
An Overview of Hong Kong’s Personal Data (Privacy) Ordinance (PDPO)

Author

Muhammad Faisal Sattar

Director of Product Legal & Global Data Compliance

FIP, CIPT, CIPM, CIPP/Asia

Published January 15, 2021 / Updated December 13, 2023


I. Introduction

Hong Kong’s Personal Data (Privacy) Ordinance (PDPO) is the cornerstone of the region's data protection framework. The legislation aims to safeguard individuals' right to privacy with regard to their personal data, and it governs the collection, processing, and use of personal data. The PDPO was passed on 3rd August 1995 and came into effect on 20th December 1996. It has since played a crucial role in establishing guidelines for data processing.

To address public concerns and evolving privacy complexities, the PDPO underwent significant revisions in 2012. The most notable change was the introduction of direct marketing rules and additional protection of personal data. Other major amendments to the PDPO were made in 2021 by the Personal Data (Privacy) (Amendment) Bill 2021, which came into effect on October 8, 2021.

The amendments criminalize doxxing and give the Office of the Privacy Commissioner for Personal Data (PCPD) the authority to issue cessation notices, which require the removal or restriction of disclosure of doxxing content. The goal of these measures is to combat doxxing that violates the privacy of personal data.

This overview delves into the intricacies of the PDPO's key provisions, obligations for data users, and individual rights, providing an in-depth analysis of the legislation and its significance in Hong Kong's evolving data privacy landscape.

II. Who Needs to Comply with Hong Kong’s PDPO

a. Material Scope

The PDPO applies to any entity that collects and processes personal data of data subjects in Hong Kong.

III. Definitions of Key Terms

a. Data

Data means any representation of information or expression of opinion in any document and includes a personal identifier.

b. Personal Data

Personal Data means any data relating directly or indirectly to a living individual, and in a form in which access to or processing of the data is practicable.

c. Data User

Data user, in relation to personal data, means a person who controls the collection, holding, processing, or use of the data either alone or jointly or in common with other persons.

IV. Data Protection Principles (DPP)

The PDPO establishes guidelines for the handling of personal data via its six data protection principles. These principles address aspects like data collection, accuracy, use, security, access, and retention.

1. Principle 1 – Purpose and Manner of Collection of Personal Data

Principle 1 (DPP1) requires that personal data shall be collected in a lawful and fair manner for legitimate purposes directly related to a function or activity of the data user. The data obtained must be adequate and necessary for the legitimate purpose, and it should not be used for any other purpose.

Additionally, the personal data must be collected by means that are lawful and fair under the circumstances.

When personal data is obtained, the data user is required to notify the data subject about its intended use, the potential recipients to whom the data will be disclosed, and whether providing the data is voluntary or obligatory. Additionally, the data subject must be informed of their rights to access, update, and rectify their data.

2. Principle 2 – Accuracy and Duration of Retention of Personal Data

Principle 2 (DPP2) requires data users to implement all reasonable and practical measures to ensure that personal data is accurate. Furthermore, it must be ensured that the data is not retained for any longer than is required to achieve the intended use.

When engaging with a data processor, the data user is responsible for ensuring the data processor adheres to the specified retention time guidelines. Section 26 of the PDPO mandates that data users delete personal data that is no longer needed for the intended purpose unless doing so would be against the law or not in the public interest.

3. Principle 3 – Use of Personal Data

Principle 3 (DPP3) states that without the explicit and voluntary consent of the data subject, personal data may not be used for new purposes that are inconsistent with or unrelated to the original reason for which the data was obtained. The data subject may revoke previously given consent by written notice.

When utilizing the personal data of a data subject for direct marketing purposes, informed and explicit consent must be obtained. Silence is not considered the same as consent. "Informed" consent refers to the requirement that consent is obtained based on an informed basis; that is, the data user must inform the data subject about the type of data to be used, the purpose of the data use (direct marketing), the need for the data subject's consent, the right to withdraw consent, and other details of the intended data use.

Failure to comply with the direct marketing provisions is a criminal offense. If the data has been disclosed to third parties for commercial purposes, there could be a fine of up to HK$1,000,000 and five years imprisonment; otherwise, a fine of up to HK$500,000 and three years imprisonment.

4. Principle 4 – Security of Personal Data

Principle 4 (DPP4) details data security requirements. Data users must take all reasonable steps to protect against unauthorized or accidental access, processing, deletion, loss, or use of any personal data under their control.

This entails taking into account the type of data, the possible harm in the case of a security incident, and steps to ensure the accuracy, diligence, and competence of the individuals who are authorized to access the data. Data processors must be contractually obliged by data users to comply with these requirements.

