The content will be periodically updated by our lawyers but, given the constantly evolving laws in this area, we cannot guarantee the content is complete and accurate.
Last updated April 2020
- Personal Data (Privacy) Ordinance (Cap 486) (the “Ordinance”)
- Privacy Commissioner for Personal Data (the “Commissioner”)
Anticipated changes to law
The Constitutional and Mainland Affairs Bureau (the CMAB) released a discussion paper (LC Paper No. CB(2)512/19-20(03)) (the Paper) seeking the views of the Legislative Council’s Panel on Constitutional Affairs (the Panel) on proposed changes to the Ordinance in the following areas:
- introduction of a mandatory data breach notification mechanism;
- a requirement for data users to formulate a clear retention policy specifying a retention period for the personal data collected;
- raising the relevant criminal fine levels and introducing administrative penalties;
- introduction of direct regulation of data processors;
- expansion of the definition of “Personal Data”; and
- regulation of the disclosure of personal data of other data subjects, so as to curb doxing more effectively.
If applicable: stage of legislative implementation of GDPR
If applicable: local derogations as permitted by GDPR
- Applicable to both private and public sectors in Hong Kong.
- Applies to the collection, handling, use and retention of Personal Data (defined as “information which relates to a living individual and can be used to identify that individual. It must also exist in a form which access to or processing of is practicable”).
The Commissioner is the dedicated privacy regulator.
A summary of various offences and penalties under the Ordinance can be found at: https://www.pcpd.org.hk/misc/files/table2_e.pdf
No formal registration or notification procedure is required before processing. The Commissioner is an independent statutory body set up to oversee the enforcement of the Ordinance.
Main obligations and processing requirements
Data users shall comply with the six Data Protection Principles set out in Schedule 1 to the Ordinance:
- (1) Personal data shall only be collected for a lawful purpose directly related to a function or activity of the data user. The data collected should be necessary and adequate, but not excessive, for that purpose, and the means of collection should be lawful and fair.
- (2) Data users are required to take all practicable steps to ensure that personal data is accurate and is not kept longer than necessary for the fulfilment of the purpose for which it is used. If a data user engages a data processor to handle personal data on its behalf, the data user should adopt contractual or other means to ensure that the data processor complies with this retention requirement.
- (3) Data users shall not use personal data for any new purpose that is not the original purpose of collection or is unrelated to it, unless the data subject has given express and voluntary consent.
- (4) Data users shall take all practicable steps to protect the personal data they hold against unauthorised or accidental access, processing, erasure, loss or use.
- (5) Data users are required to take all practicable steps to ensure openness of their personal data policies and practices, the kinds of personal data held and the main purposes for holding it.
- (6) Data users shall provide data subjects with the right to request access to, and correction of, their own personal data.
Data subject rights
Data subjects have the right to access and correct their own personal data.
Processing by third parties
No specific regulation applies to data processors directly. However, data users are obliged to adopt contractual or other means to ensure that data processors or their subcontractors take measures to ensure the security of the personal data they handle.
Transfers out of country
A data user shall not transfer personal data outside Hong Kong unless one of the following conditions is met:
(a) The place is specified by the Commissioner, by notice in the Gazette, as having in force a law which is substantially similar to the Ordinance or serves the same purposes (to date, no place has been so specified);
(b) The data user has reasonable grounds to believe that a law is in force in that place which is substantially similar to the Ordinance or serves the same purposes;
(c) The data subject has consented in writing to the transfer;
(d) The data user has reasonable grounds for believing that the transfer is for the avoidance or mitigation of adverse action against the data subject; it is not practicable to obtain the data subject’s written consent to the transfer; but, if it were practicable, such consent would be given;
(e) The data is exempt from Data Protection Principle 3 by virtue of an exemption under Part VIII of the Ordinance (such as personal data held for news activities, for domestic use, or for the prevention of crime); or
(f) The data user has taken all reasonable precautions and exercised all due diligence to ensure that the data will not, in that place, be collected, held, processed or used in any manner which, if that place were Hong Kong, would contravene a requirement under the Ordinance. Note that using the recommended model data transfer clauses to develop an enforceable data transfer contract is one method by which a data user can satisfy this due diligence requirement.
