
Jan 13 2025

In our legal update of 3 October 2023 (link), we reported that the Privacy Commissioner for Personal Data in Hong Kong (“PCPD”) joined the international effort along with eleven other privacy authorities in issuing a joint statement in respect of illegal data scraping practices.  The joint statement was circulated to major social media companies, including Facebook, Instagram, LinkedIn, X and YouTube. We foreshadowed that we could expect more on this topic in future. As Pádraig Walsh, Tara Chan and Vanessa Leung from our Data Privacy practice report, we did not have to wait long.

In October 2024, the PCPD and the other privacy authorities issued a concluding joint statement in respect of data scraping practices (“Concluding Joint Statement”). This followed feedback from social media companies and other industry stakeholders.

Data scraping refers to the extraction of data from the internet through automated processes.  Unlawful data scraping, however, is the extraction of data for unauthorised purposes such as reselling the data, using the data in cyberattacks, identity fraud or unwanted direct marketing and spam messages. 

The Concluding Joint Statement, which is fully endorsed by the PCPD in Hong Kong, sets expectations on how organisations are required to guard against unlawful data scraping.  These include:

1. Organisations must deploy a combination of safeguarding measures against unlawful data scraping, including the use of AI. They are expected to regularly review and update those measures to keep pace with quickly evolving scraping technologies.

2. Engaging third-party service providers to guard against data scraping does not absolve the organisations’ own responsibility to protect personal data.

3. Generally, organisations should limit the amount and sensitivity of information they make publicly accessible so that they can adequately protect such data from unlawful scraping.

4. The level of safeguards ought to be appropriate and commensurate to the sensitivity of the information potentially available for unlawful scraping. 

5. The obligation to protect against unlawful scraping applies to Small and Medium Enterprises (“SMEs”) as it is applicable to large corporations.  SMEs are expected to deploy measures, albeit at lower costs, to guard against scraping.  Measures on a modest budget include bot detection, rate limiting and CAPTCHAs.

6. Organisations engaged in or permitting data scraping must be transparent about the scraping and obtain consent where required by the applicable law.

7. Organisations must ensure that any third parties who are contractually authorised to scrape data do so in compliance with the applicable data protection and privacy laws. For example, contracts with third parties should specify limitations on the information that may be scraped, the purposes for which it may be used, and the consequences of non-compliance.

8. Organisations are expected to implement measures to monitor third-party compliance with data scraping agreements and to enforce compliance when contract terms are not respected. They must not rely solely on the fact that there are formal contract terms imposed.

9. When granting access to data scraping to third parties, organisations must do so in a controlled environment to facilitate monitoring of data access by an application programme interface (API). 

10. When using scraped data to train AI, organisations must comply with applicable data protection, privacy and any AI-specific laws.

Within the space of a year from the initial joint regulator statement on data scraping, there is more direct content in the Concluding Joint Statement focussing on data scraping issues arising from the wider adoption of artificial intelligence (AI) systems. There is a clear expectation that social media companies and other organisations that use scraped data sets or use data from their own platforms to train AI systems (such as large language models) must comply with data protection and privacy laws as well as any AI-specific laws where those exist. Likewise, organisations are expected to follow guidelines and principles published by regulators on the development and implementation of AI models. The PCPD directly referenced its “Guidance on the Ethical Development and Use of AI” and “AI: Model Personal Data Protection Framework” in its press release on the Concluding Joint Statement.

The engagement with social media companies is also worth noting. During the engagement process, social media companies indicated that they had implemented many of the measures that were identified in the initial statement, as well as further measures that could form part of a dynamic multi-layered approach to better protect against unlawful data scraping. The Concluding Joint Statement was sent to the relevant social media companies to provide further guidance.

Data scraping is a complex, broad and evolving issue. The issues involved are broader than personal data and privacy. Nonetheless, it is clear that this issue will stay on the radar of data protection authorities.

The full Concluding Joint Statement can be found at this link, and the media statement of the PCPD is on this link.

Pádraig Walsh, Tara Chan and Vanessa Leung


Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication. This article was last reviewed on 13 January 2025.



Jan 08 2025

1. Legal and enforcement framework

1.1 Which legislative and regulatory provisions govern media in Hong Kong?

For present purposes, we define ‘media’ as encompassing television broadcasting, sound broadcasting, print and film.

Media in Hong Kong is primarily governed by the following legislation:

  • the Communications Authority Ordinance (Cap 616);
  • the Broadcasting Ordinance (Cap 562);
  • the Broadcasting (Miscellaneous Provisions) Ordinance (Cap 391);
  • the Telecommunications Ordinance (Cap 106);
  • the Trade Descriptions Ordinance (Cap 362);
  • the Competition Ordinance (Cap 619);
  • the Registration of Local Newspapers Ordinance (Cap 268);
  • the Books Registration Ordinance (Cap 142);
  • the Film Censorship Ordinance (Cap 392); and
  • the Control of Obscene and Indecent Articles Ordinance (Cap 390).

1.2 Which bodies are responsible for enforcing the applicable laws and regulations in the media sector? What powers do they have?

Television and sound broadcasting: The Communications Authority is the independent regulatory body responsible for enforcing, overseeing and regulating the television and sound broadcasting sectors. Given the interplay between the media and the telecommunications sector, some responses below refer to the telecommunications sector as well.

The Communications Authority shares concurrent jurisdiction with the Customs and Excise Department to enforce the fair trading provisions of the Trade Descriptions Ordinance (Cap 362) in the telecommunications and broadcasting sectors.

The Communications Authority also shares concurrent jurisdiction with the Competition Commission to enforce the Competition Ordinance (Cap 619) for the telecommunications and broadcasting sectors.

The Communications Authority operates through its executive arm, called the Office of the Communications Authority (OFCA).

The Communications Authority’s powers include the power to:

  • grant, renew, regulate and monitor telecommunications and broadcasting licences;
  • manage and administer the radio frequency spectrum and the telecommunications numbers;
  • develop technical standards and conduct equipment testing in line with international best practices; and
  • conduct examinations and issue certificates for the operating personnel of radiocommunications systems.

Separately, the Communications Authority is empowered to:

  • make recommendations to the Chief Executive in Council on applications for licences;
  • grant and renew television programme licences; and
  • conduct examinations and issue certificates for the operating personnel of radiocommunications systems.

Print: The Registrar of Newspapers is the governing body in respect of the Registration of Local Newspapers Ordinance (Cap 268).

The Office for Film, Newspaper and Article Administration (OFNAA) is responsible for registering local newspapers under the Registration of Local Newspapers Ordinance (Cap 268).

The secretary for culture, sports and tourism is the governing body in respect of the Books Registration Ordinance (Cap 142).

Film: The Film Censorship Authority is the governing body in respect of the Film Censorship Ordinance (Cap 392). The Film Censorship Authority’s powers include:

  • considering films submitted and issuing certificates of exemption and approval before exhibition; and
  • assigning censors or advisers to a film.

OFNAA is responsible for enforcing its film classification system. Its powers include:

  • classifying films for public exhibition and publication, and granting exemptions from classification;
  • enforcing the age restriction for audience admission and other provisions under the Film Censorship Ordinance (Cap 392); and
  • gauging public opinions on film classification standards.

All: The Obscene Articles Tribunal is the governing body of the Control of Obscene and Indecent Articles Ordinance (Cap 390). It adjudicates “on the offensiveness of the articles voluntarily submitted to it by publishers and law enforcement agencies, or referred to it by magistracies in the course of proceedings”.

OFNAA is responsible for controlling the publication of obscene and indecent articles by enforcing the Control of Obscene and Indecent Articles Ordinance (Cap 390). Its duties include:

  • regulating the publication and public display of obscene and indecent articles; and
  • taking enforcement and prosecution actions against violations of the Control of Obscene and Indecent Articles Ordinance (Cap 390).

1.3 What is the general approach of those bodies in regulating the media sector?

According to OFCA, the Communications Authority “adopts a light-handed and pro-competition approach” to its regulatory obligations.

OFNAA closely follows the standards of taste and decency accepted by the community and reflects them in its decision making to provide a regulatory framework for film censorship, publication monitoring and local newspaper registration.

1.4 What other industry codes of conduct or best practices are applicable in the media sector?

The Communications Authority may issue codes of practice and guidelines in respect of telecommunications services and television and sound broadcasting services. Key codes of practice and guidelines issued by the Communications Authority in relation to media include guidelines for programme standards, advertising standards and exemptions from service provision requirements.

Film: The Film Censorship Authority has issued the Film Censorship Guidelines for Censors to explain how censors exercise their functions under the Film Censorship Ordinance (Cap 392).

Print: OFNAA provides helpful guidance and elaborations in respect of the Registration of Local Newspapers Ordinance (Cap 268), the film classification system under the Film Censorship Ordinance (Cap 392) and enforcement of the Control of Obscene and Indecent Articles Ordinance (Cap 390) on its website and through published guides.

2. Ownership

2.1 Who is eligible to provide services in the media sector in Hong Kong? Are there any restrictions on foreign ownership? Do any domicile requirements apply? What other requirements or restrictions apply in this regard?

Sound broadcasting: Under the Telecommunications Ordinance (Cap 106), an applicant may apply for a sound broadcasting licence if:

  • it is a registered company in Hong Kong;
  • it is empowered under its articles of association to comply fully with the Telecommunications Ordinance (Cap 106) and the terms and conditions of its licence allow it to apply for a sound broadcasting licence;
  • the frequency in the radio spectrum that the applicant proposes to use is available as at the date of the application; and
  • that frequency is suitable for use in providing the proposed broadcasting service.

Certain restrictions are imposed on ‘unqualified persons’ and ‘disqualified persons’ in terms of holding a sound broadcasting licence.

An ‘unqualified person’ is a person:

  • who is not for the time being ordinarily resident in Hong Kong and who has at any time been resident for a continuous period of not less than seven years; or
  • that is not a company which is ordinarily resident in Hong Kong.

A ‘disqualified person’ can be:

  • a licensee under the Telecommunications Ordinance (Cap 106);
  • a person holding a domestic free television programme service licence or a domestic pay television programme service licence under the Broadcasting Ordinance (Cap 562), or an associate of such; and
  • a person that exercises control of a corporation that is a person referred to above.

‘Unqualified persons’ cannot hold, directly or indirectly, any right, title or interest in more than 49% of the total number of voting shares in the licensee.

‘Disqualified persons’ cannot exercise control of a corporation that is a licensee, except in exceptional circumstances granted by the Governor in Council.

There are also temporary restrictions on any disposal or acquisition of voting shares of a licensee without the prior consent of the Communications Authority.

Television broadcasting: Television broadcasting under the Broadcasting Ordinance (Cap 562) is divided into four types of services:

  • domestic free television programme services (DFT);
  • domestic pay television programme services (DPT);
  • non-domestic television programme services (NDT); and
  • other licensable television programme services (OT).

To apply for a DFT or DPT licence, the company applicant must:

  • be ordinarily resident in Hong Kong;
  • have a majority of its directors actively participate in the direction of the company;
  • have a quorum for every meeting of the directors of the company;
  • ensure that the majority of the directors of the company and the majority of the principal officers of the company are individuals, each of whom is for the time being ordinarily resident in Hong Kong and has been so resident for at least one continuous period of not less than seven years;
  • have no ‘disqualified person’, other than a person whose disqualification is disclosed;
  • be empowered under its articles of association to comply with the Broadcasting Ordinance (Cap 562) and its licence conditions; and
  • be registered under the Companies Ordinance (Cap 622).

A ‘disqualified person’ under the Broadcasting Ordinance (Cap 562) means:

  • a licensee in the same category of licence;
  • a licensee in a different category of licence;
  • a person that exercises control over a licensee mentioned above; or
  • an associate of a person that is a disqualified person as defined above.

A licensee is prohibited from exercising control over a disqualified person unless approval is given by the Chief Executive in Council.

To apply for an NDT or OT licence, the company applicant must:

  • have not less than one director or principal officer of the company who is an individual who is for the time being ordinarily resident in Hong Kong and has been so resident for at least one continuous period of not less than seven years;
  • be empowered under its articles of association to comply with the Broadcasting Ordinance (Cap 562) and its licence conditions; and
  • be a company formed and registered under the Companies Ordinance (Cap 622) or under the former Companies Ordinance.

Print and film: There are no ownership restrictions or requirements for newspapers, books or films in Hong Kong.

3. Authorisations/licences

3.1 What authorisations and/or licences are required to operate in the media sector? Do any exemptions apply? Do these vary depending on the service to be provided?

Sound broadcasting: The basic licensing requirement is that no person can establish or maintain a broadcasting service without a licence. Under the Telecommunications Ordinance (Cap 106), ‘broadcasting’ is defined as transmitting sound (otherwise than as part of a television broadcast) for general reception by means of radio waves.

