customer's consent, given in a prescribed form designated by the Communications Authority, except:
- for the prevention or detection of crime;
- for the apprehension or prosecution of offenders; or
- as may be authorised by or under any law.
5.2 What cybersecurity regimes apply in the social media sector?
Hong Kong does not have a single overarching cybersecurity law, though this will change in the coming months when the Protection of Critical Infrastructure (Computer System) Bill comes into law. The communications and broadcasting sectors are designated as essential services under the Bill, and the Communications Authority will be the designated authority to monitor the ongoing obligations of those sectors under the planned statutory requirements.
Currently, offences relating to cybersecurity are contained in various laws.
Telecommunications Ordinance (Cap 106): The Telecommunications Ordinance (Cap 106) criminalises actions involving:
- damage to telecommunications infrastructure with intent;
- unauthorised access to computers by telecommunications; and
- transmission of false or deceptive distress messages.
Crimes Ordinance (Cap 200): The Crimes Ordinance (Cap 200) criminalises access to a computer with criminal or dishonest intent.
PDPO: The PDPO provides for offences for the disclosure of personal data without consent, among other things.
Unsolicited Electronic Messages Ordinance (Cap 593): This criminalises the initiation of transmissions of multiple commercial electronic messages from telecommunications devices that are accessed without authorisation and with the intent to deceive or mislead recipients as to the source of the messages.
Interception of Communications and Surveillance Ordinance (Cap 589) (ICSO): Subject to limited exceptions, it is unlawful for a public officer to carry out intercepting acts relating to communications. 'Intercepting acts' involve the inspection of some or all of the contents of the communication, in the course of its transmission by a postal service or by a telecommunications system, by a person other than its sender or intended recipient. One relevant exemption is that the prohibition does not apply to any interception of telecommunications transmitted by radiocommunications (other than the radiocommunications part of a telecommunications network for the provision of a public telecommunications service by any carrier licensee under the Telecommunications Ordinance (Cap 106)).
Enforcement: There is no single authority responsible for enforcing cybersecurity laws in Hong Kong. Rather, the competent enforcement authority will depend on the nature of the offence in question.
The Hong Kong Police Force is the enforcement authority for crime in Hong Kong. The Cybersecurity and Technology Crime Bureau is responsible for:
- handling cybersecurity issues;
- carrying out technology crime investigations and computer forensic examinations; and
- preventing technology crime.
The PCPD is the competent authority for regulation of personal data matters, and will conduct investigations and issue enforcement notices.
The commissioner on interception of communications and surveillance is responsible for overseeing compliance by law enforcement agencies and their officers with the relevant requirements under the ICSO.
Policy: At a policy level, information security and cybersecurity fall under the remit of the Office of the Government Chief Information Officer (OGCIO). Its work involves the following:
- The Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) is the centralised contact on computer and network security incident reporting and response for local businesses and internet users in case of security incidents.
- The Cybersec Infohub is a partnership programme to promote closer collaboration among local information security stakeholders in different sectors to share cybersecurity information and jointly defend against cyberattacks. It is not intended for cybersecurity incident reporting, which is the role of HKCERT.
- The OGCIO has established an information security website portal to facilitate the public's access to various information security-related resources and updates.
5.3 What other specific challenges or concerns do the social media sector present from a data security/cybersecurity perspective?
Operators in the social media sector must consider requests from enforcement authorities to obtain access to communications, and this can be an area of concern or challenge.
In general, the Hong Kong police do not have the authority to conduct indiscriminate surveillance or search or seizure of data without prior authorisation.
Search and seizure with warrant: A warrant overrides any right to refuse disclosure on the basis of the PDPO and any contractual confidentiality obligations owed to third parties. However, there is no obligation to provide or disclose information or material that is subject to legal professional privilege.
Persons that fail to cooperate with enforcement authorities without a reasonable excuse commit an offence and may be criminally liable and arrested for obstructing the police in the execution of their lawful duties. Also, a number of offences are committed for failing to comply with court orders to provide access to information or prejudicing investigations.
Search and seizure without warrant: Warrants must generally be granted by the judiciary before police officers can carry out search and seizures at a specific site. However, in certain situations, a senior police officer may also authorise officers to carry out a search without a warrant or perform covert surveillance operations in circumstances where it is not reasonably practicable to obtain authorisation.
Covert interception of communication: The Hong Kong police may intercept communications or conduct covert surveillance upon obtaining authorisation from:
- a designated authorising officer, for less intrusive covert surveillance operations; or
- a panel judge, for more intrusive covert surveillance operations.
The purpose of the operation must be confined to the prevention or detection of serious crimes or the protection of public security. In addition, the tests of proportionality and necessity must be met, including the requirement that the purpose of the operation cannot reasonably be fulfilled by other less intrusive means. Any application for authorisation must state a specific serious crime or threat to public security.
The National Security Law provides similar legislative power for the Hong Kong police to carry out covert interception of communication or surveillance. The application procedure and the criteria required are largely identical to those of the ICSO, except:
- an application under the National Security Law must relate to an offence of endangering national security; and
- applications made under the National Security Law are generally made to the chief executive or the commissioner of police in emergency situations (rather than a panel judge).
