Hong Kong’s Privacy Commissioner for Personal Data (PCPD) recently issued a booklet addressing the potential impact of the European Union’s (EU) General Data Protection Regulation 2016 (GDPR) on Hong Kong (HK) businesses. Coming into force on 25 May 2018, the GDPR replaces the 1995 EU Data Protection Directive and introduces a single set of data protection rules applicable to all EU member states, as well as any businesses that collect or process the personal data of any EU resident. HK businesses will need to comply with the GDPR if they:
Since HK’s Personal Data Privacy Ordinance (Cap. 486) (PDPO) is largely influenced by the now superseded 1995 EU Data Protection Directive, it is useful to note the differences between the PDPO and the GDPR. We highlight the more significant differences as follows:
Under the PDPO, a data controller has to take all practicable steps to inform an individual, on or before collecting his/her personal data, of the purposes for which such data will be used. Once an individual provides his/her personal data, he/she may request that the data be deleted but cannot object to the way the data are processed unless the data will be used in relation to direct marketing (in which case data controllers must notify, and obtain consent from, the individual before using his/her data for direct marketing purposes).
The PDPO does not explicitly set out any accountability principle or related privacy management tools. Rather, the PCPD encourages the adoption of a Privacy Management Programme (PMP) that embraces the notion of accountability as a foundation for promoting data privacy compliance. The PMP sets out a series of best practices for organisations to follow in building their privacy infrastructure.
– Where an organisation is a public authority or body;
– Where an organisation’s core activities involve regular and systematic monitoring of data subjects on a large scale; or
– Where an organisation’s core activities involve large-scale processing of special categories of data (e.g. sensitive personal data such as health records, or data relating to criminal convictions or offences).
Data protection officers must have sufficient expert knowledge (commensurate with the processing activities for which they are responsible), oversee compliance with data protection laws and regulations, and deal with Data Protection Authorities in the event of a dispute.
In contrast, the PDPO does not require the appointment of any data protection officer. Rather, the appointment of a data protection officer is recommended as a best practice (in order to preserve reputational value) under the PMP. Such appointment may entail reviewing an organisation’s current operating structure and designating the data protection officer as an executive-level staff member.
The provision of such notifications is voluntary in HK; there is no binding obligation or stipulated timeframe for doing so.
On the other hand, the PDPO does not require procuring an individual’s consent as a pre-requisite for collecting personal data, except in three cases: where, at the time of collection, the data user notifies the data subject that provision of his or her data is voluntary rather than obligatory (the data user must state at the time of collection whether provision of the data is voluntary or obligatory); where the data are to be used for a new purpose (i.e. a purpose not directly related to the original collection purpose); or where the data are used or transferred for direct marketing purposes. In such cases, consent must be informed, voluntary, and express; it cannot be inferred from inaction or silence. Nor does the PDPO promulgate any parental consent requirement; instead, the PDPO allows parents or legal guardians of minors to give prescribed consent on their behalf if the parent or legal guardian has reasonable grounds to believe that the new purpose for using the data may be in the minor’s interest.
– Systematic and extensive evaluation of personal data via automated processing (including profiling), on which decisions are based that produce legal effects on, or significantly affect, individuals;
– Large-scale processing of sensitive personal data (biometric data, data relating to criminal offences, etc.); or
– Systematic monitoring of public areas on a large scale.
According to guidance issued by the PCPD, privacy impact assessments are encouraged under certain circumstances (e.g. prior to installing security cameras in public places) but HK law does not impose any obligation to conduct them.
By comparison, failure to comply with the PDPO (including any of the Data Protection Principles listed in Schedule 1 thereto) does not automatically trigger any sanctions. In cases of non-compliance, the PCPD can issue an enforcement notice directing the data user to remedy the contravention. Statutory fines for failing to comply with an enforcement notice range from HK$50,000 to HK$100,000, though the penalties for direct marketing offences are much higher (ranging from HK$500,000 to HK$1,000,000, plus up to five years’ imprisonment) as they are criminal offences. The PCPD has no power to directly levy administrative fines or penalties.
In light of the breadth and extent of the GDPR, businesses facing the GDPR’s compliance requirements should develop an overall privacy framework, document policies and procedures, and assign accountability for privacy policies and procedures.
As a law firm committed to Hong Kong, we are dedicated to assisting businesses in Hong Kong to comply not only with Hong Kong law but also other applicable laws.
Notes:
1. Per article 4 GDPR, “profiling” means “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person…”
2. Article 21 GDPR.
3. Part 6A of the PDPO also gives individuals the right to opt out from the use of his/her personal data in direct marketing.
4. See “Privacy Management Programme—A Best Practice Guide” issued by the Personal Data Privacy Department.
5. Article 37(1) GDPR.
6. “Large scale” is not defined under the GDPR, but according to the EU Guidelines on Data Protection Officers certain factors should be evaluated in determining scale:
7. Per article 4 GDPR, “personal data breach” means “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
8. Article 33 GDPR.
9. Article 34(3) GDPR.
10. The PCPD published Guidance on Data Breach Handling and the Giving of Breach Notifications, which explains the steps for giving notification (which is recommended to be given to affected individuals or organisations “as soon as possible”).
11. See articles 6(1)(a) to (f) of the GDPR.
12. Article 7(4) GDPR states that in assessing whether consent was freely given, account shall be taken of… whether “…performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract”.
13. Pursuant to Data Protection Principle 1, Schedule 1 PDPO.
14. Article 35 GDPR.
15. Refer to “Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is ‘likely to result in a high risk’ for the purposes of Regulation 2016/679” (http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=611236).
16. Article 35(3) GDPR.
17. See “Information Leaflet on Privacy Impact Assessments” (https://www.pcpd.org.hk/english/resources_centre/publications/files/InfoLeaflet_PIA_ENG_web.pdf).
18. Pursuant to section 50 PDPO.
19. Section 50A PDPO.
20. Direct marketing offences are dealt with under Part 6A of the PDPO.
21. See sections 35J(5), 35K(4), and 35L(6) PDPO.