The Chief Executive in Council is the competent authority with power to issue sound broadcasting licences.

There are no exemptions in respect of obtaining a sound broadcasting licence if a company wishes to provide sound broadcasting services.

Television broadcasting: The basic licensing requirement is that no person can provide a television broadcasting service (domestic free television programme services (DFT), domestic pay television programme services (DPT), non-domestic television programme services (NDT) or other licensable television programme services (OT)) without a licence.

The Broadcasting Ordinance (Cap 562) sets out specific services that are not to be regarded as television programme services. Examples include:

  • any service provided on the Internet; and
  • any programme service exclusively between points specified by the person transmitting the programme service and the person receiving it and which is not made available to any other person.

Print: Under the Registration of Local Newspapers Ordinance (Cap 268) (RLNO), publications containing news, information and commentaries that are published at intervals not exceeding six months must be registered.

The RLNO sets out items which are not to be regarded as newspapers for the purposes of the RLNO, such as:

  • academic journals;
  • commercial circulars;
  • religious materials; and
  • sales catalogues.

The publisher of a new book must, within one month of the book being published, printed, produced or otherwise made in Hong Kong, deliver it to the secretary for registration.

The Books Registration Ordinance (Cap 142) specifies the books whose registration is not required, which include:

  • newspapers that issue their editions not less than four times a week; and
  • any books that are not made available to the public at large.

Film: A person may not exhibit a film publicly in Hong Kong unless exempted or approved by the Film Censorship Authority.

The Film Censorship Ordinance (Cap 392) provides for specific films that may be considered exempt from approval by the Film Censorship Authority. For example, a still film is exempt from approval by the Film Censorship Authority if it complies with specific requirements such as it not being exhibited for a commercial purpose.

3.2 What are the key features of such authorisations/licences?

Sound and television broadcasting: The key features of a sound or television broadcasting licence are:

  • the period of validity;
  • the payment of fees, royalties or other charges;
  • general conditions; and
  • the specific terms and conditions as specified in the licence.

Licence conditions may vary according to the types of television and sound broadcasting service, but the general conditions are:

  • to apply up-to-date technology to perfect the quality of broadcasting and comply with the broadcasting coverage requirements;
  • to handle complaints and conduct training programmes to ensure that staff are familiar with the broadcasting standards;
  • for sound broadcasting, to broadcast commercial free-to-air radio services;
  • to broadcast on radio services or on domestic free television programme services no less than a stipulated minimum amount of comprehensive news bulletins, current affairs programmes, programmes for young persons and senior citizens, arts and culture programmes and so on within a specified period of time;
  • to implement the plans on capital investment and programme development as approved by the Communications Authority; and
  • to keep proper maintenance of their equipment and transmitting stations.

Specific terms and conditions for television broadcasting include:

  • potentially, a requirement to submit a duly issued performance bond in favour of the Hong Kong government;
  • compliance with the licensee’s proposal approved by the Communications Authority;
  • separate accounting practices in accordance with the Broadcasting Ordinance (Cap 562); and
  • a requirement that the licensee and any person exercising control of the licensee be and remain a fit and proper person.

Film: If the Film Censorship Authority approves a film for exhibition and gives it a classification, the authority will issue to the person that submitted the film a certificate of approval endorsed with any condition determined by the Film Censorship Authority.

3.3 What are the procedural and documentary requirements to obtain such authorisations/licences?

Sound and television broadcasting: An applicant must:

  • complete the application form, statutory declaration, consultation form and an acknowledgment form (if required) in English or Chinese; and
  • submit these documents with supporting documents to the Communications Authority, including:
    • company information (eg, documents regarding the structure, shareholders, constitutional documents);
    • financial information;
    • programming information; and
    • technical information.

Print: The newspaper publisher or the printer of every local newspaper must deliver to the Registrar of Newspapers a copy of the newspaper within one day of publication.

The publisher of a new book must deliver, free of charge, five copies of the book to the secretary for culture, sports and tourism for registration, together with all maps, prints or other engravings contained in the book, within one month of the book being published, printed, produced or made in Hong Kong.

The publisher must also forward to the secretary in writing any particulars of the book that the secretary requires to register the relevant book.

Film: A film intended for exhibition must be submitted to the Film Censorship Authority, accompanied by:

  • a statement as to the classification which is sought for the film;
  • a declaration as to whether the film has been classified as obscene or indecent (including material that is violent, depraved or repulsive) under the Control of Obscene and Indecent Articles Ordinance (Cap 390); and
  • such forms, information and particulars as the Film Censorship Authority may determine.

A submission may be made electronically through a portal of the Office for Film, Newspaper and Article Administration.

3.4 What does the authorisation/licensing process involve? How long does it typically take? What costs are incurred?

Sound and television broadcasting: For both sound and television broadcasting licences, OFCA will examine each application to see whether all required information has been provided. If OFCA is satisfied that the applicant meets all the requirements, the Communications Authority will then consult the public on the application by publishing a notice on the Communications Authority’s website, in one English daily newspaper and in one Chinese daily newspaper.

The public may make representations on the application to the Communications Authority by a date specified in the notice, being not less than 21 days after the notice is published. The Communications Authority will consider those representations.

If the Communications Authority is satisfied that the applicant meets all the requirements set out in the legislation and all other factors relevant for the application, it will then make recommendations to the Chief Executive in Council, who will determine whether to grant the broadcasting licence to the applicant. The length of time to process an application varies, but it usually takes a minimum of one year.

If the licence is granted, the Chief Executive in Council will determine the fees or other charges (whether annual or otherwise) specified in the licence.

In respect of applications for NDT licences or OT licences, the Communications Authority will review the applications and determine whether to issue the relevant licence. In general, it takes about four months from the receipt of all required documents and clarifications of the applicant.

The prevailing annual licence fee payable for a DFT licence comprises:

  • a fixed fee of HK$4,701,400; and
  • a variable fee calculated on the basis of the aggregate duration of the television programmes provided by the licensee in the preceding licensing year at the rate of:
    • HK$13,200 per 100 hours for the first 17,000 hours; and
    • HK$1,630 per every 100 hours thereafter.

The prevailing annual licence fee payable for a DPT licence comprises:

  • a fixed fee of HK$1,533,000; and
  • a variable fee calculated by multiplying HK$4 by the number of subscribers (if any) to the service provided under the licence.

The annual licence fee payable for a Type A NDT Licence is HK$56,400. The annual licence fee payable for a Type B NDT licence is:

  • HK$74,000; and
  • a variable fee depending on the number of subscribers.

The annual licence fee payable for a Type A OT licence is:

  • HK$73,500; and
  • a variable fee depending on the number of subscribers.

The annual licence fee payable for a Type B OT licence is:

  • HK$16,800; and
  • a variable fee depending on the number of subscribers.

Film: The Film Censorship Authority will assign, as soon as practicable but in any case no later than seven working days after the film is submitted, a censor and may at the same time assign not less than two advisers.

If a film requires classification, the censor must decide on its classification within:

  • 14 days of the film’s acceptance by the Film Censorship Authority; or
  • any such longer period as the secretary for commerce and economic development may allow.

The fees payable for examination depend on the type of film and item to be examined.

3.5 What are the ongoing rights and obligations of the authorisation/licence holder? How is compliance monitored? What penalties may be imposed for breach?

Sound broadcasting: The ongoing rights of a licence holder are that the licence holder may conduct the activities set out in its licence for the validity period of the licence.

The ongoing obligations for each licence holder vary according to the specific licence in question. Common ongoing obligations include:

  • ensuring that all persons exercising control of the licence holder are fit and proper persons;
  • following conditions imposed under the licence to the satisfaction of the Communications Authority;
  • maintaining the ownership or voting control required under the Telecommunications Ordinance (Cap 106) and by the Communications Authority;
  • ensuring that its articles of association comply fully with the provisions of the Telecommunications Ordinance and the terms and conditions of its licence; and
  • supplying the Communications Authority with information upon request under the Telecommunications Ordinance (Cap 106).

The Communications Authority will monitor holders of sound broadcasting licences to ensure that they are meeting their licence conditions and regulations. The Communications Authority has the power to investigate any suspected contravention of the licence conditions, codes of practice and the Telecommunications Ordinance (Cap 106). The public can also lodge a complaint or report to the Communications Authority in respect of a sound broadcasting licence holder.

Breaches by a sound broadcasting licensee of the terms or conditions of its licence, the Telecommunications Ordinance (Cap 106), an applicable code of practice or any direction issued by the Communications Authority may result in financial penalties and a requirement for the licensee to broadcast an apology or correction.

Television broadcasting: The ongoing rights of a licence holder are that the licence holder may conduct the activities set out in its licence for the validity period of the licence.

The ongoing obligations for each licence holder vary according to the specific licence in question. Common ongoing obligations include:

  • complying with specific and general licence conditions of the licence;
  • complying with requirements under the Broadcasting Ordinance (Cap 562);
  • complying with directions, orders, or determinations under the Broadcasting Ordinance (Cap 562) that apply to the licensee;
  • complying with applicable codes of practice;
  • securing proper standards for its licensed services with regard to television programme content and technical performance; and
  • ensuring that licensed services do not include subliminal messages.

The Communications Authority monitors television broadcasting licence holders in the same way as sound broadcasting licence holders. Breaches also attract similar penalties.

Film: The Film Censorship Authority will monitor compliance with the endorsed conditions imposed on a certificate. If a person contravenes the conditions, then the person may be subject to fines or imprisonment.

3.6 For how long is the authorisation/licence valid? Are variations to the terms possible? How is the authorisation/licence renewed?

Sound broadcasting: A sound broadcasting licence will be valid for such period as is specified in the licence or, where a period is not specified, such period as determined by the Chief Executive in Council by order.

The licence is intended to facilitate long-term business and normally the validity period of a sound broadcasting licence is up to 12 years.

The Chief Executive in Council may vary the terms and conditions of a licence.

A licence will be subject to renewal:

  • within the period of validity on such dates as specified in the licence; or
  • where not specified, on such dates as may be determined by the Chief Executive in Council by order.

The Communications Authority will submit recommendations to the Chief Executive in Council concerning the renewal of a licence. The recommendations must be made within 15 months of the date for renewal. The Chief Executive in Council may then renew the licence or renew a licence by granting a new licence in substitution (Section 13F of the Telecommunications Ordinance (Cap 106)).

Television broadcasting: A television broadcasting licence will be valid for such period as is specified in the licence.

The licence is intended to facilitate long-term business and normally the validity period of a television licence is 12 years.

The Chief Executive in Council (for DPT or DFT licences) or the Communications Authority (for NDT or OT licences) may vary a licence at any time after the licensee has been given reasonable opportunity to make representations under the Broadcasting Ordinance (Cap 562) (Section 10 of the Broadcasting Ordinance (Cap 562)). The Chief Executive in Council or Communications Authority may vary the licence without prior consent of the licensee.

A licensee may apply by application to renew or extend its licence. The application must be made within:

  • 24 months of the expiry date for the licence; or
  • such shorter period as the Communications Authority specifies.

3.7 Can an authorisation/licence be transferred? If so, what is the process for doing so?

Sound broadcasting: A sound broadcasting licence may be assigned with the prior approval of the Chief Executive in Council.

If the licensee wishes to assign its licence, it must first approach the Communications Authority. The Communications Authority will then analyse the assignment application and make recommendations to the Chief Executive in Council.

Television broadcasting: A licence or an interest in a television broadcasting licence may not be transferred in whole or in part.

4. Media

4.1 What rules and requirements apply to public broadcasters in Hong Kong?

For present purposes, we interpret ‘public broadcasters’ as holders of domestic free television programme service (DFT) licences.

In addition to the rules and requirements for DFT licensees (as listed in questions 2.1(c) and 3.4(c)), DFT licensees must:

  • entertain, inform and educate, and ensure that the programming is balanced in content and a comprehensive service which is responsive to the diverse needs and aspirations of the community;
  • broadcast a service in the Chinese language and another in the English language;
  • keep the aggregate time of advertising within 10 minutes per hour between the period from 5:00 pm to 11:00 pm each day; and at other times ensure that the aggregate advertising time does not exceed 18% of the total time the service is provided in that period;
  • broadcast a minimum amount of different types of programmes per week on the Chinese and English service, including:
    • news;
    • current affairs programmes;
    • documentary programmes;
    • arts and culture programmes; and
    • programmes for children, young persons and senior citizens;
  • provide subtitling for all news, current affairs programmes, weather programmes and emergency announcements;
  • ensure that nothing unsuitable for children is shown within family viewing hours (ie, between 4:00 pm and 8:30 pm), and at times when programmes are specifically targeting children or under circumstances such that a large number of children might be expected to be watching television;
  • comply with the supplementary provisions, which include:
    • the minimum broadcasting hours per day;
    • the prohibition on advertisements of a religious or political nature or concerned with industrial disputes; and
    • the annual payment of licence fee and such other fees as may be prescribed;
  • comply with any specified requirements of the Communications Authority to include in its television programme service, without charge, any educational television programme for schools supplied by the Hong Kong government;
  • broadcast, during designated periods, a minimum amount of positive programmes as may be directed by the Communications Authority;
  • provide the service in such a manner as to enable it to be received throughout Hong Kong to the satisfaction of the Communications Authority; and
  • report to the Office of the Communications Authority in the event of any outage of broadcasting services.

