Hong Kong

Privacy Culture

Data protection has been under the spotlight in Hong Kong since several high-profile leakages of confidential personal data were reported by the media in the past couple of years. The media reports drew attention to breaches by high-profile public and private organisations that have leaked confidential files. Community awareness of personal data privacy issues rose after the Octopus Incident in 2010 and the heightened activity of the Privacy Commissioner for Personal Data ('PCPD') that has followed this event.

In 2014, the Social Science Research Centre of the University of Hong Kong conducted a survey on public attitudes to personal data privacy. The survey revealed that nearly half (46%) of respondents had experienced misuse of their personal data in the last 12 months. The most frequent sources of the problem were banks (57%), telecom companies (32%), fitness/beauty centres (26%) and financial institutions (17%). Most respondents admit that their confidence or trust in companies reported by the PCPD to have contravened the Personal Data (Privacy) Ordinance has decreased. The survey indicates that awareness of privacy rights and trust in the PCPD are generally high and that individuals are conscious of the need to balance privacy rights differently in various situations.

Legal History

Hong Kong provides a very advanced level of protection to personal data compared to the rest of Asia and it is one of the continent's earliest adopters of comprehensive data privacy regulation. Collection, use and storage of personal data in Hong Kong is regulated by the Personal Data (Privacy) Ordinance (the Ordinance). The early development of data privacy protection has its sources in the strong presence of multinational corporations in Hong Kong.

The Ordinance generally reflects the OECD guidelines for the Protection of Privacy and Trans-Border Flow of Personal Data from 1980, which are the cornerstone for Europe's Data Protection Directive (95/46/EC). In 2012, the Ordinance was amended to strengthen restrictions on the use of personal data for direct marketing purposes. Currently, Hong Kong's regulation of direct marketing is one of the most complex and most stringent in the world. Other than the omnibus regulation, there are no specific data protection laws for industry sectors. However, many industry associations have guidelines and rules about the applicability of the Ordinance.

Enforcement and Court Action

The public body responsible for enforcement of the Ordinance is the Office of the Privacy Commissioner for Personal Data (香港個人資料私隱專員公署 or 'OPCPD'). In case of a complaint by an individual or a reasonable ground to believe that an act has been committed in breach of the Ordinance, the Commissioner may launch an investigation. Should any breach of the Ordinance be discovered, the OPCPD may issue a notice ordering the data controller to apply a remedy and/or to prevent any recurrence of the contravention.

Organisations are entitled to appeal against the OPCPD's enforcement notices. However, a failure to comply with an enforcement notice is an offence under the Ordinance and can be punished with a maximum fine of HK$50 000 (USD$64 270) and imprisonment for up to three years. If a breach was committed in order to obtain a financial gain, a higher penalty can be imposed and imprisonment for up to five years may apply. The unauthorised transfer of personal data to third parties for direct marketing constitutes such an offence and is subject to a maximum penalty of 106,000.00 EUR. Continuing offenders may be subject to a daily penalty of HK$1 000. Moreover, Hong Kong has adopted a 'naming and shaming' policy geared at corporate reputation. The PCPD has the right to publish the results of any investigation, including naming any organisation that was involved, and to announce details of the contraventions committed. Individuals have the right to claim compensation through civil proceedings for damages that were caused to them due to breach of the Ordinance, including sums for injured feelings.

Corporate Risk

The Octopus incident from 2010 had a huge impact on the current level of data privacy & protection enforcement in Hong Kong. Before the scandal was exposed, the Octopus Card was commonly used not only as a means of electronic payment for public transport, restaurants and parking, but also in many day-to-day situations such as registering students' attendance, confirming membership of certain organizations or entering one's apartment. Hong Kong people put a lot of trust in the Octopus Rewards Limited, and the moment the news was announced that the company had been selling customers’ private information to other firms, this trust was broken. With this revelation the PCPD became very active, and in 2014 the OPCPD issued 90 enforcement notices and 20 warnings. Out of 20 cases the Commissioner referred to the police, one resulted in conviction. Most of the enforcement actions undertaken by the OPCPD in 2014 related to the unnecessary and unjustified collection of data.

In 2015, 871,000 Hong Kong individuals were affected by data breaches, compared with 47,000 in 2014. Public complaints addressed to the OPCPD have risen by almost 20% to 1,971. Of those complaints, 74% were made against the private sector, with the financial sector receiving the most complaints. 40% of all complaints related to the use of personal data without consent and 37% to the purpose and manner of data collection. The overall number of warnings and enforcement notices issued by the Commissioner dropped last year (17 warnings and 67 enforcement notices in 2015 compared with 20 warnings and 90 notices in 2014); referrals to the Police were up from 20 in convictions in 2015, compared to just one in 2014.

In 2014, the OPCPD issued five enforcement notices that required companies running tutorial service agency websites to stop unnecessary collection of private tutors' personal data. The same year, 10 employment agencies for domestic helpers were directed by the OPCPD to cease the unnecessary and unjustified collection and online publication of overseas applicants' personal data. Additionally, two travel agencies were required to stop the collection and use of personal data of applicants willing to join their loyalty programmes.

Future Outlook

For a number of years, enforcement of data protection & privacy law in Hong Kong was minimal. However, the attitude changed after a direct marketing scandal in the summer of 2010 and other high-profile leakages of personal data. These events led to an overhaul of the regulatory regime in 2012 and clearly illustrated how important it is for organisations to comply with privacy laws. Since then, there has been a significant increase in enforcement action by the OPCPD.

The Privacy Commissioner currently remains very active and regularly publishes official guidelines on a wide range of privacy related topics. Regardless of the rising number of actions and the reasonable number of investigations conducted by the Commissioner, most of the complaints are resolved by data controllers undertaking a policy change or offering direct compensation to affected data subjects. The growing public interest followed by an active stance on data privacy enforcement by authorities, a high level of fines, and potential reputational risks of 'naming and shaming', make compliance with the Data Protection Ordinance one of the priorities for Hong Kong businesses. 




Data Privacy Recruitment Ltd. 

All rights reserved. All opinions expressed to be treated strictly as guidance and not as legal advice. 

September 2016
London, United Kingdom