The PDPO, Comprehensive Data Privacy in Hong Kong
October 21, 2021
The Personal Data (Privacy) Ordinance (Cap. 486), or PDPO for short, is a Hong Kong data privacy law that was originally passed in 1996 and amended in 2012. While Hong Kong is a special administrative region of China, it nevertheless has a separate system of government under the principle of “one country, two systems”, due to Hong Kong’s status as a British territory until 1997. As a result, Hong Kong does not fall under the jurisdiction of China’s Personal Information Security Specification or the Chinese Cybersecurity Law. Consequently, the PDPO is the main privacy law that governs the collection, processing, and disclosure of personal data in Hong Kong.
What is the scope and application of the PDPO?
With regard to its personal scope, the PDPO applies to the collection, processing, and holding of personal data by data users, including any information that:
- Relates directly or indirectly to a living person.
- Exists in a form in which it is practicable that the identity of a particular individual could be ascertained, be it directly or indirectly.
- Exists in a form from which accessing or processing would be practicable.
The territorial scope of the law covers “the collection and processing of personal data irrespective of where in the world the collection or processing occurred provided that the personal data is controlled by a data user in Hong Kong”. In terms of the material scope of the law, data processors operating within Hong Kong do not automatically fall under the jurisdiction of the PDPO, as the law generally applies to data controllers and data users. More specifically, “A data user, who either alone, jointly, or in common with persons, controls the collection, holding, processing, or use of personal data, will be subject to the requirements under the PDPO”.
What are the obligations of data controllers under the PDPO?
The main obligations and duties of data controllers operating within Hong Kong as set forth by the PDPO are conveyed through the following data protection principles:
- Collection of personal data – The collection of personal data must be limited to what is necessary, lawful, and fair. At the time personal data is collected, data controllers are also responsible for providing data subjects with information detailing the purpose of the data collection, the third parties or recipients to which personal data may be transferred, whether providing personal data to any applicable data controller is required, and the consequences of refusing to do so.
- Data quality and retention – Data controllers are responsible for ensuring that all personal data that is collected is accurate, and personal data must be kept for no longer than is needed to fulfill the purpose for which it was collected.
- Use of data – Under the PDPO, personal data can only be used in accordance with the purposes for which it was collected, or for another directly related purpose.
- Data security – Under the PDPO, data controllers are required to take “practicable steps” to safeguard all personal data that is collected from accidental or unauthorized use, access, processing, loss, or erasure. When developing these practicable steps, data controllers must consider a number of factors, such as the physical location in which personal data is stored, as well as the level of harm that could be caused in the event that personal data is improperly accessed or disclosed.
- Privacy policy – Under the PDPO, data controllers are required to provide data subjects with privacy notices detailing the types of personal data they hold concerning said data subjects, the purposes for which such personal data is being held, and the policies and practices that govern this holding of personal data.
- Access to personal data – Under the PDPO, data subjects have the right to access any personal data that a data controller holds concerning them.
What are the rights of data subjects under the PDPO?
Under the PDPO, data subjects within Hong Kong are afforded many of the same rights that are offered to data subjects in other countries with data privacy laws. These rights include the right to be informed, the right to access, the right to rectification, the right to erasure, and the right to object or opt out. However, the PDPO does not provide data subjects within Hong Kong with the right to data portability, or with the right not to be subject to data processing decisions made solely on the basis of automated decision making.
What’s more, unlike many other privacy laws that have been passed in recent years, non-compliance under the PDPO does not in itself constitute a criminal offense. However, the regulatory body of the PDPO, the Office of the Privacy Commissioner for Personal Data, or PCPD for short, has the right to impose monetary and criminal penalties following an investigation into the alleged actions of a data controller. As such, data controllers who are found to have violated the law following an investigation on behalf of the PCPD are subject to a fine of up to HKD 100,000 ($12,376), as well as a term of imprisonment of up to two years.
Moreover, data controllers who use the personal data of data subjects for direct marketing purposes without their consent are also subject to a monetary fine of up to HKD 500,000, as well as a term of imprisonment of up to three years. Furthermore, data controllers who provide the personal data of data subjects to third parties for the purposes of direct marketing are also subject to a monetary fine of up to HKD 1 million, as well as a term of imprisonment of up to five years.
Through the enactment of the PDPO, data subjects residing within Hong Kong are provided with a stringent level of data protection. As Hong Kong does not fall under the same jurisdiction as Chinese legislation, laws such as the PDPO are very much needed to ensure that data subjects within the region do not have their rights infringed upon. To that end, the PDPO sets forth steep penalties and punishments for individuals and data controllers who fail to comply with the various provisions and regulations established by the law.