4.2 What rules and requirements apply to commercial broadcasters in Hong Kong?

For the purposes of this section, we interpret ‘commercial broadcasters’ as holders of domestic pay television programme service (DPT), non-domestic television programme services (NDT) or other licensable television programme services (OT) licences.

DPT: In addition to the rules and requirements for DFT licensees, DPT licensees must:

  • provide the service in such a manner as to enable it to be received throughout Hong Kong to the satisfaction of the Communications Authority (unless exempted by the Communications Authority);
  • comply with the supplementary provisions, which include the prohibition of any advertisements of a religious or political nature or concerned with industrial disputes; and
  • notify the Communications Authority in advance of all changes to channel line-ups and provide details of any new channels to be included in the service.

NDT: NDT licensees must take all reasonable steps to ensure the acceptability of their services in, and to comply with the laws and programme and advertising standards stipulated by the relevant authorities of, recipient countries and places.

DPT, NDT and OT: These licensees must provide a television programme service locking device to the satisfaction of the Communications Authority (excluding service provided to hotel rooms). A ‘locking device’ controls access to the service and prevents unauthorised access.

4.3 Do any ‘must-carry’ obligations apply in Hong Kong? If so, what are they and how are they funded?

No ‘must-carry’ obligations apply in Hong Kong. However, both DFT and DPT licensees must provide the service in such a manner as to enable it to be received throughout Hong Kong, or any specified parts of Hong Kong required by the DPT licence, to the satisfaction of the Communications Authority.

4.4 Do any local content requirements apply in Hong Kong? Do any restrictions apply to foreign content? What exemptions and/or exceptions are available?

The local content requirements are set out in questions 4.1 and 4.2 above for DFT and DPT licensees.

There are no general restrictions that apply to the content of NDT or OT licensees. The Communications Authority may provide for specific exemptions as stated in the relevant licence.

4.5 What other content requirements and restrictions apply in Hong Kong? Do these vary depending on the distribution channel (eg, traditional broadcast media versus new media)?

There are no content requirements or restrictions other than as stated above in respect of television broadcasting.

4.6 How is advertising regulated in Hong Kong? Does this vary depending on the distribution channel?

There is no general legislation to regulate advertising in Hong Kong. Advertising is regulated depending on the distribution channel.

5. Competition

5.1 What competition-related provisions (e.g., structural or functional separation requirements; significant market power requirements; media plurality rules) apply in the media sector?

The Competition Ordinance (Cap 619) governs the competition-related provisions relevant to sound broadcasting, television broadcasting and print sectors, for which the first conduct rule and the second conduct rule apply. The first conduct rule prohibits anti-competitive agreements, concerted practices and decisions. The second conduct rule prohibits the abuse of market power.

5.2 To what extent can the national competition regulator intervene in the media sector?  What is the interplay between the competition regulator and the various sectoral regulators?

Sound and television broadcasting: Under the Competition Ordinance (Cap 619), the Communications Authority is conferred concurrent jurisdiction with the Competition Commission to enforce the Competition Ordinance (Cap 619) in respect of the conduct of undertakings operating in the telecommunications and broadcasting sectors. Specifically, the Communications Authority may perform the functions of the Competition Commission under the Competition Ordinance (Cap 619) insofar as they relate to:

  • licensees under the Telecommunications Ordinance (Cap 106) or Broadcasting Ordinance (Cap 562); and
  • persons that, although not such licensees, are persons whose activities require them to be licensed under the Telecommunications Ordinance (Cap 106) or Broadcasting Ordinance (Cap 562) (Section 159 of the Competition Ordinance (Cap 619)).

The Communications Authority and the Competition Commission have signed a memorandum of understanding to coordinate the performance of their functions on which they have concurrent jurisdiction. Competition cases will be handled by the two authorities according to the arrangements set out in the memorandum of understanding.

If the matter falls within the scope of concurrent jurisdiction, the initiating authority will inform the other and determine which will be the lead authority. For cases involving the telecommunications and broadcasting sector and falling within the concurrent jurisdiction, the Communications Authority will ordinarily take the role of the lead authority and will assume responsibility for exercising the relevant powers and functions conferred upon it under the Competition Ordinance (Cap 619). The other competent authority will play a supporting role in such a manner as is appropriate or agreed, including by providing staffing support to assist the other side to the extent that resourcing allows.

If, at any point, it is not appropriate for the lead authority to continue considering a matter, the lead authority may refer the matter to the other competent authority.

Print: The Competition Commission enforces the Competition Ordinance (Cap 619) in respect of the conduct of undertakings operating in the print sector.

5.3 How are mergers and acquisitions in the media sector treated from a competition perspective?

From a competition perspective, mergers and acquisitions are not treated any differently in the sound broadcasting, television broadcasting and print sectors from other sectors in the economy.

5.4 What other specific challenges or concerns do the media sector present from a competition perspective?

From a competition perspective, the specific challenges for certain companies that wish to enter the television broadcasting or sound broadcasting industries are the restrictions on foreign ownership and domicile requirements.

6. Data security and cybersecurity

6.1 What data security regimes apply in the media sector?

The main legislative regime with provisions relating to data security is the Personal Data (Privacy) Ordinance (Cap 486) (PDPO).

Telecommunications providers are likely to be considered data users under the PDPO, and are subject to the obligations and requirements set out in the PDPO. A ‘data user’ means a person that, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of personal data.

The PDPO sets out six data protection principles (DPPs):

  • DPP1: Personal data must be collected in a lawful and fair manner, and the data user must give specified information to a data subject when collecting his or her personal data.
  • DPP2: Personal data must be accurate and up to date, and kept for no longer than necessary.
  • DPP3: Personal data should only be used for the purposes for which it was collected or a directly related purpose. Otherwise, the data user must obtain the ‘prescribed consent’ of the data subject.
  • DPP4: The data user must have measures in place to ensure the confidentiality and security of personal data.
  • DPP5: Data users must provide general information about the kinds of personal data they hold and the main purposes for which personal data is used.
  • DPP6: Data subjects must be given a right to access their personal data and a right to correct it.

DPP4 is the most relevant in respect of data security and requires data users to take all practical steps to protect the personal data they hold against unauthorised and accidental access, processing, erasure, loss or use. Data users must have particular regard to:

  • the nature of the data;
  • the potential harm if such events were to happen; and
  • measures to ensure the integrity, prudence and competence of persons with access to the data.

If personal data is entrusted by the data user to a data processor, the data user is liable as the principal for any act done by its authorised data processor. The data user must adopt contractual or other means to prevent:

  • any personal data transferred to the data processor from being kept for longer than necessary for processing the data; and
  • unauthorised or accidental access, processing, erasure, loss or other inappropriate use of the personal data.

6.2 What cybersecurity regimes apply in the media sector?

Hong Kong does not have a single overarching cybersecurity law, though this will change in the coming months when the Protection of Critical Infrastructure (Computer System) Bill comes into law. The communications and broadcasting sectors are designated as essential services under the Bill, and the Communications Authority will be the designated authority to monitor the ongoing obligations of those sectors under the planned statutory requirements.

Currently, offences relating to cybersecurity are contained in various laws.

Telecommunications Ordinance (Cap 106): The Telecommunications Ordinance (Cap 106) criminalises actions involving:

  • damage to telecommunications infrastructure with intent;
  • unauthorised access to computers by telecommunications; and
  • transmission of false or deceptive distress messages.

Crimes Ordinance (Cap 200): The Crimes Ordinance (Cap 200) criminalises access to a computer with criminal or dishonest intent.

PDPO: The PDPO provides for offences for the disclosure of personal data without consent, among other things.

Unsolicited Electronic Messages Ordinance (Cap 593): This criminalises the initiation of transmissions of multiple commercial electronic messages from telecommunications devices that are accessed without authorisation and with the intent to deceive or mislead recipients as to the source of the messages.

Interception of Communications and Surveillance Ordinance (Cap 589): Subject to limited exceptions, it is unlawful for a public officer to carry out intercepting acts relating to communications. ‘Intercepting acts’ involve the inspection of some or all of the contents of the communication, in the course of its transmission by a postal service or by a telecommunications system, by a person other than its sender or intended recipient. One relevant exemption is that the prohibition does not apply to any interception of telecommunications transmitted by radiocommunications (other than the radiocommunications part of a telecommunications network for the provision of a public telecommunications service by any carrier licensee under the Telecommunications Ordinance (Cap 106)).

Enforcement: There is no single authority responsible for enforcing cybersecurity laws in Hong Kong. Rather, the competent enforcement authority will depend on the nature of the offence in question.

The Hong Kong Police Force is the enforcement authority for crime in Hong Kong. The Cybersecurity and Technology Crime Bureau is responsible for:

  • handling cybersecurity issues;
  • carrying out technology crime investigations and computer forensic examinations; and
  • preventing technology crime.

The PCPD is the competent authority for regulation of personal data matters, and will conduct investigations and issue enforcement notices.

The commissioner on interception of communications and surveillance is responsible for overseeing compliance by law enforcement agencies and their officers with the relevant requirements under the ICSO.

Policy: At a policy level, information security and cybersecurity fall under the remit of the Office of the Government Chief Information Officer (OGCIO). Its work involves the following:

  • The Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) is the centralised contact on computer and network security incident reporting and response for local businesses and internet users in case of security incidents.
  • The Cybersec Infohub is a partnership programme to promote closer collaboration among local information security stakeholders in different sectors to share cybersecurity information and jointly defend against cyberattacks. It is not intended for cybersecurity incident reporting, which is the role of HKCERT.
  • The OGCIO has established an information security website portal to facilitate the public’s access to various information security-related resources and updates.

6.3 What other specific challenges or concerns do the media sector present from a data security/cybersecurity perspective?

Operators in the media sector must consider requests from enforcement authorities to obtain access to communications, and this can be an area of concern or challenge.

In general, the Hong Kong police do not have the authority to conduct indiscriminate surveillance or search or seizure of data without prior authorisation.

Search and seizure with warrant: A warrant overrides any right to refuse disclosure on the basis of the PDPO and any contractual confidentiality obligations owed to third parties. However, there is no obligation to provide or disclose information or material that is subject to legal professional privilege.

Persons that fail to cooperate with enforcement authorities without a reasonable excuse commit an offence and may be criminally liable and arrested for obstructing the police in the execution of their lawful duties. Also, a number of offences are committed for failing to comply with court orders to provide access to information or prejudicing investigations.

Search and seizure without warrant: Warrants must generally be granted by the judiciary before police officers can carry out search and seizures at a specific site. However, in certain situations, a senior police officer may also authorise officers to carry out a search without a warrant or perform covert surveillance operations in circumstances where it is not reasonably practicable to obtain authorisation.

Covert interception of communication: The Hong Kong police may intercept communications or conduct covert surveillance upon obtaining authorisation from:

  • a designated authorising officer, for less intrusive covert surveillance operations; or
  • a panel judge, for more intrusive covert surveillance operations.

The purpose of the operation must be confined to the prevention or detection of serious crimes or the protection of public security. In addition, the tests of proportionality and necessity must be met, including the requirement that the purpose of the operation cannot reasonably be fulfilled by other less intrusive means. Any application for authorisation must state a specific serious crime or threat to public security.

The National Security Law provides similar legislative power for the Hong Kong police to carry out covert interception of communication or surveillance. The application procedure and the criteria required are largely identical to those of the ICSO, except:

  • an application under the National Security Law must relate to an offence of endangering national security; and
  • applications made under the National Security Law are generally made to the chief executive or the commissioner of police in emergency situations (rather than a panel judge).

Disclosure of personal data: Exemptions are specified in the PDPO in which data users can disregard certain provisions. Data users may disclose personal data to law enforcement agencies, such as the Hong Kong police, if the use of personal data by the law enforcement agencies is for:

  • the prevention or detection of crime; or
  • the apprehension, prosecution or detention of offenders.

However, simply because a law enforcement agency requests personal data does not mean that data users can provide the data requested without complying with DPP3 (which relates to the use of personal data for a new purpose).

Data users must consider whether non-provision of the data would be so serious as to be likely to prejudice the purposes for which it is collected. The view taken by the PCPD is that it is prudent for data users to make enquiries with the law enforcement agency on:

  • the purpose for which the personal data is collected;
  • the reasons why the personal data concerned is relevant; and
  • the reasons why the data subject’s consent should not be obtained by the enforcement agency.