5. Principle 5 – Information to be Generally Available

Principle 5 (DPP5) requires data users to inform individuals regarding the rules and practices for handling personal data. This includes disclosing the kind of personal data that is kept on file and the primary reason why the data user uses it.

6. Principle 6 – Access to Personal Data

Principle 6 (DPP6) gives the data subject the right to request access to their personal data and to request that any inaccurate data be corrected. PDPO's Chapter 5 provides comprehensive guidelines outlining how these requests should be handled, how long they may take to complete, and when they can be refused.

V. Obligations for Organizations Under Hong Kong’s PDPO

A. Lawful Basis Requirements

The PDPO mandates that personal data be collected fairly and lawfully for purposes directly related to the function or activity of the data user and that the data subject be informed of the reason(s) for the collection as well as the categories of individuals to whom the data may be disclosed or transferred.

Consent must be obtained prior to processing an individual's personal data for a new purpose. The term "prescribed consent" refers to an individual’s voluntarily expressed explicit assent. It does not include consent that has been withdrawn by giving written notification.

C. Data Retention Requirements

When a data user engages with a data processor—whether located in Hong Kong or elsewhere—to handle personal data on their behalf, the data user must take precautions to ensure that any personal information sent to the processor is not retained for longer than is required for data processing. This can include the implementation of contractual clauses.

D. Security Requirements

DPP4 mandates that data users take all reasonable security precautions to protect personal data against unauthorized or accidental access, processing, erasure, loss, or any other use. Personal data processing, transit, and storage must all be adequately secured. Additionally, when engaging with a data processor, the data user must ensure, through contractual or other means, that the data processor abides by the same data security standards.

E. Data Breach Requirements

Data breach refers to the breach of security of personal data held by a data user, which results in exposing the data to the risk of unauthorized or accidental access, processing, erasure, loss, or use. The PCPD urges data users to notify impacted parties of data breaches to minimize any possible harm that might impact individuals.

F. Data Privacy Impact Assessment Requirements

Although not a direct requirement under the PDPO, the PCPD published the Ethical Accountability Framework for Hong Kong in October 2018. Under the framework, the PCPD effectively urges organizations operating in Hong Kong to undertake data privacy impact assessments – referred to as "Ethical Data Impact Assessments."

G. Cross-Border Data Transfer Requirements

While the PDPO contains a provision concerning the cross-border transfer of personal data (Section 33 of the PDPO), it is not currently in force. That provision sets out a few specific circumstances under which personal data could be transferred outside Hong Kong; these include:

  • The data user has good cause to believe that legislation substantially similar to, or serving the same purposes as, the PDPO is in force in that location;
  • The Commissioner may designate a location by publishing a notice in the Gazette if he has good cause to believe that there is legislation in force outside Hong Kong that is substantially similar to, or serves the same purposes as, the PDPO; and
  • The data subject has consented in writing to the transfer of their personal data.

Organizations engaged in cross-border data transfers must implement Binding Corporate Rules (BCR) and Standard Contractual Clauses (SCC).

H. Direct Marketing Requirements

The PDPO details specific requirements and restrictions on how personal data can be used for direct marketing purposes.

Direct marketing refers to the offering or advertising of the availability of goods, facilities, or services, or the solicitation of donations or contributions for charitable, cultural, philanthropic, recreational, political, or other purposes, through direct marketing means.

Direct marketing means, in turn, refers to sending information or goods addressed to specific persons by name, by mail, fax, electronic mail, or other means of communication, or making telephone calls to specific persons.

When processing a data subject's personal data for direct marketing, data users must:

  • Inform the data subject that the data user intends to use their personal data for direct marketing and that it may not do so unless the data subject has given consent for the intended use;
  • Not treat the data subject's silence or non-response as consent, since consent must be given voluntarily;
  • Inform the data subject about the categories of marketing subjects for which the data is to be used, as well as the types of personal data to be used;
  • Provide the data subject a channel by which they may express their consent to the planned usage without incurring any fees from the data user; and
  • Use specific and clear descriptions of the intended data usage and of any transferees, avoiding imprecise or excessively broad language.

VI. Data Subject Rights

A. Right to Access Personal Data

An individual, or a relevant person on behalf of an individual, may make a request to be informed by a data user whether the data user holds personal data of which the individual is the data subject and if the data user holds such data, to be supplied by the data user with a copy of such data.

Compliance with Data Access Request

A data user must comply with a data access request within 40 days after receiving the request. If the data user holds any personal data that is the subject of the request, they should inform the requester in writing that they indeed possess the data and provide a copy of it. If the data user does not hold any personal data that is the subject of the request, they must inform the requester in writing that they do not possess the data.

