The Hong Kong Market Entry Playbook: Data Protection


Hong Kong has a long history of being a business-friendly location to set up both as a regional business hub and to access the sophisticated local market. In the next of a series of articles exploring the attraction of Hong Kong as a regional and international business centre, Pádraig Walsh of Tanner De Witt explains the personal data privacy and protection framework in Hong Kong.


Constitutional status: The Basic Law is the key constitutional document of Hong Kong. The right to privacy is recognised in Article 30 of the Basic Law, and in Section 8, Article 14 of the Hong Kong Bill of Rights Ordinance.

Legislation: The Personal Data (Privacy) Ordinance (the “PDPO”) was passed in 1995 and took effect from December 1996 (except certain provisions). It is one of Asia’s longest standing comprehensive data protection laws. The PDPO underwent major amendments in 2012 and 2021.

Authority: The Office of the Privacy Commissioner for Personal Data (“PCPD”) is an independent statutory body set up to oversee the enforcement of the PDPO. The courts of Hong Kong have jurisdiction to deal with privacy and data protection related matters.

Enforcement approach: The main enforcement measures adopted by the PDPD are:

(a) Investigation: The PCPD can investigate complaints regarding breaches of the PDPO, conduct formal investigations, and issue an enforcement notice. However, the PCPD by itself has no power to impose fines.

(b) Fines and imprisonment: It is an offence if the terms of an enforcement notice is breached. The PCPD can institute civil or criminal proceedings against data users in breach of an enforcement notice by referring criminal offences under PDPO to the Hong Kong Police Force. They may then be prosecuted through the Hong Kong court system. There are also separate criminal offences under PDPO punishable by fines and imprisonment. The PDPO can bring prosecutions in respect of doxxing offences.

(c) Compensation: Data subjects have a right to bring proceedings in court to seek compensation for damages, including damages for injury to feelings.

Regulatory approach: The PCPD has issued various codes of conduct. Examples include the Code of Practice on the Identity Card Number and Other Personal Identifiers and the Code of Practice on Human Resource Management. If data users breach a Code of Practice, this gives rise to a rebuttable presumption in any legal proceedings that the data user has breached the PDPO. This means that the data user would have to produce evidence of compliance with data protection laws, notwithstanding the breach of the Code of Practice. In addition, the PCPD has published guidelines and information leaflets on various issues. These are non-binding.

Key principles

Data protection principles: The PDPO sets out six Data Protection Principles (“DPPs”):

DPP1   Personal data must be collected in a lawful and fair manner, and the data user must give specified information to a data subject when collecting his personal data.

DPP2   Personal data must be accurate and up-to-date, and kept no longer than necessary.

DPP3   Personal data should only be used for the purposes for which they were collected or a directly related purpose. Otherwise, the data user must obtain the “prescribed consent” of the data subject.

DPP4   The data user must have measures in place for the confidentiality and security of personal data.

DPP5   Data users must provide general information about the kinds of personal data they hold and the main purposes for which personal data are used.

DPP6   Data subjects must be given a right of access to their personal data, and to correct them.

Collection: On or before collection of personal data, all practicable steps must be taken to ensure that the data subject is informed of (a) whether the supply of the data is voluntary or obligatory, (b) the purposes for which the data are to be used, and (c) the classes of persons to whom the data may be transferred. Before first use of personal data, the data subject must also be informed of: (a) his right to request access to, and to correct, the data, and (b) the name or job title, and address, of the individual who is to handle any such request. These obligations are typically fulfilled by providing a personal information collection statement with the prescribed information to the data subject on or before the collection of personal data.

Data processors: If personal data is entrusted by the data user to a data processor, the data user is liable as the principal for any act done by its authorised data processor. The data user must adopt contractual or other means to prevent any personal data transferred to the data processor from being kept longer than necessary for processing the data, and to prevent unauthorised or accidental access, processing, erasure, loss or other inappropriate use of the personal data.