7. Trends and predictions

What are the legislative trends and developments in Hong Kong for the broadcasting and media sector?

Digital television broadcasting: The Hong Kong government has promoted the use of innovative technologies to provide a conducive environment for the development of the broadcasting industry.

For example, Hong Kong implemented full digital television broadcasting on 1 December 2020. To tie in with the implementation of full digital television broadcasting, the government launched the Community Care Fund Digital Television Assistance Programme from 14 January 2020 to 15 July 2021 to help needy analogue television households to purchase digital television sets or set-top boxes, so that they could continue to watch free television after the implementation of full digital television broadcasting.

National Security: The National Security Law and Safeguarding National Security Ordinance govern national security protection in Hong Kong. Media outlets continue to take care to manage the risk of possible non-compliance with these laws.

Cybersecurity: The Protection of Critical Infrastructure (Computer System) Bill will likely be considered and passed by the Legislative Council within 2024. The Commissioner’s Office proposed under the legislation will be established within the Security Bureau within one year from passing of the legislation, and the legislation will come into force six months after.

8. Tips and traps

What are your top tips for new entrants seeking to operate in the broadcasting and media sector in Hong Kong?

The foreign ownership restrictions and domicile requirements to obtain a domestic free television programme services, domestic pay television programme services or sound broadcasting licence are a potential obstacle, although not necessarily unusual in broadcasting. That said, there is no cap on the number of television broadcasting licences that can be granted, subject to physical and technological constraints.

The Hong Kong government has also adopted an ‘open sky’ policy. Through satellite master antenna television (SMATV) and television receive-only systems, Hong Kong viewers can receive satellite TV channels that are intended for general reception as uplinked from Hong Kong and elsewhere.

According to the Commerce and Economic Development Bureau of Hong Kong, more than 600 such free-to-air satellite channels are now available for reception in Hong Kong. Over 770,000 premises in multi-storey buildings have access to satellite television channels through their SMATV systems.

Pádraig Walsh and Tara Chan

If you want to know more about the content of this article, please contact:

Pádraig Walsh

Partner | Email

Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication. This article was last updated on 08 January 2025.


Jan 06 2025

Litigation involving Decentralised Autonomous Organizations (DAOs) continues to be a rare occurrence, as legal frameworks surrounding cryptocurrency and blockchain technologies continue to evolve. The case of Mantra Dao Inc. and Another v. John Patrick Mullin and Others [2024] HKCFI 2099 presents a unique scenario, shedding light on how the Courts may approach legal issues relating to the ownership of and governance within a decentralised finance platform. Pádraig Walsh and Oliver Lam from our Fintech practice explain more.

The Plaintiffs’ claims

The dispute centres on the Mantra DAO project. The First and Second Plaintiffs claim they originally conceived and developed the Mantra DAO project, and believe that the project should ultimately be controlled and managed by them. They entrusted daily management to the Defendants, who were employees of the Second Plaintiff.

The Plaintiffs claim that the Defendants began treating the project as their own, and ultimately misappropriated the project and its business and assets from the Plaintiffs. The Plaintiffs further alleged that the Defendants made various “unaccounted-for” withdrawals from a cryptocurrency account belonging to the First Plaintiff.

The Defendants’ responses

In their defence, the Defendants argued that the project was not owned by any single entity, but instead operated under a governance model where decision-making power resided with OM token holders, and not with single individuals or entities.

The first Plaintiff and a Seychelles foundation were formed for the project, but were not intended to hold assets of the project as beneficial owners. Rather, the Defendants claim that the role of both the first Plaintiff and the Seychelles foundation was to hold those assets for the benefit of OM token holders.

The Seychelles foundation was governed by members of a council. The Defendants claim that the councillors were granted authority under the White Paper for the project to act on behalf of the project and OM token holders, including by votes of OM token holders under governance rights granted to them. The 1st to 4th Defendants were elected by OM token holders as Councillors; representatives of the 2nd Plaintiffs did not seek re-election. The Councillors had the authority to deal with assets of the project, including the withdrawals in dispute, and those withdrawals were for legitimate business purposes.

Court’s Findings

This reported decision was in respect of the Plaintiffs’ interim application for a disclosure order to inspect the project’s financial records held by the Defendants dating back to January 2021. The Plaintiffs had previously lost an application for more wide-ranging interim injunctions and disclosures. The application was narrowed to seek the disclosure of books and records. The Court did not hear witness evidence, and the full range of issues between the parties was not under consideration. Instead, the Court needed to decide if there were serious issues to be tried in respect of the claims, and if so, whether the balance of convenience favoured granting the more limited disclosure order requested by the Plaintiffs.

The Court ultimately granted the disclosure order requested by the Plaintiffs. Lok J. acknowledged that damages would not be an adequate remedy if the application was refused. As the Plaintiffs’ claim was for ownership, management and control of the project, the Plaintiffs needed visibility on the project’s financial operations in order to quantify loss or make claims in respect of the Defendants’ actions.

Interestingly, Lok J. commented that the managers of the project should be under some kind of duty to keep proper accounts, and granting the order would promote the healthy operations of the business. He rejected that this would impose an undue burden on the Defendants, as it was a duty the Councillors owed in any event to OM token holders.

Key Takeaways

This is a judgement at an interim stage in legal proceedings. The judgement does not give any indication of the likely outcome at trial of the claims by the parties.

Nonetheless, the case draws the veil back on typical structures used for DAOs, and the complexities surrounding their governance, and ownership of and rights to DAO assets. If this dispute does proceed to trial, it will be interesting to have the legal arrangements in respect of Mantra DAO analysed, argued and decided upon.

Lok J. reserved any consideration of the legal effects of the Governance Agreement, White Paper, Management Agreement and Employment Agreements until those matters are fully investigated at trial. These are still the kind of documents that DAO projects use to document their operations. Those seeking best practice guidance will benefit from a Court’s consideration, interpretation and ruling on those documents.

A full trial and judgement may also address some running issues in the DAO community. What is the scope of duty of councillors of a foundation entrusted to govern DAO operations? How is the source of their authority derived or granted? To what extent can preliminary documents, such as White Papers, grant authority in respect of a contemplated governance structure? What is the personal liability of councillors for breach of duty? Who actually owns DAO assets?

The legal frameworks for DAOs continue to develop. Given the value of assets involved, the situation is ripe for more litigation in the future. This will ultimately lead to best (or better) practice guidance for the DAO community. In the meantime, the concrete takeaway from the interim ruling in this case is that councillors of DAO foundations should be mindful of the expectation of Hong Kong courts that they must maintain proper accounting records – even in respect of decentralised projects.

Pádraig Walsh and Oliver Lam

If you want to know more about the content of this article, please contact:

Pádraig Walsh

Partner | [email protected]

Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication. This article was last reviewed on 06 January 2025.


Jan 02 2025

There is never a dull moment in data privacy and protection. The global landscape is becoming increasingly complex with overlapping regulation and lack of international convergence. Although Hong Kong does not have these issues yet, 2024 witnessed some significant developments, setting the stage for an eventful 2025. In this article, Pádraig Walsh from our Data Privacy team highlights three key developments in 2024 and previews three potential highlights for the year ahead.

2024 in review

PCPD publishes “Artificial intelligence: Model personal data protection framework”

Governments and regulators around the world have been grappling with the ethical, legal and societal issues arising from the increasing development and deployment of generative artificial intelligence (AI) systems. The EU has adopted the EU AI Act, a general law that positions AI as a category of product regulation. The law applies to artificial intelligence systems and general-purpose AI models in all sectors and domains, subject to certain exceptions. Outside of the EU, most jurisdictions are presently avoiding general laws, and are regulating or providing guidance on AI in the context in which it is used. This is mostly through existing legal frameworks, but sometimes also supplemented by specific regulations. Hong Kong has pursued this context-based approach to regulation of AI, and the Office of the Privacy Commissioner for Personal Data (PCPD) has taken the lead.

On 11 June 2024, the PCPD released its comprehensive Model Personal Data Protection Framework [link], providing recommendations and best practices for the governance of AI and protection of personal data privacy for organisations that procure, implement and use AI systems. Those recommendations include four key measures, being:

1. Establish AI strategy and governance;

2. Conduct risk assessment and human oversight;

3. Implement continuous management of AI systems; and

4. Communicate and engage with stakeholders.

The AI Model Personal Data Protection Framework is a key document for business in Hong Kong to review, consider and implement. It will become a touchstone for the PCPD in future guidelines, policies and enforcement action.

PCPD findings on the operation of the Worldcoin project in Hong Kong

The PCPD was very active in investigating and reporting on data breaches among government and public institutions in 2024. However, perhaps the most engaging report was the PCPD investigation into the operation of the Worldcoin project in Hong Kong [link]. It was the moment when the fast and loose world of cryptocurrency met the will and might of global privacy regulators – including in Hong Kong.

Participants of the Worldcoin project needed to allow the relevant organisation to collect their face and iris images through iris scanning to verify their humanness and generate iris codes. The participants then obtained a registered identity or digital passport, after which the participants would be able to receive Worldcoin tokens at regular intervals for free. 8,032 persons showed up at six premises across Hong Kong and scanned their irises and faces.

The PCPD was not amused. Some of the contraventions included:

The PCPD served an enforcement notice on Worldcoin Foundation, directing it to cease all operations of the Worldcoin project in Hong Kong in scanning and collecting iris and face images of members of the public using iris scanning devices.

PCPD compliance check on use of AI

We also liked the compliance check report published by the PCPD in February 2024 [link] on the use of AI by 28 organisations from various sectors, including telecommunications, finance and insurance, beauty services, retail, transportation and education sectors, and government departments. The findings included:

No contravention of the Personal Data (Privacy) Ordinance (PDPO) was identified during the compliance check process.

It would be an interesting trend assessment if this compliance check became an annual exercise.

2025 in prospect

Protection of Critical Infrastructure (Computer Systems) Bill

If privacy lawyers in Hong Kong focused a lot on AI governance in 2024, the new cybersecurity law will be a key focus for 2025. The Government published the Protection of Critical Infrastructures (Computer Systems) Bill in the Gazette on 6 December 2024, and introduced it into the Legislative Council for First Reading and Second Reading on 11 December 2024 [link]. Once the Bill is passed, the government intends to set up a new Commissioner’s Office with professionals from the Digital Policy Office and the Police within a year for the implementation of the proposed legislation, with new regulations coming into effect six months after that.

The Security Bureau has stated that the proposed legislation will only require operators of critical infrastructure to bear the responsibility for securing their critical computer systems, and does not target personal data nor commercial secrets contained within those systems [link]. Nonetheless, the governance framework that critical infrastructure operators must adopt, and the incident reporting and response obligations, are areas of expertise for privacy practitioners.

Key highlights of the proposed legislation include:

Some issues continue to attract attention and debate, including the extent of certain enforcement powers and extra-territorial considerations. Nonetheless, this new legislation in the Hong Kong firmament has been generally welcomed, and organisations are busying themselves to be fully prepared once the legislation takes effect.

GBA Cross-Boundary Data Flow

Future economic development in Hong Kong will be even more closely linked to its economic integration with the rest of China. Various initiatives across a number of spheres of activity have been launched to facilitate greater ease of movement of goods, people … and data.

Hong Kong is a different legal jurisdiction to Mainland China. The laws of Hong Kong and Mainland China on the transfer of personal data from the respective jurisdictions are very different. The requirements for the transfer of personal information from Mainland China to other locations are more strict and procedural than is the corresponding case in Hong Kong. So, facilitating data flow in the Guangdong-Hong Kong-Macao Greater Bay Area (GBA) is an important initiative for the development of the economy in Hong Kong and the GBA generally.

Starting from 1 November 2024, the Standard Contract for Cross-Boundary Flow of Personal Information (“GBA Standard Contract”) has been extended to cover all companies registered or located in nine GBA cities or Hong Kong SAR. This move streamlines the safe and convenient transfer of personal data within the GBA. Additionally, restrictions on the maximum amount of personal data which can be transferred have been lifted, and the filing process has been shortened. The number of data protection due diligence areas has been reduced from six categories to three.

This is a significant advance and addresses some concerns raised by businesses during the previous trial period of the initiative. 2025 could be the year that adoption of the GBA Standard Contract becomes more widespread.

Piecemeal PDPO updates

It’s the hope that kills you. On 20 January 2020, the Constitutional and Mainland Affairs Bureau, in collaboration with the PCPD, reported on recommended changes to the PDPO. Proposed changes included a mandatory data breach notification requirement, new data retention obligations, and the power for the PCPD to issue administrative fines for non-compliance. In February 2024, the Privacy Commissioner reported at the Legislative Council on Constitutional Affairs that the PCPD was working alongside the Government to review the PDPO to strengthen data protection in Hong Kong. All was on track, albeit a rather longer track than expected.

