Hong Kong PDPO: 2024 Comprehensive Guide
With the constantly changing data landscape, some countries across the globe have created their personal data laws specific to their own country or region, like with the Hong Kong PDPO or GDPR.
The Personal Data (Privacy) Ordinance for Hong Kong is a set of privacy laws that governs how personal data is used in Hong Kong. If your business operates or processes data of people in Hong Kong, you should be aware of the PDPO and what it means for your business to stay compliant.
If you are concerned that your business may not be compliant with the Hong Kong PDPO, then stick around. This article will explain in detail what the PDPO is, what data protection is needed, what data rights are given to its subjects, as well as give you steps to ensure your business compliance.
Let's dive in.
- The Hong Kong PDPO governs how personal data is collected, stored, processed and shared in Hong Kong.
- The PDPO is made up of six principles: the purpose and manner of collected personal data, the accuracy and duration of the retention of personal data, the use of personal data, the security of personal data, the information to be available and providing access to personal data.
- Data collected for medical, criminal, statistical and legal purposes are exempt from the PDPO.
What is the Hong Kong PDPO?
Hong Kong's Personal Data (Privacy) Ordinance is a set of laws regulating how private and public businesses use personal data. The law governs how personal data is collected, stored, processed and shared in Hong Kong.
The PDPO is one of Asia's oldest privacy laws. It was created in 1995 and brought into effect in December 1996. The PDPO was created in response to a Law Reform Commission Report entitled "Reform of the Law Relating to the Protection of Personal Data." This 1994 report suggested that Hong Kong introduce new privacy laws.
The privacy laws outlined in the PDPO were based on the OECD Privacy Guidelines 1980. These were the first internationally agreed-upon privacy principles before the GDPR came along. Since the inception of the PDPO, there have been some amendments to keep up with the ever-evolving world of data privacy.
In 2013, the PDPO underwent its first amendment to address the misuse of personal data for marketing purposes. Then, in 2021, another amendment was added, which gave the PDPO more enforcement powers and anti-doxxing provisions.
The principles in the PDPO are enforced by the Office of the Privacy Commissioner for Personal Data (the "PCPD"), which is the authoritative source of all PDPO complaints and decisions. The PCPD has issued six foundational Data Protection Principles (DPP) that all businesses operating in Hong Kong need to abide by.
It should be noted that Hong Kong does not need to comply with the regulations outlined in the China PIPL.
The six DPPs found in Schedule 1 of the Ordinance:
- DPP1 - The purpose and manner of collected personal data
- DPP2 - The accuracy and duration of the retention of personal data
- DPP3 - The use of personal data
- DPP4 - The data security of personal data
- DPP5 - Information to be available
- DPP6 - Providing access to personal data
These six Data Protection Principles are in place to give data subjects more power over how their data privacy is collected, processed, stored, or shared with third parties. The principles outlined in the Ordinance were created to be technology-neutral to minimize the amount of personal data collected and ensure that data security is maintained with efficient security measures.
Businesses that violate these DPPs are at risk for penalties.
Who is Covered Under the Hong Kong PDPO?
The PDPO is clear on who is covered by these laws to ensure that no infringements take place. This law applies to businesses operating in both the private and public sectors who are collecting, processing and using personal data.
Regardless of whether your business processes the data outside of Hong Kong, the PDPO will also apply to you as long as the personal data is controlled by the data user (the data controller) based in Hong Kong.
All data users in Hong Kong are given data protection rights and can challenge both the public and private sectors to develop compliance methods according to PDPO laws.
Private sectors that fall under the category of business, corporations, partnerships, and sole proprietors are required by Hong Kong's PDPO to be compliant with its terms. That applies to both for-profit and non-profit centers business as well.
In terms of public sectors, the PDPO falls under most of them. That included schools, government agencies, and financial institutions. As one can see, the principles of the PDPO are to be expected and maintained through all aspects of both the public and private sectors.
What makes the PDPO different from the GDPR is that the PDPO does not directly regulate how data processors process personal data collected by data users, which must comply with the PDPO. This means that data users are responsible for ensuring that their data processors comply with the PDPO.
Exemptions to PDPO
While the PDPO regulates businesses operating in the public and private sectors, some businesses and data processors are exempt from these data privacy laws.
The following exemptions are outlined in part VIII of the Ordinance:
- Data collected for domestic purposes
- Data collected for journalistic purposes
- Data collected for employment purposes, including staffing, personal references, disciplinary actions, awards, contracts and promotions
- Data collected for business transactions
- Data collected for news
- Data collected for emergency purposes
- Data collected for legal professional privileges
- Data collected for research and statistical purposes
- Transfer of records to Government Records Service
- Data collected for the purposes of care and guardianship of minors
- Data collected for health purposes like physical or mental health, including the identity or location of the data subject.
- Data collected for security, defense or international relations
- Data collected for crime purposes like improper conduct, court orders, legal requirements and other legal proceedings
Data that is collected for the good of the country, for example, for research or statistical purposes, is exempt from the principles outlined in the Ordinance. This includes data that is collected for criminal and legal proceedings.
While DPP 6 makes provisions that data subjects can request that their data be amended, this is not applicable to data collected for legal purposes. For example, if it is being used in an ongoing investigation.
Data Protected Under the Hong Kong PDPO
The six Data Protection Principles of the Ordinance outline which data is covered under the Hong Kong DPPO and are things your business needs to understand to avoid penalties due to non-compliance. Let's dig deeper into them.
According to Section 2 of the PDPO, personal data is defined as "relating directly or indirectly to a living individual, from which it is possible and practical to ascertain the identity of the individual from the said data, in a form in which access to or processing of the data is practicable."