Disclosure of personal data: Exemptions are specified in the PDPO in which data users can disregard certain provisions. Data users may disclose personal data to law enforcement agencies, such as the Hong Kong police, if the use of personal data by the law enforcement agencies is for:
- the prevention or detection of crime; or
- the apprehension, prosecution or detention of offenders.
However, simply because a law enforcement agency requests personal data does not mean that data users can provide the data requested without complying with DPP3 (which relates to the use of personal data for a new purpose).
Data users must consider whether non-provision of the data would be so serious as to be likely to prejudice the purposes for which it is collected. The view taken by the PCPD is that it is prudent for data users to make enquiries with the law enforcement agency on:
- the purpose for which the personal data is collected;
- the reasons why the personal data concerned is relevant; and
- the reasons why the data subject's consent should not be obtained by the enforcement agency.
6. Trends and predictions
What are the legislative trends and developments in Hong Kong for the social media sector?
Doxxing offences: New laws criminalising doxxing came into force on 8 October 2021. When doxxing occurs on or via social media platforms, service providers and companies may receive a cessation notice from the Office of the Privacy Commissioner for Personal Data (PCPD) requesting them to remove the doxxing message(s). Given that contravention of a cessation notice constitutes a criminal offence under the Personal Data (Privacy) Ordinance (Cap 486), it is critical for social media service providers to put in place internal policies to assess and respond to enforcement requests.
As of the end of December 2022, the PCPD had:
- written more than 400 times to request the operators of a total of 18 websites, online social media platforms and discussion forums to remove more than 7,400 web links involving doxxing; and
- issued 1,500 cessation notices to 26 online platforms, requesting them to remove over 17,700 web links involving doxxing.
Consultation on cybercrime reform: On 20 July 2022, the Cybercrime Sub-committee of the Hong Kong Law Reform Commission published a consultation paper with its recommendations to introduce five new cybercrimes into law in Hong Kong. The proposed new cybercrime offences are:
- illegally accessing a computer program or data;
- illegally intercepting computer data;
- illegally interfering with computer data;
- illegally interfering with a computer system; and
- making available or possessing a device or data for committing a crime.
Copyright (Amendment) Ordinance 2022: The Copyright (Amendment) Ordinance 2022 came into operation on 1 May 2023, with the aim of strengthening copyright protection in the digital environment in Hong Kong.
The main aims of the Copyright Amendment Ordinance are to:
- create an exclusive technology-neutral communication right for copyright owners to communicate their works to the public through any mode of electronic transmission;
- introduce criminal sanctions against individuals who make unauthorised communication of copyright works to the public for profit or to prejudice copyright owners;
- expand the scope of new copyright exceptions to allow for the use of copyright works in certain common internet activities;
- introduce safe harbour provisions to limit online service providers' liability; and
- introduce two additional statutory factors for courts to consider when determining whether to award additional damages to copyright owners for copyright infringements.
Specifically, the Copyright Amendment Ordinance includes provisions that are intended to limit the liability of online service providers, provided that they can demonstrate that they took reasonable steps to limit or stop the copyright infringement as soon as practicable after receiving a notice of alleged infringement.
Copyright amendment proposal for AI technology: Under the existing Copyright Ordinance in Hong Kong, works generated by generative artificial intelligence are likely protected by copyright. Legislative proposals are presently being considered to provide more certainty and to allow an exception for the reasonable use of copyright works in analysis and processing for AI model training.
Combating false information: The Hong Kong government is considering implementing legislative reforms to tackle the issue of false information. In November 2021, the Hong Kong Home Affairs Bureau (HAB) commissioned a consultant to study legislation enacted in overseas jurisdictions for regulating disinformation and propose effective recommendations for legislative reform. The HAB has not yet published the research conclusions. In May 2022, the secretary for security reported to the Legislative Council of Hong Kong that the HAB's work with the commissioned consultancy was still in progress. These legislative changes, once proposed and implemented, will subject online service providers, including social media platforms, to tighter compliance standards to regulate disinformation.
National Security: The National Security Law and Safeguarding National Security Ordinance govern national security protection in Hong Kong. Social media operators continue to take care to manage the risk of possible non-compliance with these laws.
Cybersecurity: The Protection of Critical Infrastructure (Computer System) Bill will likely be considered and passed by the Legislative Council within 2024. The Commissioner's Office proposed under the legislation will be established within the Security Bureau within one year of the passing of the legislation, and the legislation will come into force six months after that.
7. Tips and traps
What are your top tips for new entrants seeking to operate in the social media sector in Hong Kong?
The social media industry in Hong Kong remains relatively liberalised, with no foreign ownership restrictions. Nevertheless, the risk environment for businesses in social media is changing in Hong Kong. Social media operators are advised to take early steps to:
- understand the provisions of national security laws and the Personal Data (Privacy) Ordinance (Cap 486) (especially in relation to anti-doxxing measures);
- assess the relevant impacts on their businesses; and
- adopt policies accordingly.
They should also seek professional advice as necessary to strike an appropriate balance between cooperation with enforcement authorities and protection of user privacy.