However, at a Legislative Council meeting on 21 October 2024 [link], the Secretary for Constitutional and Mainland Affairs stated that these reforms are presently on hold. There are concerns about the potential financial strain on small businesses in the current economic climate. Instead, a piecemeal approach may be used to roll out amendments. The hope is that this might mitigate the impact of legislative changes on local enterprises.

It is unclear whether and when the government will resume its efforts to amend the PDPO. We are optimists. We will still include this in our list of things to look forward to in 2025.

Conclusion

Hong Kong may not be the most active jurisdiction in legislative reform. However, Hong Kong has an active privacy regulator that provides significant guidance across many key data privacy issues, and also conducts a broad range of compliance checks, investigations and enforcement actions. We have much to keep track of and to look forward to in the coming 12 months.

Pádraig Walsh and Vanessa Leung

If you want to know more about the content of this article, please contact:

Pádraig Walsh

Partner

Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication. This article was last reviewed on 02 January 2025.


Nov 14 2024


Oct 02 2024

1. Legal and enforcement framework

1.1 Which legislative and regulatory provisions govern social media in Hong Kong?

The most relevant legislative and regulatory provisions in respect of social media are the following:

  • the Personal Data (Privacy) Ordinance (Cap 486) (PDPO);
  • the Unsolicited Electronic Messages Ordinance (Cap 593) (UEMO); and
  • the Law of the People’s Republic of China on Safeguarding National Security in the Hong Kong Special Administrative Region (“National Security Law”).

1.2 Which bodies are responsible for enforcing the applicable laws and regulations in the social media sector? What powers do they have?

Office of the Privacy Commissioner for Personal Data (PCPD): The PCPD has the power to:

  • monitor and supervise compliance with the provisions of the PDPO;
  • promote and assist bodies representing data users to facilitate lawful and responsible use of personal data; and
  • carry out inspections, including inspections of any personal data systems used by data users which are departments of the Hong Kong government or statutory corporations.

The Office for Safeguarding National Security of the Central People’s Government in the Hong Kong Special Administrative Region (‘CPG Office on National Security’): The CPG Office on National Security is the state security agency. Established in July 2020, it is responsible for overseeing, guiding, coordinating with and providing support to the Hong Kong government to safeguard national security in accordance with the National Security Law.

National Security Department of the Hong Kong Police Force: Subject to the approval of the secretary for security, the commissioner of police may authorise a designated officer to exercise powers to disable or remove electronic messages if the commissioner has reasonable grounds to suspect that:

  • a person has published an electronic message on an electronic platform; and
  • the publication is likely to constitute an offence endangering national security or is likely to cause the occurrence of an offence endangering national security.

Communications Authority: The Communications Authority is the body responsible for enforcing the UEMO in respect of unsolicited electronic messages. Under the UEMO, the Communications Authority’s powers include the power to:

  • approve codes of practice;
  • establish do-not-call registers;
  • impose financial penalties; and
  • issue enforcement notices.

1.3 What is the general approach of those bodies in regulating the social media sector?

PCPD: The PCPD maintains the efficacy of the regulatory regime on personal data privacy, taking into account global standards for the protection of personal data privacy.

CPG Office on National Security: The CPG Office on National Security’s general approach is reflected in Article 1 of the National Security Law and is, among other things, to safeguard national security.

Communications Authority: According to the Office of the Communications Authority (OFCA), the Communications Authority “adopts a light-handed and pro-competition approach” to its regulatory obligations.

1.4 What other industry codes of conduct or best practices are applicable in the social media sector?

PCPD: The PCPD may issue codes of practice, guidelines and guidance notes in respect of the PDPO and other relevant data privacy regulations in Hong Kong. Non-compliance with a code of practice can be used as proof of contravention of relevant requirements under the PDPO.

Communications Authority: The Communications Authority has issued codes of practice and guidelines for the purpose of providing practical guidance in respect of the application or operation of any provision of the UEMO.

2. Ownership

Who is eligible to provide services in the social media sector in Hong Kong? Are there any restrictions on foreign ownership? Do any domicile requirements apply? What other requirements or restrictions apply in this regard?

The provision of social media in Hong Kong is fully liberalised. There are no restrictions or requirements on foreign ownership for providing social media services in Hong Kong.

3. Authorisations/licences

What authorisations and/or licences are required to operate in the social media sector? Do any exemptions apply? Do these vary depending on the service to be provided?

No authorisations or licences are required for social media service providers to operate in Hong Kong.

4. Competition

4.1 What competition-related provisions (e.g., structural or functional separation requirements; significant market power requirements; media plurality rules) apply in the social media sector?

The Competition Ordinance (Cap 619) governs the competition-related provisions relevant to sound broadcasting, television broadcasting and print sectors, for which the first conduct rule and the second conduct rule apply. The first conduct rule prohibits anti-competitive agreements, concerted practices and decisions. The second conduct rule prohibits the abuse of market power.

4.2 To what extent can the national competition regulator intervene in the social media sector? What is the interplay between the competition regulator and the various sectoral regulators?

The Competition Commission enforces the Competition Ordinance (Cap 619) in respect of the conduct of undertakings operating in the social media sector. There is no specific social media sector regulator.

4.3 How are mergers and acquisitions in the social media sector treated from a competition perspective?

From a competition perspective, mergers and acquisitions are not treated differently in the social media sector from other sectors in the economy.

5. Data security and cybersecurity

5.1 What data security regimes apply in the social media sector?

The main legislative regime with provisions relating to data security is the Personal Data (Privacy) Ordinance (Cap 486) (PDPO).

Telecommunications providers are likely to be considered data users under the PDPO, and are subject to the obligations and requirements set out in the PDPO. A ‘data user’ means a person that, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of personal data.

The PDPO sets out six data protection principles (DPPs):

  • DPP1: Personal data must be collected in a lawful and fair manner, and the data user must give specified information to a data subject when collecting his or her personal data.
  • DPP2: Personal data must be accurate and up to date, and kept for no longer than necessary.
  • DPP3: Personal data should only be used for the purposes for which it was collected or a directly related purpose. Otherwise, the data user must obtain the ‘prescribed consent’ of the data subject.
  • DPP4: The data user must have measures in place to ensure the confidentiality and security of personal data.
  • DPP5: Data users must provide general information about the kinds of personal data they hold and the main purposes for which personal data is used.
  • DPP6: Data subjects must be given a right to access their personal data and a right to correct it.

DPP4 is the most relevant in respect of data security and requires data users to take all practical steps to protect the personal data they hold against unauthorised and accidental access, processing, erasure, loss or use. Data users must have particular regard to:

  • the nature of the data;
  • the potential harm if such events were to happen; and
  • measures to ensure the integrity, prudence and competence of persons with access to the data.

If personal data is entrusted by the data user to a data processor, the data user is liable as the principal for any act done by its authorised data processor. The data user must adopt contractual or other means to prevent:

  • any personal data transferred to the data processor from being kept for longer than necessary for processing the data; and
  • unauthorised or accidental access, processing, erasure, loss or other inappropriate use of the personal data.

The PCPD has published a guidance note for mobile service operators in respect of personal data concerns. The guidance covers recommended best practices in:

  • handling mobile phone service applications;
  • audio-recording customer conversations;
  • maintaining customer service accounts;
  • disclosing customer account data;
  • protecting service account data; and
  • engaging third-party agents and dealers.

Also, telecommunications operators that are licensees are prohibited from disclosing information about a customer other than with the consent of the customer in accordance with a prescribed form designated by the Communications Authority, except:

  • for the prevention or detection of crime;
  • for the apprehension or prosecution of offenders; or
  • as may be authorised by or under any law.

5.2 What cybersecurity regimes apply in the social media sector?

Hong Kong does not have a single overarching cybersecurity law, though this will change in the coming months with the coming into law of the Protection of Critical Infrastructure (Computer System) Bill. The communications and broadcasting sectors are designated as essential services under the Bill, and the Communications Authority will be the designated authority to monitor ongoing obligations of those sectors with the planned statutory requirements.

Currently, offences relating to cybersecurity are contained in various laws.

Telecommunications Ordinance (Cap 106): The Telecommunications Ordinance (Cap 106) criminalises actions involving:

  • damage to telecommunications infrastructure with intent;
  • unauthorised access to computers by telecommunications; and
  • transmission of false or deceptive distress messages.

Crimes Ordinance (Cap 200): The Crimes Ordinance (Cap 200) criminalises access to a computer with criminal or dishonest intent.

PDPO: The PDPO provides for offences for the disclosure of personal data without consent, among other things.

Unsolicited Electronic Messages Ordinance (Cap 593): This criminalises the initiation of transmissions of multiple commercial electronic messages from telecommunications devices that are accessed without authorisation and with the intent to deceive or mislead recipients as to the source of the messages.

Interception of Communications and Surveillance Ordinance (Cap 589): Subject to limited exceptions, it is unlawful for a public officer to carry out intercepting acts relating to communications. ‘Intercepting acts’ involve the inspection of some or all of the contents of the communication, in the course of its transmission by a postal service or by a telecommunications system, by a person other than its sender or intended recipient. One relevant exemption is that the prohibition does not apply to any interception of telecommunications transmitted by radiocommunications (other than the radiocommunications part of a telecommunications network for the provision of a public telecommunications service by any carrier licensee under the Telecommunications Ordinance (Cap 106)).

Enforcement: There is no single authority responsible for enforcing cybersecurity laws in Hong Kong. Rather, the competent enforcement authority will depend on the nature of the offence in question.

The Hong Kong Police Force is the enforcement authority for crime in Hong Kong. The Cybersecurity and Technology Crime Bureau is responsible for:

  • handling cybersecurity issues;
  • carrying out technology crime investigations and computer forensic examinations; and
  • preventing technology crime.

The PCPD is the competent authority for regulation of personal data matters, and will conduct investigations and issue enforcement notices.

The commissioner on interception of communications and surveillance is responsible for overseeing compliance by law enforcement agencies and their officers with the relevant requirements under the Interception of Communications and Surveillance Ordinance (Cap 589) (ICSO).

Policy: At a policy level, information security and cybersecurity fall under the remit of the Office of the Government Chief Information Officer (OGCIO). Its work involves the following:

  • The Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) is the centralised contact on computer and network security incident reporting and response for local businesses and internet users in case of security incidents.
  • The Cybersec Infohub is a partnership programme to promote closer collaboration among local information security stakeholders in different sectors to share cybersecurity information and jointly defend against cyberattacks. It is not intended for cybersecurity incident reporting, which is the role of HKCERT.
  • The OGCIO has established an information security website portal to facilitate the public’s access to various information security-related resources and updates.

5.3 What other specific challenges or concerns do the social media sector present from a data security/cybersecurity perspective?

Operators in the social media sector must consider requests from enforcement authorities to obtain access to communications, and this can be an area of concern or challenge.

In general, the Hong Kong police do not have the authority to conduct indiscriminate surveillance or search or seizure of data without prior authorisation.

Search and seizure with warrant: A warrant overrides any right to refuse disclosure on the basis of the PDPO and any contractual confidentiality obligations owed to third parties. However, there is no obligation to provide or disclose information or material that is subject to legal professional privilege.

Persons that fail to cooperate with enforcement authorities without a reasonable excuse commit an offence and may be criminally liable and arrested for obstructing the police in the execution of their lawful duties. Also, a number of offences are committed for failing to comply with court orders to provide access to information or prejudicing investigations.

Search and seizure without warrant: Warrants must generally be granted by the judiciary before police officers can carry out search and seizures at a specific site. However, in certain situations, a senior police officer may also authorise officers to carry out a search without a warrant or perform covert surveillance operations in circumstances where it is not reasonably practicable to obtain authorisation.

Covert interception of communication: The Hong Kong police may intercept communications or conduct covert surveillance upon obtaining authorisation from:

  • a designated authorising officer, for less intrusive covert surveillance operations; or
  • a panel judge, for more intrusive covert surveillance operations.

The purpose of the operation must be confined to the prevention or detection of serious crimes or the protection of public security. In addition, the tests of proportionality and necessity must be met, including the requirement that the purpose of the operation cannot reasonably be fulfilled by other less intrusive means. Any application for authorisation must state a specific serious crime or threat to public security.

The National Security Law provides similar legislative power for the Hong Kong police to carry out covert interception of communication or surveillance. The application procedure and the criteria required are largely identical to those of the ICSO, except:

  • an application under the National Security Law must relate to an offence of endangering national security; and
  • applications made under the National Security Law are generally made to the chief executive or the commissioner of police in emergency situations (rather than a panel judge).

Disclosure of personal data: Exemptions are specified in the PDPO in which data users can disregard certain provisions. Data users may disclose personal data to law enforcement agencies, such as the Hong Kong police, if the use of personal data by the law enforcement agencies is for:

  • the prevention or detection of crime; or
  • the apprehension, prosecution or detention of offenders.

