Passed in 1995, Hong Kong’s Personal Data (Privacy) Ordinance (PDPO) is one of Asia’s most established data protection laws.
Created in response to a 1994 Law Reform Commission Report, which suggested that Hong Kong establish an updated privacy law in line with the OECD guidelines, PDPO was introduced to provide Hong Kong with the levels of data privacy required to maintain the region’s prominence as an international trading hub.
Since its establishment, the PDPO has undergone a number of significant modifications in a bid to serve the expanding digital landscape. In 2012, direct marketing provisions were introduced in order to address public concerns regarding online privacy, and in 2021, a series of major amendments were added to combat doxxing practices — the release of an individual’s private data online.
Under the doxxing amendment, anyone who discloses or conspires to disclose another individual’s personal data without that individual’s express consent, whether by negligence or with the specific intent to cause harm, has committed a criminal offense punishable by fines or imprisonment. With these powers giving the Privacy Commissioner the ability to pursue criminal investigations, the PDPO has clamped down heavily on privacy abuse practices.
Data Protection Principles
At the heart of the law lies a set of Data Protection Principles (DPPs), which provide individuals and organizations with a framework outlining how personal data can be collected, handled, disclosed, and used. The Office of the Privacy Commissioner for Personal Data (PCPD) is responsible for enforcing PDPO principles in Hong Kong as well as acting as a compliance guide.
The key definitions applicable to the law are as follows:
Personal Data: This is defined as any data pertinent to a living individual that can be used to identify that individual. This data should exist in a form that allows practical access and processing.
Data Subject: The individual who is the subject of the personal data.
Data User: Any individual or entity who manages the control, collection, holding, processing, or use of personal data, either alone or in collaboration with other persons or entities.
Data Processor: Any individual, organization, or entity that processes personal data on behalf of another data user as opposed to processing data for their own purposes. Although Data Processors are not technically governed by the PDPO, data users are required to guarantee that their data processors conform to PDPO regulations either by contract or some other method.
Consent: Unless the collected personal data is being used for direct marketing or some newly defined process, consent is not required. In the event that it is, consent is defined as the voluntary expression of approval.
The PDPO’s data protection principles grant Data Subjects the right to gain access to and request the amendment of their personal information.
In the event that a Data User refuses to grant the Data Subject individual access to their personal information, valid reasons for the refusal must be given. Further to this, Data Subjects have the right to be informed by Data Users if any personal information about them is being held.
While the PDPO grants Data Subjects no definitive right to erase information, Data Subjects may request that information being held about them is deleted if it’s deemed no longer necessary for processing.
From a Data User’s point of view, the ordinance forbids them from holding onto personal data for longer than is deemed absolutely necessary. As a result, Data Subjects have the right to remove themselves from direct marketing campaigns.
PDPO governance applies to any private or public sector organization that collects, processes, holds, or uses personal data. Although PDPO regulations cover data processing no matter where that processing may be located, the rules only apply to Data Users that are based in Hong Kong.
That said, there are a number of exemptions to PDPO regulations. The rulings may not apply to you if…
- The data processing is in the public or legal interests.
- The data is for domestic or recreational uses.
- The data is for employment purposes.
Although the PDPO does not outline the specific mechanisms by which individuals and organizations should manage their data privacy, it suggests that any entities engaged in data processing introduce systems that result in PDPO compliance. To this end, it recommends the employment of data protection officers and the regular assessment of privacy systems.
The ordinance’s Data Protection Principles encourage Data Users to maintain transparency regarding their data practices, what personal data they hold, and why. They are also duty-bound to take all necessary steps to ensure that the personal data they hold is protected against unauthorized access, processing, loss, or use.
In the event of a data breach, there is no legal requirement under PDPO for Data Users to make this breach public knowledge; however, it is highly recommended that the PCPD and any Data Subjects involved in the breach are informed.
Penalties for Non-Compliance
Although non-compliance with the PDPO is not an offense in itself, the specific provisions set out within the ordinance carry severe fines and prison sentences if they are not met.
Some of the more relevant provisions and penalties are as follows:
- In the event that the Privacy Commissioner issues an enforcement notice, failure to uphold this notice can result in fines of up to HK$50,000 and two years' imprisonment. Any convictions thereafter can result in a fine of HK$100,000 and further imprisonment.
- Data Users that fail to delete unnecessary data can be punished with a fine of up to HK$10,000.
- Data Subjects have the right to pursue compensation from Data Users in the event that the subjects suffer as a result of PDPO non-compliance.
To ensure that your website is collecting data in accordance with PDPO regulations, contact CookieHub. An efficient data solution, CookieHub provides all the tools needed to ensure regional compliance no matter where you may be based.