A data user may refuse to comply with a data access request if the request is not in writing in the Chinese or English language, or if the data user is not supplied with such information as the data user may reasonably require to locate the personal data to which the request relates.

B. Right to Correct Personal Data

An individual or relevant person may make a request that the data user make the necessary corrections to the data. The data requestor is entitled to ask for correction of the personal data concerned if he/she considers that the data are inaccurate.

Compliance with Data Correction Request

If it is deemed that personal data that is the subject of a data correction request is inaccurate, the data user shall make the necessary correction and supply the data subject with a copy of the corrected personal data within 40 days of receipt of the request. If a data user is unable to comply with a data correction request in whole or in part within the 40-day reply period, the data user must, within such period, inform the requestor in writing that it is unable to do so and give the reasons. The data user must then fully comply with the request as soon as reasonably practicable after the expiry of the 40-day reply period.

VII. Regulatory Authority

The Office of the Privacy Commissioner for Personal Data (PCPD) in Hong Kong is the regulatory authority responsible for enforcing the PDPO. Violations of the ordinance can result in legal penalties, including fines and imprisonment.

Individuals may report suspected PDPO breaches by data users to the Privacy Commissioner, who may then conduct further investigation and issue any necessary orders for correction, prevention, or both. A data user may be fined or even imprisoned for up to two years for violating such instructions, which is considered a criminal act under the PDPO.

The Privacy Commissioner may independently start criminal investigations against data users and, at their discretion, engage the police or other authorities to aid in such investigations. Additionally, the Privacy Commissioner has the authority to proactively audit data users.

VIII. Penalties for Non-Compliance

Hong Kong’s PDPO imposes severe penalties for violating the law, ranging from fines to imprisonment, depending on the exact violation. These fines are intended to protect the privacy of personal data and ensure compliance in direct marketing and other data-related activities.

The following are some of the most common fines:

  • Failure to abide by an enforcement notice is a criminal offense, punishable by a fine of up to HK$50,000 and imprisonment for up to two years. If the offense continues after conviction, there is a daily penalty of HK$1,000. Subsequent offenses may incur an additional fine of up to HK$100,000 and further imprisonment.
  • Depending on the specifics of the violation, a fine of up to HK$1 million and up to five years imprisonment may be imposed for violating the various direct marketing provisions.
  • A fine of up to HK$10,000 may be imposed on data users who fail to delete unnecessary data.
  • If a data subject's personal data is disclosed without their consent, it can result in a fine of up to HK$1 million and five years imprisonment.


IX. How an Organization Can Operationalize Hong Kong’s PDPO

Organizations can operationalize Hong Kong’s Personal Data (Privacy) Ordinance (PDPO) by:

  • Establishing clearly defined policies and procedures for processing data in compliance with the PDPO’s provisions;
  • Developing clear, accessible privacy notices that comply with the PDPO’s requirements;
  • Obtaining explicit consent from users before processing their personal data;
  • Developing a robust framework for receiving and processing data requests, complaints, and appeals from consumers; and
  • Training employees who handle consumers’ data on the organization's policies and procedures, as well as on the requirements of the PDPO.

X. How Securiti Can Help

Securiti’s Data Command Center enables organizations to comply with Hong Kong’s Personal Data (Privacy) Ordinance (PDPO) by securing the organization’s data, enabling organizations to maximize data value, and fulfilling an organization’s obligations around data security, data privacy, data governance, and compliance.

It helps organizations overcome the challenges of hyperscale data environments by delivering unified intelligence and controls for data across public clouds, data clouds, and SaaS, enabling them to swiftly comply with privacy, security, governance, and compliance requirements.

Frequently Asked Questions (FAQs)

The Personal Data (Privacy) Ordinance (PDPO) is a law in Hong Kong that governs the protection of personal data privacy and the rights of individuals concerning their personal data.

The PDPO in Hong Kong stipulates penalties for breaches, including fines and imprisonment, depending on the severity of the violation. There is also a concept of a daily penalty that can be imposed in the case of an ongoing violation.

The PDPO in Hong Kong covers the collection, use, and handling of personal data by both the public and private sectors, aiming to protect individuals' privacy rights.

Yes, Hong Kong has the Personal Data (Privacy) Ordinance (PDPO) as its data protection law.

In Hong Kong, the PDPO law says businesses can keep personal data only as long as needed. After that, they must delete it safely to protect privacy. Companies also need clear rules for storing and removing data.