However, simply because a law enforcement agency requests personal data does not mean that data users can provide the data requested without complying with DPP3 (which relates to the use of personal data for a new purpose).

Data users must consider whether non-provision of the data would be so serious as to be likely to prejudice the purposes for which it is collected. The view taken by the PCPD is that it is prudent for data users to make enquiries with the law enforcement agency on:

  • the purpose for which the personal data is collected;
  • the reasons why the personal data concerned is relevant; and
  • the reasons why the data subject’s consent should not be obtained by the enforcement agency.

6. Trends and predictions

What are the legislative trends and developments in Hong Kong for the social media sector?

Doxxing offences: New laws criminalising doxxing came into force on 8 October 2021. When doxxing occurs on or via social media platforms, service providers and companies may receive a cessation notice from the Office of the Privacy Commissioner for Personal Data (PCPD) requesting them to remove the doxxing message(s). Given that contravention of a cessation notice constitutes a criminal offence under the Personal Data (Privacy) Ordinance (Cap 486), it is critical for social media service providers to put in place internal policies to assess and respond to enforcement requests.

As of the end of December 2022, the PCPD had:

  • written more than 400 times to request the operators of a total of 18 websites, online social media platforms and discussion forums to remove more than 7,400 web links involving doxxing; and
  • issued 1,500 cessation notices to 26 online platforms, requesting them to remove over 17,700 web links involving doxxing.

Consultation on cybercrime reform: On 20 July 2022, the Cybercrime Sub-committee of the Hong Kong Law Reform Commission published a consultation paper with its recommendations to introduce five new cybercrimes into law in Hong Kong. The proposed new cybercrime offences are:

  • illegally accessing a computer program or data;
  • illegally intercepting computer data;
  • illegally interfering with computer data;
  • illegally interfering with a computer system; and
  • making available or possessing a device or data for committing a crime.

Copyright (Amendment) Ordinance 2022: The Copyright (Amendment) Ordinance 2022 came into operation on 1 May 2023, with the aim of strengthening copyright protection in the digital environment in Hong Kong.

The main aims of the Copyright Amendment Ordinance are to:

  • create an exclusive technology-neutral communication right for copyright owners to communicate their works to the public through any mode of electronic transmission;
  • introduce criminal sanctions against individuals who make unauthorised communication of copyright works to the public for profit or to prejudice copyright owners;
  • expand the scope of new copyright exceptions to allow for the use of copyright works in certain common internet activities;
  • introduce safe harbour provisions to limit online service providers’ liability; and
  • introduce two additional statutory factors for courts to consider when determining whether to award additional damages to copyright owners for copyright infringements.

Specifically, the Copyright Amendment Ordinance includes provisions that are intended to limit the liability of online service providers, provided that they can demonstrate that they took reasonable steps to limit or stop the copyright infringement as soon as practicable after receiving a notice of alleged infringement.

Copyright amendment proposal for AI technology: Under the existing Copyright Ordinance in Hong Kong, works generated by generative artificial intelligence are likely protected by copyright. Legislative proposals are presently being considered to provide more certainty and to allow for an exception for reasonable use of copyright works in analysis and processing for AI model training.

Combating false information: The Hong Kong government is considering implementing legislative reforms to tackle the issue of false information. In November 2021, the Hong Kong Home Affairs Bureau (HAB) commissioned a consultant to study legislation enacted in overseas jurisdictions for regulating disinformation and propose effective recommendations for legislative reform. The HAB has not yet published the research conclusions. In May 2022, the secretary for security reported to the Legislative Council of Hong Kong that the HAB is still undergoing its process with the commissioned consultancy. These legislative changes, once proposed and implemented, will subject online service providers, including social media platforms, to tighter compliance standards to regulate disinformation.

National Security: The National Security Law and Safeguarding National Security Ordinance govern national security protection in Hong Kong. Social media operators continue to take care to manage the risk of possible non-compliance with these laws.

Cybersecurity: The Protection of Critical Infrastructure (Computer System) Bill will likely be considered and passed by the Legislative Council within 2024. The Commissioner’s Office proposed under the legislation will be established within the Security Bureau within one year from passing of the legislation, and the legislation will come into force six months after.

7. Tips and traps

What are your top tips for new entrants seeking to operate in the social media sector in Hong Kong?

The social media industry in Hong Kong remains relatively liberalised, with no foreign ownership restrictions. Nevertheless, the risk environment for businesses in social media is changing in Hong Kong. Social media operators are advised to take early steps to:

  • understand the provisions of national security laws and the Personal Data (Privacy) Ordinance (Cap 486) (especially in relation to anti-doxxing measures);
  • assess the relevant impacts on their businesses; and
  • adopt policies accordingly.

They should also seek professional advice as necessary to strike an appropriate balance between cooperation with enforcement authorities and protection of user privacy.

Pádraig Walsh and Tara Chan

If you want to know more about the content of this article, please contact:

Pádraig Walsh

Partner

Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication. This article was last updated on 02 October 2024.


May 08 2024

Decentralised Autonomous Organisations (DAOs) are an emerging method for organising community-based activities using blockchain technology. In the final article in this series exploring legal issues related to DAOs in Hong Kong, Pádraig Walsh from the Digital Services and Fintech practice of Tanner De Witt looks to the future and considers best practices for DAO governance going forward.

Education

DAO developers typically come from a technology background, and frequently do not have a good understanding of legal and regulatory requirements. It is a common fallacy of tech developers to believe that if innovation makes a course of action possible, then so it shall be done. This is not the case, however, in respect of DAO activities that give rise to legal risks or breach mandatory laws such as securities laws.

Education driven by the financial services sector has achieved a degree of success in respect of certain aspects of daily life. For instance, it is rarely challenged now when personal identification information is requested for know your customer (KYC) reasons in many walks of life. It is simply considered a fact of life. It would be a success if the myth could be dispelled in DeFi circles that decentralisation and smart contracts mean regulation does not apply.

When founders establish and incorporate a business in the real world, there is a basic understanding that incorporation is a significant event with legal consequences. A DAO is not just an IT project. It is also a significant event with legal consequences. DAO founders and developers should understand those legal consequences, and address risks in the design and implementation of their work.

Adoption of DAO constitutions

Efforts should continue to outline best practices for DAOs and to promote initiatives that provide greater clarity to DAO participation, and how governance and decision processes should be conducted. Very few DAOs presently prepare a constitution that outlines this. The attempt to consider, craft and then code governance processes is a better approach than not actively considering this at all.

A DAO constitution is a core foundational document that sets out the purpose and guiding principles of the DAO. It will address topics such as membership and participation, transparency, governance and decision-making, technical features of on-chain operations and smart contracts deployed, and dispute resolution. It is the DNA of the DAO.

Industry experts can provide guidance on aligning DAO constitutions to best practice standards and achieve a degree of convergence among the models that are presently being used. This could be done either through voluntary contributions, or by specific advice to specific projects. This is an area in which lawyers, in particular, can play a helpful and supporting role.

Adoption of legal wrappers

The use of legal wrappers for DAOs has gained traction. However, the available choices are frequently confusing, and generally are not designed to align with the requirements for DAOs.

There are signs of progress. The Coalition of Automated Legal Applications (COALA) published a DAO Model Law with a number of interesting features. This initiative was a specific attempt to design a model law that takes account of the technical features of DAOs, and to address questions that merit treatment arising from those technical features. The Model Law includes specific provisions that deal with contentious forks, modifications, upgrades and migrations on the legal personality of a DAO (as well as its claims and assets), and the limited liability of its members. On the subject of member liability, the Model Law proposes that members may be liable for failure events arising from gross negligence or acting in bad faith, but that liability will not attach to those not involved in the relevant decisions or conduct.

The COALA DAO Model Law is not a perfect solution to all legal issues DAOs raise. It is, however, a genuine industry attempt to outline a set of legal principles that provide clarity to the legal status, responsibility and liability of participants in DAOs. This is a better outcome than organising a DAO without any recognised legal structure, and leaving the possibility open that the DAO may be construed as a partnership. It is also a better outcome than using obscure or ill-suited existing structures as legal wrappers for DAOs.

Disclosure of basic personal information

Privacy is a laudable principle. It is not, however, an absolute human right. The right to privacy has always been balanced by other competing rights according to public policy and community standards. It is not tenable to have DAOs engaging in unlawful practices, and using anonymity and pseudonymity as shields from following the same laws and regulations that apply to others. It is reasonable to require that some basic personal information is gathered in respect of DAO participants who exercise a degree of influence or control over DAO operations. This could be imposed as a requirement for adoption of DAO legal wrappers. It is a legitimate trade-off to achieve limitation of liability arising from using a legal wrapper.

Clarity in regulation

The laws and regulation in Hong Kong in respect of virtual assets are prescriptive but clear. This is the benchmark that other jurisdictions are moving to. Clarity in regulatory expectation and requirements is especially beneficial when the market includes a significant number who do not have a traditional finance background with the compliance culture that traditional finance inculcates.

Effective enforcement

Enforcement against DAOs is inherently challenging. Enforcement assessment should have a degree of pragmatism. Egregiously bad actors should be pursued vigorously, particularly where there is evidence of significant investor loss (and particularly retail investor loss). Technological advances are making it possible to identify the genuine identity of persons acting pseudonymously on-chain. It may not be as worthy of time, effort and resources to pursue participants in ill-conceived DAO projects where there is no fraudulent intent or significant investor loss.

Promote innovation

Law and regulation are often perceived as dragging and holding back innovation. It need not be so. Innovation is not an end in itself. Rather, innovation must serve a purpose that improves the world we live in. Law and regulation serve the same purpose – improving or maintaining the quality of the world we live in.

Government, policy makers and regulators can help to provide an environment in which legal and regulatory assessment is factored into the incubation and development of innovative projects. It may be possible to bring projects into a regulatory sandbox, or to collaborate in incubation centres in universities or government bodies. The goal then becomes not just innovation, but the right innovation.

Promote real world integration

DAOs still have the ring of remoteness. The possibilities inherent in galvanising communities in projects at a grassroots level are still largely unexplored. This is an area that traditional companies should actively explore. Likewise, it would be beneficial to promote more examples of the positive impact DAOs have had on communities, particularly in the sphere of sustainability and social causes.

Conclusion

We are at the start of the journey in respect of DAOs. There are good reasons to believe that projects will organise themselves as DAOs more frequently in future. The community ethos at the heart of blockchain aligns to how many people organise activities in physical life. Building best practice playbooks is a critical step in DAO development. This will help to minimise risks inherent in DAO operations, and bring the potential benefits of this innovative form of organisation and endeavour to fruition.

Pádraig Walsh


Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication. This article was last updated on 08 May 2024.


May 03 2024

Decentralised Autonomous Organisations (DAOs) are an emerging method for organising community based activities using blockchain technology. In the fourth of a series of articles exploring legal issues related to DAOs in Hong Kong, Pádraig Walsh and Shirley Kong from the Digital Services and Fintech practice of Tanner De Witt explore enforcement issues that arise in respect of enforcing against DAOs.

Pseudonymity and anonymity

The pseudonymity and anonymity of participants in DAOs arise in a number of dimensions:

Unknown counterparties: It may be possible for anyone to become a DAO participant, and there may be no steps taken to verify identity before participation. This has obvious concerns in respect of anti-money laundering (AML).

Control: It may be difficult to identify who controls or influences a DAO, and how decentralised a DAO actually is. Conduct which has the appearance of being dispersed may, in fact, be a single actor or a small number of actors acting through multiple aliases.

Governance: It may be difficult to identify persons who are responsible persons, or who can be attributed responsibility, in respect of regulated activities. Even if a DAO is engaged in activities relating to securities, it can still be challenging to identify who is conducting those activities, and who is responsible.

Attributing responsibility

The activities or conduct of DAOs or persons may be advocated in the language of decentralisation, and some activities may be governed by smart contracts. Also, the unusual patterns of information flow may make it challenging to establish basic facts. Nonetheless, regulators must engage in a fact-finding exercise, given that the substance of the arrangements will dictate the regulatory analysis and possible enforcement actions.

The regulator will assess factors such as:

(a) the roles of natural persons in the DAO’s activities and arrangements;

(b) the ability of natural persons to control or influence arrangements;

(c) the ability of persons who are not active in the DAO’s operations to nonetheless exercise control or influence (for example, investors);

(d) the economics of the DAO arrangements, and how incentives operate to benefit persons involved in the DAO arrangements; and

(e) how the regulator can exercise jurisdiction over those persons.

