Data Protection – Hong Kong


Introduction

In the digital age, data has become one of the most valuable assets for businesses worldwide.  Hong Kong has put in place stringent regulations to ensure the privacy and security of personal data.  For businesses operating in Hong Kong, understanding and complying with these data protection laws is not just a legal obligation but also a critical component of maintaining customer trust and safeguarding their reputation.

Understanding Hong Kong Data Protection

Hong Kong’s data protection framework is primarily governed by the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO), which was enacted in 1996 and has undergone several amendments to address the evolving challenges of the digital era.  The PDPO regulates the collection, use, and handling of personal data in Hong Kong.

The Office of the Privacy Commissioner for Personal Data (PCPD) oversees the enforcement of the PDPO and provides guidance on best practices for data protection.  Some of the recent guidance issued by the PCPD includes:

In addition to the PDPO and guidance issued by the PCPD, regulatory authorities have also published data protection measures that are specific to their sectors, including:

  • The Hong Kong Monetary Authority
  • The Insurance Authority
  • The Office of the Communications Authority
  • The Securities and Futures Commission

The PDPO protects data subjects, being living individuals who are the subject of personal data.  The PDPO applies where data users and data processors are engaged in the collection, use, handling and processing of personal data in or from Hong Kong.

The terms “personal data”, “data user”, and “data processor” are defined in the PDPO. 

  • Personal data means any data –
    • relating directly or indirectly to a living individual;
    • from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and
    • in a form in which access to or processing of the data is practicable.
  • Data means any representation of information (including an expression of opinion) in any document, and includes a personal identifier.
  • Data user means a person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of the data.
  • Data processor means a person who processes personal data on behalf of another person, and does not process the data for any of the person’s own purposes.

Personal data under the PDPO is widely defined and encompasses an expression of opinion.  Further, in Eastweek Publisher Ltd & Another v Privacy Commissioner for Personal Data [2002] 2 HKLRD 83, personal data may also include photographs or video footage of a person.

Data Protection Principles

Section 4 of the PDPO provides that a data user shall not do an act, or engage in a practice, that contravenes a data protection principle unless the act or practice, as the case may be, is required or permitted under the PDPO.

The PDPO sets out six data protection principles containing the data user’s main obligations:

Principle 1 – Purpose and Manner of Collection

Personal data must be collected in a lawful and fair manner for a purpose directly related to the data user’s function or activity. The data collected should not be excessive.

Principle 2 – Accuracy and Retention

Data users must ensure personal data is accurate, up-to-date, and not kept longer than necessary to fulfill the purpose for which it was collected.

Principle 3 – Use of Personal Data

Personal data must only be used for the purpose for which it was originally collected or a directly related purpose, unless voluntary and explicit consent is obtained from the data subject.

Principle 4 – Security of Personal Data

Data users must take appropriate security measures to protect personal data from unauthorized or accidental access, processing, erasure, loss or use.

Principle 5 – Information to be Generally Available

Data users must make available their policies and practices in relation to the types of personal data they hold and how that data is used and safeguarded.

Principle 6 – Access to Personal Data

Data subjects have the right to access their personal data held by a data user, and request correction if the data is inaccurate.

Consequences of Non-compliance

Failure to comply with the PDPO may lead to a variety of civil and criminal sanctions, including fines and imprisonment.  Set out below are some of the sanctions that may be imposed:

  • Failure to comply with an enforcement notice may result in:
    • A fine of up to HK$50,000;
    • Imprisonment for up to two years; and
    • A daily penalty of HK$1,000 for a continued breach.
  • Use of personal data in direct marketing without the data subject’s consent may result in:
    • A fine of up to HK$500,000; and
    • Imprisonment for up to three years.
  • Doxxing offences – in particular, disclosure of personal data without the data subject’s consent, with (a) an intent to cause any specified harm to the data subject or any family member of the data subject; or (b) being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject; and the disclosure caused specified harm to the data subject or any family member of the data subject, may result in:
    • A fine of up to HK$1,000,000; and
    • Imprisonment for up to five years.

Data Protection in Corporate Transactions

Unlike other jurisdictions, the PDPO has no express provision for extraterritorial application – as such, the PDPO does not apply to data users located outside Hong Kong that collect data on data subjects within Hong Kong.  Further, there are no express legislative restrictions on transfers to third countries. 

However, in any M&A context, parties need to take steps to comply with data protection law.  In any M&A transaction, especially one where the target is a data-heavy business, the parties would need to take proper measures from the signing of the non-disclosure agreement.

*** ***

Contact us for information on how we can help you navigate the regulatory landscape, and how our team can help you in handling data issues in M&A transactions.   


Alfred Leung, Partner

(E: alfredleung@hkytl.com T: +852 3468 7202)

  

This article is introductory in nature. Its content is current at the date of publication.  It does not constitute legal advice and should not be relied upon as such. You should always obtain legal advice based on your specific circumstances before taking any action relating to matters covered by this article. Some information may have been obtained from external sources, and we cannot guarantee the accuracy or currency of any such information.