Direct marketing: A data user engaging in direct marketing must first obtain the data subject’s consent. The consent of a data subject must be the explicit agreement by the data subject to indicate that he consents or does not object to the use or provision of his personal data for use in direct marketing. If a data subject has orally consented to a data user using the personal data for direct marketing, the data user must confirm prescribed particulars of that consent within 14 days. A data subject may request that a data user ceases to use his personal data for direct marketing without charge (also known as the opt-out request).

It is a criminal offence, punishable by fine and imprisonment, to use personal data for direct marketing without the consent of the data subject. It is a separate offence for data users to provide a third party with personal data for the purposes of direct marketing in return for payment and without the data subject’s consent.

International data transfers: There are restrictions on transfer of personal data to overseas jurisdictions in section 33 of the PDPO, but these provisions have not come into effect. Nonetheless the transfer of personal data is in itself a form of use of the personal data, and a data user must give notice to explicitly inform data subjects of the purpose (in general or specific terms) for which the personal data is to be used and the classes of persons to whom the data may be transferred.

Data processing agreements: The most common means for a data user to protect personal data transferred in a cross-border data transfer is by written contract. The PCPD has published two sets of recommended model contractual clauses. These cater for two scenarios, being the transfer of personal data from one data user to another data user and the transfer of personal data from a data user to its data processor. The recommended model clauses address the transfer of personal data from a Hong Kong entity to another entity outside Hong Kong; or between two entities both of which are outside Hong Kong when the transfer is controlled by a Hong Kong data user. The purpose is to ensure adequate protection is given to the personal data as provided under the PDPO as if the personal data concerned were not transferred outside Hong Kong.

Data protection officers: There is no statutory requirement to appoint a data protection officer. The PDPO requires a data user to inform a data subject of his rights to request access, and correct his personal data and the name (or job title) and address of the person to whom such requests should be made. In practice, the person identified for this purpose in a personal information collection statement is usually described as a data protection officer. This is a matter of convention, not a requirement of law. The title does not carry the same obligations or duties as a DPO under GDPR.

Data breach: There is no general mandatory data breach notification requirement in Hong Kong, though notification requirements may arise in certain regulated sectors. The PCPD has consistently encouraged data breach notification as recommended best practice and has commented adversely in its Investigation Reports in respect of any failure or delay to report a data breach. The PCPD has recommended that notification should be made as soon as practicable after detection of the data breach, except where law enforcement agencies have, for investigative purpose, made a request for a delay.

Data protection impact assessments: DPIAs are not mandatory. However, the PCPD had made clear that DPIAs are recommended best practice as they are the best means of adhering to the principles of proportionality, transparency and fairness enshrined in the statutory DPPs.

Data subject rights

Data access: Data subjects are entitled to request access to personal data. The data users must provide copies of the personal data requested within 40 days of the request. The data users can only charge the data subjects for a non-excessive amount of fees. The PCPD has specified a prescribed form in which such a request has to be made.

Data correction: Data subjects are entitled to request the correction of personal data without charge to the data subject. This data correction request must be preceded by a data access request. If the data subject considers that the personal data held by the data user is inaccurate, he may make a request that the data user corrects the data. If the data user is satisfied that the data is inaccurate, the data user must make the necessary correction to the data no later than 40 days after receiving the request. However, the data user may refuse a personal data correction request in certain circumstances such as when the data user is not supplied with information it reasonably requires to ascertain how the personal data is inaccurate, or that the data user is not satisfied that proposed correction is accurate.

Data deletion: Data subjects do not have the right to require data users to delete their personal data. Data users are required under DPP2 to take all practicable steps to erase personal data held by them where the data are no longer required for their prescribed purpose, unless erasure is prohibited under any law or it is in the public interest for the data not to be erased

Pádraig Walsh

* This article is an expanded version of our contribution to the iTech Law global publication “Startup Legal Playbook”, which can be accessed on this link.

If you want to know more about the content of this article, please contact:

Pádraig Walsh

Partner | Email

Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication. This article was last updated on 26 February 2024.