The analysis may result in considering or attributing regulatory responsibility to persons such as:

(a) founders and developers of a DAO project;

(b) issuers of governance or voting tokens; and

(c) participants in a DAO project who engage in various activities, including those who:

(i) vote governance tokens;

(ii) hold administrative rights to smart contracts;

(iii) assume responsibility for maintaining or updating a project;

(iv) hold advantageous access to information;

(v) actively facilitate increased participation in DAO services;

(vi) hold control or influence over custody of assets or funds;

(vii) hold the ability and responsibility to reverse transactions; or

(viii) receive significant rewards or profits from DAO operations.

The regulatory responsibility of persons will be assessed under applicable laws in a similar manner to any other scenario. For instance, a person that has received DAO tokens in an air drop and has not participated in voting activities, can expect to be treated differently to a founder that has reserved significant control and influence over and profits from DAO activities.

Identifying defendants

Ultimately, enforcement will be complicated by the pseudonymous or anonymous nature of DAO participation. DAO members do not typically sign up with real names and personal information. This position may change if legal wrappers are adopted on a widespread basis. The laws in respect of most DAO legal wrappers require certain persons to register with their genuine name and credentials.

Ooki DAO case example: The Commodity Futures Trading Commission (CFTC) filed a federal civil enforcement action in the US District Court, charging Ooki DAO with violating multiple laws and illegally operating an unregistered business to allow retail participants to engage in margin trading. The Court allowed the suit because the defendant DAO fell within the meaning of an “unincorporated association” under California state law and therefore could be treated as a legal entity. An unincorporated association means a group of two or more persons joined by mutual consent for a common lawful purpose, whether organised for profit or not, where such persons function under a common name under circumstances where fairness requires the group be recognised as a legal entity. The CFTC’s settlement order and complaint define the Ooki DAO unincorporated association as comprising those who vote on proposals with their Ooki tokens.

bZx DAO case example: In the bZx DAO case, platform users brought a claim in negligence for losses stemming from hacking. The Court held that the negligence claim could be asserted not only against the defendant DAO itself, but also against persons holding their tokens. The token holders were alleged to be members of a general partnership. The main reason for this was the token holders exercised governance rights in the DAO, and could share in the DAO’s profits. As members of a general partnership, the individual token holders would face vicarious joint and several liability exposure for the alleged torts of the DAO, including damages for “purely economic losses” as a “special relationship” between the plaintiffs and the defendants (DAO members) was found.

Proper service

Once a litigant or regulator decides to claim or enforce against a DAO, it will need to serve a writ or similar legal process on the defendants to notify them of the action against them. It will be difficult to identify the defendants. DAO participants use pseudonyms. Service must typically be done by certain prescribed methods, such as personal service, or delivery at the last known address.

Ooki DAO case example: In the Ooki DAO case, the CFTC requested service through the “Help Chat Box” and an online discussion forum on Ooki DAO’s website. The reason provided by the CFTC was that they could not identify a person at Ooki DAO to accept service of its complaint, and so argued that this was the only viable method. The Court ultimately allowed service via the chat box and the online discussion board. After the CFTC posted the complaint in the Help Chat Box and online discussion forum, the Court agreed that Ooki DAO had “received both actual notice and the best notice practicable under the circumstances”. In the end, no one appeared in the Court on behalf of Ooki DAO, and the Court entered a default judgment for a sum and ordered the takedown of the website and related operations.

Overlapping jurisdiction

Issues may arise between overlapping jurisdictions of regulators both in Hong Kong and internationally. For instance, stable coins will soon come under the regulatory remit of the Hong Kong Monetary Authority (HKMA). However, some stable coins may also fulfil the characteristics of securities, and be under the concurrent regulatory jurisdiction of the SFC. There will be a need for co-ordination of activities to avoid duplication of effort and resources.

This issue is more problematic elsewhere, particularly in the US. The Commodity Futures Trading Commission (CFTC) has regulatory authority over digital assets classified as commodities. Federal securities laws provide the SEC with regulatory authority over digital assets which are classified as securities. Lessons can be drawn from examples there.

Mango DAO case example: In January 2023, there were three different lawsuits filed against Avraham Eisenberg, a crypto trader, for fraudulently manipulating the price of Mango DAO’s MNGO token to unlawfully obtain over $110 million in digital assets. The DOJ was the first to file an action against Eisenberg, relying on its broad wire fraud authority (but not federal securities laws) as the basis for its charges for commodities fraud and commodities manipulation. Next, the CFTC brought charges against Eisenberg for trading on a decentralized digital asset platform. This was the CFTC’s first ever enforcement action. The SEC then brought charges based on the view that MNGO, “a so-called governance token,” is a security. This case demonstrates the competing realms of enforcement and regulatory scope of different authorities in the US.

Conclusion

The particular features of DAOs make enforcement of claims against DAOs especially challenging. On the one hand, the pool of potentially liable persons could be quite significant. On the other, identifying, serving and enforcing against those persons will be made significantly more difficult by the pseudonymous and anonymous nature by which persons participate in DAOs. The challenges of enforcement will be a key consideration in the commercial assessment of bringing civil claims such as breach of contract or negligence.

Notwithstanding the challenges, regulatory action and enforcement are likely to be very active for the foreseeable future. Most regulators are established either as independent statutory bodies with public functions, or as government bodies. Securities regulators, for instance, have a clear function and mission to protect the investing public and to maintain the integrity of the markets they regulate. To the extent that DAOs engage in activities that breach law or regulation, DAOs can expect that enforcement will occur and regulators will persist and persevere in the performance of their public duties.

Pádraig Walsh 

 


Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication. This article was last updated on 03 May 2024.


Apr 24 2024

Decentralised Autonomous Organisations (DAOs) are an emerging method for organising community based activities using blockchain technology. In the third of a series of articles exploring legal issues related to DAOs in Hong Kong, Pádraig Walsh and Shirley Kong from the Digital Services and Fintech practice of Tanner De Witt explain how securities law can apply to DAOs and DAO participants.

Key principles

If the substance of an arrangement involves activities that require authorisation or licensed persons, then regulators will pay attention regardless of the form of the arrangements in question. Consequently, DAOs will trigger securities law if the activities of the DAO, or products and services offered by or via the DAO, are considered to be securities under applicable laws.

Regulated activities: A DAO and DAO members could breach applicable securities and financial services laws, if they conduct activities which require a licence or registration without fulfilling those obligations. Relevant regulated activities in Hong Kong that often come into question are regulated activities in respect of securities and futures, payments and stored value facilities.

In the Ooki DAO case in the US, the DAO was effectively operating a virtual asset exchange platform. This operation required a licence which the DAO did not obtain. It was ordered by the Commodity Futures Trading Commission (CFTC) to pay fines and shut down its website, and became subject to trading and registration bans. A similar outcome could be expected if the same situation arose in Hong Kong.

Authorisation and disclosure obligations: A DAO may be subject to authorisation or disclosure obligations in respect of products or services the DAO offers. This is particularly the case if the offer is in relation to a financial or investment product that is considered a security. Most legislative regimes will require offering documents in respect of securities to contain prescribed information and disclosures, and for those offering documents to be authorised by a competent regulator. Failure to do so may result in substantial fines and enforcement actions.

For example, a person cannot issue a document that contains an invitation to the public in Hong Kong to enter into or offer to enter into an agreement to acquire securities, unless the document has been authorised by the Securities and Futures Commission (SFC). It does not matter where the person issuing the document is located in respect of the commission of the offence (though it would influence enforcement).

Taking an example from the US, Wyoming is the first state in the US to pass a law recognising DAOs as a separate legal entity. The Securities and Exchange Commission (SEC) effectively shut down Wyoming’s first authorised DAO, American CryptoFed DAO, for failure to comply with the disclosure requirements and for making materially misleading statements. Again, a similar outcome could be expected if the same situation arose in Hong Kong.

Decentralised finance

There is a high degree of innovation involved in a number of decentralised finance (DeFi) protocols. Nonetheless, DeFi arrangements still carry many of the same characteristics of traditional financial products and services. DeFi arrangements require people to launch, promote, operate and service them, and this is often performed by a small number of persons with significant influence over the arrangements. These people and DeFi arrangements will still be subject to applicable laws.

Analysing common DeFi arrangements, if the underlying financial product is a security, then:

Issuers of securities could include DEXs offering their own products, crypto-lenders who offer interests in lending pools, and developers or founders of DeFi protocols who directly sell crypto-assets.

Market intermediaries could include DEXs who facilitate products of others, broker/dealer activity in relation to crypto-lending products and other DeFi products, and aggregators who facilitate users to source and use the most favourable market terms.

Collective investment schemes could include liquidity pools and lending pools.

Exchanges could include aggregators and DEXs that facilitate exchange and trading of crypto-assets.

Clearing and settlement could also be conducted by aggregators and DEXs, as indeed could Layer 1 blockchain protocols.

If the relevant arrangement has implications under securities law, then the regulator must approach the arrangement by applying and enforcing the applicable legislative and regulatory framework.

Hong Kong securities law

Securities: In general, securities can be divided into:

(a) equity securities;

(b) debt securities;

(c) interests in collective investment schemes (“CIS”);

(d) rights that convert into or are closely linked to any of the above; and

(e) in certain circumstances, structured products.

There are also certain exclusions from the definition of securities.

Equity securities: The characteristics of equity securities include:

(a) the right to receive dividends or share in the profits of the underlying business;

(b) the right to participate in the distribution of the surplus assets of the underlying business upon winding up; or

(c) the right to vote in respect of matters relating to the underlying business.

Debt securities: The characteristics of debt securities include a right to repay investors the principal of their investment on a fixed date or upon redemption, with interest paid to investors.

Structured products: A structured product includes an instrument for which the return is determined by reference to:

(a) the value of any type or combination of types of securities, commodity, index or property; or

(b) the occurrence or non-occurrence of any specified event or events.

If an instrument is a CIS, then it would not also be regulated as a structured product.

Collective investment schemes

In the context of DAOs, perhaps the most impactful category of securities is that of collective investment schemes. This will be particularly relevant if the DAO is involved in any investment activity.

The characteristics of a CIS include management of proceeds received by the scheme operator to invest in projects with an aim to enable participants to participate in a share of the returns provided by the project. However, the true scope of the definition of a collective scheme is broader, and is worth deeper explanation.

A CIS has four elements:

(a) it must involve an arrangement in respect of property;

(b) participants do not have day-to-day control over the management of the property even if they have the right to be consulted or to give directions about the management of the property;

(c) the property is managed as a whole by or on behalf of the person operating the arrangements, or the contributions of the participants and the profits or income from which payments are made to them are pooled; and

(d) the purpose or effect of the arrangement is to enable participants to participate in or receive profits, income or other returns arising from, or represented to arise from, the acquisition, holding, management or disposal of the property (or any part of the property), or any rights or benefits of the property (or any part of it).

A CIS can be any arrangement. It is not limited to any specific form. Usually, an arrangement is a contractual or non-contractual arrangement in respect of an investment proposition. So, for instance, a DAO could be part of an arrangement.

A CIS must relate to property. Property is not limited to cash or fiat currency. It can include intangible personal property, and property with no intrinsic value, but which is representative of value. Digital tokens are intangible personal property.

One of the hallmarks of a CIS is that participating persons in the scheme do not have day-to-day control over management of the arrangement. In theory, DAO participants should be actively engaged in community decisions and governance. However, it is not enough that participants are consulted, or that they can give directions. In order for an arrangement to fall outside the scope of a CIS, all participants must, as a matter of fact and substance, manage the arrangements on a day-to-day basis. Decisions must be initiated, decided and implemented by them, not a third party.

In colloquial terms, the target is to identify who is or will be “minding the shop” on a day-to-day basis. It may be that the persons involved on a day-to-day basis report to higher authorities, or act on behalf of those higher authorities. However, it is the former, not the latter, who have day-to-day control. On the other hand, if the participants have day-to-day control, then the arrangement is not a CIS. This is a question of fact and substance. The terms of a contract are not definitive.

According to the FAQs on “Offers of Investments” under the Securities and Futures Ordinance (Cap. 571) (SFO) issued by the SFC, “day-to-day control” means routine, ordinary, everyday management or operational decisions. The phrase does not just mean the responsibility to decide what is to happen to the property. Each participant must have day-to-day control of his property. The SFC has not set out specific examples of the decisions in question.

If the participants do not have day-to-day management control, then this qualifying condition for a CIS is fulfilled. It is not necessary to identify the person that has day-to-day management control. It is sufficient simply to show that participants do not have day-to-day management control.

A DAO may be conceived as being decentralised, but it is not without human actors. Some human actors will achieve a level of influence that is significant and becomes a key element of success or failure. The founders and first promoters of a project will often be core service providers to the ecosystem. If the service providers have the discretion to propose, make and implement decisions, then that can amount to a form of centralised authority. Decentralisation will also mean that participants (that is, users) do not have control over the property as a whole.

The marginal input of participants, the performance of administrative tasks, or the right to provide input, do not constitute management. For instance, holders of tokens may perform minor tasks to promote participation in the ecosystem. These activities do not constitute management activities.