Data Protection Officer
No mandatory requirement. However, a data subject must be informed of the name or job title, and the address, of the individual who will handle data access or correction requests made to the data user.
Data Protection Principle 4 in Schedule 1 to the Ordinance: data users shall take all practicable steps to protect the personal data they hold against unauthorised or accidental access, processing, erasure, loss or use. Data users should pay particular attention to the nature of the data, the potential harm if such events occur, and the measures taken to ensure the integrity, prudence and competence of persons having access to the data. A data user that engages a data processor to process the personal data it holds must adopt contractual or other means to ensure that the data processor complies with this data security requirement.
- No mandatory requirement, but a data breach may amount to a contravention of Data Protection Principle 4(1) and (2) in Schedule 1 of the Ordinance.
- The following action plan is recommended as good practice for data users: (1) immediately gather the essential information relating to the breach; (2) contact the interested parties and adopt measures to contain the breach; (3) assess the risk of harm; (4) consider giving data breach notifications, as soon as practicable after detection of the breach, to the affected data subjects, the relevant parties, law enforcement agencies, the Commissioner, relevant regulators and any other parties who may be able to take remedial action. For notifying the Commissioner, a “Data Breach Notification Form” can be used.
The data user must:
(a) inform the data subject (i) that the data user intends to use the personal data for that purpose; and (ii) that the data user may not so use the data unless it has received the data subject’s consent to the intended use. Note that “consent” must be “an indication of no objection to the use or provision”; silence or a lack of response will therefore not be deemed to be consent;
(b) provide the data subject with the following information in relation to the intended use: (i) the kinds of personal data to be used; and (ii) the classes of marketing subjects in relation to which the data is to be used. Note that the description of such classes should be specific, referring to the distinctive features of the goods, facilities or services, so that it is practicable for customers to ascertain with a reasonable degree of certainty what will be marketed to them; and
(c) provide the data subject with a channel through which the data subject may, without charge by the data user, communicate consent to the intended use. Note that a data user may only offer a response channel that enables the data subject’s consent to be given in writing.
Last updated April 2020
Laws and regulations
The more significant laws which cover cybersecurity matters include provisions under:
- Crimes Ordinance (Cap 200):
  - s.161 Access to computer with criminal or dishonest intent; and
  - s.60 Destroying or damaging property;
- s.27A (unauthorised access to computer by telecommunications) under the Telecommunications Ordinance (Cap 106);
- Control of Obscene and Indecent Articles Ordinance (Cap 390);
- Prevention of Child Pornography Ordinance (Cap 579); and
- Unsolicited Electronic Messages Ordinance (Cap 593).
Anticipated changes to law
N/A, although there has been increasing pressure for the introduction of laws against doxing.
- The Cyber Security and Technology Crime Bureau (Hong Kong Police)
- The Communications Authority (for reporting spam)
N/A. No prescribed obligation is imposed on cyber users or operators to adopt security measures, except where the handling of personal data is involved, as specified in the Personal Data (Privacy) Ordinance (Cap 486) (the “Ordinance”).
The Hong Kong Police enforce the provisions of the relevant Ordinances. Penalties range from a level 4 fine (HK$25,000) to imprisonment for 5 years.
Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?
Is there a national incident management structure for responding to cyber security incidents?
Other cybersecurity initiatives
- Hong Kong Monetary Authority has issued various non-binding cybersecurity guidelines for authorised institutions such as a Cyber Resilience Assessment Framework and cybersecurity guidelines with respect to the use of stored value facilities, e-banking systems and artificial intelligence.
- Securities and Futures Commission has published guidelines and circulars such as the Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading and specific guidelines in relation to the use of external electronic data storage.
- The Insurance Authority has issued the Guideline on Cybersecurity, laying down the minimum cybersecurity standards that authorised insurers must observe.
- The Commissioner for the Electronic Health Record has issued codes of practice regarding the use of the electronic health record sharing system by healthcare providers to access and share patients’ electronic health records.
- The Office of the Government Chief Information Officer has issued various guidelines on cybersecurity controls and measures applicable to government offices and departments.