The PDPO, Comprehensive Data Privacy in Hong Kong

The Personal Data (Privacy) Ordinance (Cap. 486), known as the PDPO for short, is a Hong Kong data privacy law that was originally passed in 1996 and amended in 2012. Although Hong Kong is a special administrative region of China, it retains a separate system of government under the principle of “one country, two systems”, a consequence of Hong Kong’s status as a British territory until 1997. As a result, Hong Kong does not fall under the jurisdiction of China’s Personal Information Security Specification or the Chinese Cybersecurity Law. The PDPO is therefore the main privacy law governing the collection, processing, and disclosure of personal data in Hong Kong.

What is the scope and application of the PDPO?

With regard to personal scope, the PDPO applies to the collection, processing, and holding of personal data by data users, including any information that:

In terms of territorial scope, the law applies to “the collection and processing of personal data irrespective of where in the world the collection or processing occurred provided that the personal data is controlled by a data user in Hong Kong”. In terms of material scope, however, data processors operating within Hong Kong do not automatically fall under the jurisdiction of the PDPO, as the law generally applies to data controllers and data users. More specifically, “A data user, who either alone, jointly, or in common with persons, controls the collection, holding, processing, or use of personal data, will be subject to the requirements under the PDPO”.

What are the obligations of data controllers under the PDPO?

The main obligations and duties of data controllers operating within Hong Kong as set forth by the PDPO are conveyed through the following data protection principles:

What are the rights of data subjects under the PDPO?

Under the PDPO, data subjects within Hong Kong are afforded many of the same rights that data privacy laws in other countries offer their data subjects. These rights include the right to be informed, the right to access, the right to rectification, the right to erasure, and the right to object or opt out. However, the PDPO does not provide data subjects within Hong Kong with the right to data portability, or with the right not to be subject to decisions based solely on automated processing.

What’s more, unlike many other privacy laws passed in recent years, non-compliance with the PDPO does not in itself constitute a criminal offense. However, the PDPO’s regulatory body, the Office of the Privacy Commissioner for Personal Data (PCPD), has the right to impose monetary and criminal penalties following an investigation into the alleged actions of a data controller. Data controllers found to have violated the law following a PCPD investigation are subject to a fine of up to HKD 100,000 ($12,376), as well as a term of imprisonment of up to two years.

Moreover, data controllers who use the personal data of data subjects for direct marketing purposes without their consent are subject to a monetary fine of up to HKD 500,000 ($61,870), as well as a term of imprisonment of up to three years. Furthermore, data controllers who provide the personal data of data subjects to third parties for the purposes of direct marketing are subject to a monetary fine of up to HKD 1 million ($123,757), as well as a term of imprisonment of up to five years.

Through the enactment of the PDPO, data subjects residing within Hong Kong are provided with a stringent level of data protection. As Hong Kong does not fall under the jurisdiction of Chinese legislation, laws such as the PDPO are very much needed to ensure that the rights of data subjects within the region are not infringed upon. To that end, the PDPO sets forth steep penalties for individuals and data controllers who fail to comply with the provisions and regulations established by the law.