Management can also be distinguished from governance. Governance is primarily policy-making and supervision. Management is active decision-making in respect of the managed property, and requires the exercise of control to perform the management function.

The key is to look at the substance of the arrangements. If in substance each investor is investing in property whose management is under his control, the arrangements will not be a CIS. If in substance each investor is getting rights in a scheme that provides that someone else will manage the property, then the arrangements will be a CIS.

Decentralisation

Once an arrangement has implications under securities law, one of the first steps of a regulator is to identify the persons who could be responsible for or subject to regulatory obligations in respect of the arrangement. If an arrangement is genuinely decentralised, then it may seem that nobody is responsible or subject to regulatory obligations.

Decentralisation is a governance and systems concept. Decentralisation is based on a set of governance rules and processes designed to obtain and implement community decisions, without a central authority.

Key features of decentralisation should include:

Automation: There should be a high proportion of activities that are automated and conducted by smart contract, without human intervention.

Voting: Any significant or material change or need in the conduct of activities should be decided upon by a voting mechanism that fairly involves and represents the DAO community. Voting, in practice, must have a reasonable level of participation.

Decisions: Allocation of tokens, or other mechanisms that influence decision-making power, should avoid unfair weighting or other features that lead to a concentration of influence. Veto or gatekeeping rights should be minimised.

Communications: Communications should be conducted in a manner to minimise or eliminate information asymmetry or arbitrage. All significant or material communications or discussions should be conducted simultaneously and openly by all in the DAO community.

On-chain: As much activity as practicable should be conducted on-chain.

Decentralisation is not a clearly defined condition. Each of these factors is a matter of degree. A DAO may have some degree of each of these factors, and not be genuinely decentralised. Also, some additional elements may further vitiate decentralisation. For instance, can the operations of a DAO be considered decentralised if a substantial number of tokens are delegated to the same person, or are locked up for staking?

Decentralisation should be present both as a matter of design and practice. At a design level, governance rules may make decentralisation difficult to achieve, if the design of the rules results in concentration of influence and authority. There has not been significant convergence in governance characteristics for DAOs. At a practice level, lack of community participation may result in decisions being taken by a small number of persons. After all, many DAO participants are content to be users, and may not have the expertise, interest or resources to participate in community decisions.

Decentralisation is a condition that is achieved over time and in stages. It is not a box-ticking exercise that is swiftly accomplished. In the recent collapse of JPEX, the unlicensed trading platform, JPEX stated in one peremptory public statement that it was now a DAO, and investors could exchange their investments into JPC Tokens. JPEX claimed that it would repurchase JPC tokens in two years’ time, repaying the investors the entirety of their capital. The JPEX DAO was unlikely to be decentralised in substance. Decentralisation is not a light switch that can be turned on instantly.

Ultimately, many DAO activities are the result of the activities of the persons who create, offer and maintain them. Natural persons are still needed to bring forward proposals for improvement, curate and moderate proposals for change, implement technical changes, and hold and use administrative keys. This may result in a degree of centralisation in respect of the DAO arrangements as a whole. Some DAOs are quite decentralised with a strong emphasis on decision making by token holders who vote on community proposals. Other DAOs are still quite centralised, with decisions being taken and operations conducted by a small number of persons or a central body.

These difficulties are highlighted in the SEC’s July 2017 report on The DAO. The DAO was a decentralised venture capital firm, which sold US$150m DAO Tokens to the public. The investment objective was to invest in digital-asset projects with the aim of distributing returns to the token holders. The token holders could either keep their tokens so they can realise their investment gains later, or convert their tokens into other digital assets on third party platforms. Each token granted its holder a vote in DAO governance matters such as selecting investment projects and distribution proposals. The DAO promoters selected a group of managers called “curators”, who performed security functions and managed governance for the organisation. The SEC concluded that the DAO’s investors relied heavily on the managerial efforts of the promoters and curators to manage The DAO. The DAO token holders did not determine which proposals would make it to a vote nor have sufficient information about a proposal. In effect, The DAO was not decentralised.

It remains the case though that when a DAO becomes progressively decentralised, the DAO is less likely to be considered as a “CIS”. As a network becomes truly decentralised, the ability to identify an issuer or promoter to make the requisite disclosures becomes difficult, and less meaningful.

Conclusion

A regulator is agnostic to the form in which an activity is conducted or a financial product or service is provided. In Hong Kong, if DAO tokens are “securities” within the meaning of the SFO, then the offering and sale of these security tokens require compliance with requirements for authorisation under Hong Kong securities law, and any person who markets and distributes the security tokens to Hong Kong investors would also need to be appropriately licensed to do so. The choice of persons to organise as a DAO does not mean those persons do not have regulatory obligations.

Pádraig Walsh

If you want to know more about the content of this article, please contact:

Pádraig Walsh

Partner | [email protected]

Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication. This article was last updated on 24 April 2024.


Apr 17 2024

Decentralised Autonomous Organisations (DAOs) are an emerging method for organising community based activities using blockchain technology. In the first of our series of articles (available here), we looked at the legal nature of a DAO and some legal issues that can arise. In this article, Pádraig Walsh and Shirley Kong from the Digital Services and Fintech practice of Tanner De Witt explain the use of legal structures as a means of mitigating some of those legal risks.

Legal wrappers

A legal wrapper is a term used to describe the conduct of all or some of the activities of a DAO through an incorporated or registered legal entity. A legal entity is “wrapped” around the designated activities of the DAO. In most cases, liability incurred by the legal entity will be separate from the individual DAO participants engaged in DAO activities, and the legal entity (not the DAO participants) will be responsible and liable for legal consequences arising from those activities.

The primary need to use legal wrappers for DAOs arises because in the absence of a legal wrapper, DAOs are unincorporated organisations. This gives rise to a risk that DAO members may face personal liability for activities of the DAO. As a secondary benefit, a DAO can conduct activities with the real world through a legal entity. This can enable the DAO to open bank accounts, enter contracts and deal formally with third parties.

The use of legal wrappers is contentious within DAO communities. There are three general points of contention:

Localisation: DAOs are intended to be global communities. Legal wrappers are necessarily linked to a specific jurisdiction.

Centralisation: The use of the legal wrapper will inevitably result in some degree of centralisation, as DAO activities are conducted through the legal entity.

Loss of privacy: The formation of legal wrappers will involve disclosure of identification details of the founder / promoters of the legal wrapper vehicle. Many participants in DAOs are privacy advocates, and may be reluctant to disclose their identity for the purpose of incorporation or formation of a legal wrapper entity.

These are points to consider when founders are considering the rules that will apply to a DAO. There may be limited or manageable contractual or cyber risk if a DAO is formed for social purposes only. Social DAOs may also have less need or less friction when interacting in real-world environments. In these circumstances, the operation of the DAO may not benefit materially from adopting and operating through a legal wrapper entity. It may be sufficient for the DAO to adopt clear rules in its constitution and smart contracts.

The position is different if the DAO is more complex, receives capital or contributions, or operates a treasury. Then, the need for a legal wrapper is greater. Founders or promoters of the DAO should take legal advice and give serious consideration to conducting some or all DAO activities through the medium of a legal entity.

There are limits to the legal protection that a legal wrapper can provide. Forming a legal entity to engage in unlawful, criminal or fraudulent acts will not protect the individuals involved from criminal enforcement. Also, securities regulation and other similar mandatory laws will frequently look through a legal entity and impose liability on relevant individuals. So, if a DAO is engaged in activities that require authorisation or a licence from a securities regulator, then the individuals engaged in the unauthorised and unlicensed activities (and not just the legal entity) will be responsible and liable.

Characteristics of legal entity wrappers

The assessment of the use of legal entities by DAOs will involve a search for legal entities with characteristics that align with the characteristics of the DAO. This usually involves assessing a number of features:

Flexibility: The legal entity should allow its constitution to have a high degree of flexibility and customisable features. For instance, the articles of association of a conventional private company limited by shares will have a number of features that are too rigid for DAO operation.

No ownership: A DAO is intended to operate on the basis of egalitarian community principles. This includes a principle that the community as a whole (rather than specific persons or participants) owns the DAO. This is sometimes reflected in a legal structure for which there are no owners or shareholders.

Separation: The legal entity will be directly linked to a specific jurisdiction, and will have a degree of centralisation. The DAO founders may wish to minimise these consequences by separating governance of the legal entity from DAO governance or participation, but without sacrificing appropriate governance of the legal entity’s operation.

These particular requirements have led to the use of a variety of legal entities in various jurisdictions, and to the introduction of new legal entities that have customised features suitable for adoption by DAOs.

LLCs

LLC stands for limited liability company, and is a type of legal entity that is common in the US. An LLC will have limited liability protection for its members, and owners are typically not liable for the debts and liabilities of the LLC. An LLC can be member-managed, or the members can appoint a board of directors. The operating agreement for an LLC is highly customisable.

Some states in the US have adopted state legislation that has features designed to enable DAOs to form as an LLC. Common features of these laws include:

(a) The LLC must state in its articles of organisation that it is a DAO.

(b) The LLC must include in its operating agreement a summary of its purpose.

(c) The LLC will be considered to be member-managed unless its articles state that it is algorithmically or smart-contract-managed.

(d) The operating agreement must include prescribed information about the DAO, which can include details of the smart contract, the blockchain technology used, voting procedures, protocols for responding to security breaches, procedures for becoming a member, and the rights and obligations of each group of participants.

(e) The LLC will automatically dissolve if it does not approve any proposals or take any actions for one year.

(f) The LLC members have no fiduciary duties to the DAO unless specified in the operating agreement.

(g) There is no express obligation to provide inspection rights to members, except for what is available on-chain.

The particular requirements will vary according to the state chosen for formation of the DAO. Wyoming, Vermont, Tennessee and Utah are some of the states that have adopted specific DAO LLC laws.

Another alternative chosen by some DAOs is to simply use a Delaware LLC. Delaware is a well-established jurisdiction for LLCs. The LLC operating agreement can specify restriction of fiduciary duties and limitation of liabilities. However, this legal structure does not accommodate certain features of a DAO such as preserving the anonymity of the members in certain circumstances.

Jurisdictions elsewhere have also adopted DAO LLC laws. In February 2022, the Marshall Islands amended its Non-Profit LLC Statute to officially recognise DAOs. Under this law, token holders of DAOs can be LLC members and the LLC’s bye-laws can be encoded into the blockchain.

Foundations

A foundation is a business structure that originally developed in civil law jurisdictions. A foundation can be structured without members. This appeals to DAO developers as a foundation appears ownerless, and this aligns with decentralisation. However, the operation of a foundation is not decentralised. A foundation is a separate entity, and hence can hold assets in the name of the foundation. This is different to a trust, in which assets are held in the name of the trustee.

The key features of foundations include:

(a) A foundation can be formed for any lawful purpose, including non-profit or charitable.

(b) The foundation offers legal personality and limited liability for the members.

(c) The foundation is not required to have members. Even if the foundation has members, those members may not be entitled to participate in financial returns of the foundation.

(d) The foundation can choose to have beneficiaries (for example, a DAO’s token holders), but beneficiaries will not have rights and powers unless specified in the bye-laws. Generally, beneficiaries will not have personal liability for the foundation’s debts or financial losses.

(e) The foundation can provide for liability protection for founders and directors (or council) who manage the foundation to protect them from personal liability. 

(f) The foundation may also appoint a supervisor or guardian to safeguard the purposes of the foundation.

Foundations are now common entities available in a number of jurisdictions, including Gibraltar, Switzerland and Cayman Islands. Hong Kong does not have a foundation as part of its available business entity suite.

Company limited by guarantee

The closest entity available in Hong Kong that can suit certain DAO requirements is the company limited by guarantee. A company limited by guarantee does not have shareholders, and the role of its members is quite different to shareholders in a private company limited by shares.

The key features of a company limited by guarantee are:

(a) The members do not have a claim on the assets of the company.

(b) The company is prohibited from paying dividends or profits to members.

(c) The members of the company will appoint directors, and directors owe a fiduciary duty to the company to act in its best interests.

Conclusion

The specific legal risks of operating DAOs have led the legal community to seek appropriate measures to minimise and mitigate the risk of personal liability of DAO participants. Some risks can be addressed by careful consideration of the scope of operation of the DAO, and implementing rules in the DAO constitution and measures in smart contracts to manage certain legal risks. However, frequently the best approach is to consider conducting some or all DAO activities in DAO legal wrappers. This issue is often a complex assessment, requiring an understanding of the ethos of the DAO and aligning that ethos with available business entity structures.

Pádraig Walsh and Shirley Kong

If you want to know more about the content of this article, please contact:

Pádraig Walsh

Partner | [email protected]

Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication. This article was last updated on 17 April 2024.

 