All personal data collected from data subjects in Hong Kong is covered by the PDPO, which controls how this data is used. To collect personal data in Hong Kong, your business needs to ensure that it is done in a fair manner.
For example, gaining unauthorized access to financial details or purposely misleading the data subject to gather their data is illegal. As a business owner, it is your responsibility to inform the data subject of the purposes of collecting their data.
Under the PDPO data privacy laws, all personal data that is collected is covered to ensure that it is accurate and up to date, is accessible and that businesses have taken appropriate data protection security measures to secure the personal data.
While the Hong Kong PDPO has defined what personal data is, it does not explicitly list what it considers personal data. A good fallback is the GDPR list of what personal data usually consists of:
- Financial information, which includes credit card numbers and account numbers
- Contact information, including telephone numbers
- Medical information
- Ethnicity and race
- Religious and philosophical beliefs
- Sexual orientation and gender identity
- Criminal history
- Biometric information
All of the above are considered forms of personal data and are protected by the PDPO.
Checklist for Businesses to Comply with the Hong Kong PDPO
As a business owner, regardless of whether you're in the public or private sector, you need to ensure that your business remains compliant with the Hong Kong PDPO. To do this, we have compiled a checklist for your business.
Practice Data Minimization & Accuracy
Data minimization means the act of limiting and restricting the amount of data collected on data subjects. The purpose is to collect what is absolutely necessary for your business in order to carry out its functions without having to manage any other excess data.
The PDPO was created to minimize the amount of personal data that is collected from data subjects in Hong Kong. To do this, your business should only collect relevant personal data that is used for its intended purpose only.
Section 26 of the Ordinance requires that all businesses and data users delete collected personal data that is no longer needed for its original use. Collected personal data should also be accurate, and if the data user is making use of a third-party data processor, they must ensure that the data collected is accurate.
Collect Informed Consent
According to the PDPO, Consent is not a prerequisite for collecting personal data if it is used for the purposes outlined in the list of exemptions we covered above. Data users will be required to get consent for personal data if the data is being used for marketing purposes or for a new purpose than it was previously intended.
Businesses that collect personal information data without consent can be subjected to potential penalties from the PDPO privacy commissioner. Ensuring that the consent is acquired first can make the act of data collecting fall under compliance within the PDPO and it means you won’t get a penalty handed down from Hong Kong's Privacy commissioner.
If applicable, your data user should also explain to the data subject how to withdraw consent through an opt-in or opt-out mechanism if there is one in place.
Take Practical Steps to Protect Personal Data
According to DPP4, businesses and their data processors need to take practical steps to ensure sufficient data protection measures are put in place. Cybercrime is at an all-time high, and without any data protection measures, your personal data is at risk for a data breach.
The PDPO mandates that data users and data processors take practical data protection steps to ensure that all personal data stored is protected from unauthorized access or data transfer, processing, loss, and deletion. To help businesses protect personal data and practice good data security, the PDPC released a Data Protection by Design guide.
To protect personal data, we recommend that your business makes use of DPIA software, implements encryption, limits access control, and hires a data protection officer to ensure that you remain compliant with the PDPO.
Additionally, having your employees be trained in privacy awareness helps ensure that they stick to data security protocols that are in place.
Ensure Data Subjects Can Access & Correct
DPP6 governs that data users provide data subjects with the right to access and correct their own personal data. Once the data subject has requested access and correction of their personal data, the business or data user has 40 days to make these corrections.
If, for whatever reason, the data user cannot make these corrections, they have 40 days to state their reasons. After that, one of the data subject rights allows them to take the matter to the Privacy Commissioner of the PDPC.
Penalties for Non-Compliance with the Hong Kong PDPO
Hong Kong's PDPO is designed to prevent future infringements and punish those that contravene the provisions outlined in the PDPC enforcement notice. Some of these penalties for non-compliance include fines and even imprisonment.
The PDPC will investigate any violations at their discretion, and depending on the outcome of the investigation, an enforcement notice will be issued to the data user. This enforcement notice will contain a list of remediation steps that data users must take.
Non-compliance to the PDPO is not a criminal offense. It's a criminal offense to disobey the instructions issued in the enforcement notice as outlined in Part 9, Section 64 of the Ordinance.
Non-compliance to the enforcement notice can result in minimum fines of HKD 50,000 ($7,000) and two-year imprisonment. The maximum a business can be fined is HKD 100,000 ($14,000) with a two-year imprisonment.
In addition, data subjects can file lawsuits and claim damages against businesses that violate their personal data by not offering adequate data protection in case of a breach.
Something as simple as not deleting unnecessary personal data is punishable with fines of up to HKD 10,000 plus additional costs associated with lawsuits from the data subjects. While there are currently no data breach notification requirements, we highly suggest notifying the PDPC and data subject as soon as possible to avoid any surprise fines.
If your business collects, processes, stores, and distributes personal data on data subjects in Hong Kong, you'll want to ensure your business remains compliant with the Hong Kong PDPO. The difference between being compliant and being non-compliant can mean the closure of your business or even financial ruin and criminal charges.
Get in touch with Captain Compliance today to ensure your business gets on the right side of the law.
What is the Personal Data Privacy Ordinance Amendment?
The latest amendment in 2021 was to create a two-tiered offense for sharing personal data without consent and introduce new anti-doxxing provisions.
What is the fine for PDPO in Hong Kong?
Violating an enforcement notice from the PDPC can result in fines of a minimum of HK $50,000 and a maximum of HKD 100,000 ($14,000).
What is the right to privacy in Hong Kong?
The Hong Kong government and the PCPD created the right to privacy so that "No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honor and reputation."
What is an example of personal data in PDPO?
An example of personal data in the PDPO is a person's financial details like credit card numbers and account numbers.