I. Legal framework
Constitutional privacy framework
On July 1, 1997, the People's Republic of China (PRC) resumed its sovereignty over Hong Kong and established it as a "Special Administrative Region" (SAR). Under the principle of "one country, two systems", the laws of the Hong Kong SAR were incorporated into the Chinese legal system by the enactment of the Basic Law, often described as Hong Kong's "mini-constitution". Under this arrangement, the Hong Kong SAR enjoys a high degree of autonomy, including having its own personal data and privacy regulation regime.
The Basic Law of the Hong Kong SAR contains several privacy protections. Article 29 provides that the "homes and other premises of Hong Kong residents shall be inviolable. Arbitrary or unlawful search of, or intrusion into, a resident's home or other premises shall be prohibited."
Article 30 provides that the "freedom and privacy of communications of Hong Kong residents shall be protected by law. No department or individual may, on any grounds, infringe upon the freedom and privacy of communications of residents except that the relevant authorities may inspect communications in accordance with legal procedures to meet the needs of public security or of investigation into criminal offences."
In addition, Article 14 of the Hong Kong Bill of Rights, which incorporates Article 17 of the International Covenant on Civil and Political Rights, provides that "no one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour or reputation."
The Bill of Rights Ordinance binds only the government and public authorities.
Statutory rules related to privacy
In 1995, after six years of study by the Law Reform Commission,1 Hong Kong enacted a Personal Data (Privacy) Ordinance (PDPO),2 which came into effect in 1996. Following the standard set by the Organisation for Economic Cooperation and Development (OECD) 1980 Guidelines for Protection of Privacy and Transborder Flows of Personal Data, the PDPO adopts six "fair information principles" to regulate notice, collection, accuracy, use, security, and access to "data," broadly defined as "any representation of information (including an expression of opinion) in any document, and includes a personal identifier."3 It also imposes additional restrictions on certain types of processing, namely data matching and direct marketing. The former requires the prior approval of the Privacy Commissioner, while the latter requires that a "data user" inform the "data subject" of the opportunity to opt out of further approaches.4
The Ordinance applies to public and private "data users" and to both manual and electronic records. Contraventions of the PDPO can give rise to criminal liability or to civil claims.5 However, by virtue of the Interpretation and General Clauses Ordinance,6 it does not apply to PRC government agencies operating in the Hong Kong SAR.7
Since 2006 the government has been discussing revision of the Ordinance. A working group was set up to address issues of public concern, safeguard personal data privacy rights while protecting the public interest, enhance the efficacy of regulation under the Ordinance, address matters with significant privacy impact, and deal with technical and other necessary amendments.8
In July 2011 the Personal Data (Privacy) (Amendment) Bill was tabled before the Legislative Council.9 This was largely a response to the Octopus Incident (see below), in which it was discovered that major companies in Hong Kong had been selling their clients' personal data without their express consent. The discovery caused a large public outcry and prompted legislative reform. In June 2012 the Personal Data (Privacy) (Amendment) Ordinance was passed by the Legislative Council.10 Most of the provisions of the Amendment Ordinance came into operation on 1 October 2012, while the provisions on the use, transfer and sale of personal data for direct marketing purposes, and the legal assistance scheme administered by the Privacy Commissioner, are expected to come into effect in early 2013.
The amendments fall into three major areas. First, a new regime governing direct marketing and the sale of personal data is established under Part IVA of the consolidated Ordinance. In both situations, data subjects must be notified of the kinds of personal data to be used, the classes of persons or companies to whom the data may be provided, and the classes of goods or services to be offered or advertised, and must be given the choice of opting out in an easily readable and understandable manner. Second, a new offence is created for disclosing personal data obtained from a data user without its consent, where the disclosure is made with intent to obtain gain or to cause loss to the data subject, or where it causes psychological harm to the data subject.11 Third, the Privacy Commissioner is given the power to provide legal assistance to aggrieved parties seeking compensation under the PDPO.12
Data protection authority
Under the PDPO, the Office of the Privacy Commissioner for Personal Data (PCPD) was established to promote and enforce compliance with the statutory requirements.13 The PCPD comprises six divisions: Administration, Compliance, Corporate Communications, Operations, Legal, and Policy.14 It is required by law to publish an annual report and has done so since 1997.15 The Commissioner is given strong enforcement powers modelled on those contained in the United Kingdom Data Protection Act.16 In addition to investigating complaints, the Commissioner may initiate independent investigations and conduct inspections of selected data users. Some violations of the PDPO constitute criminal offences; in other cases, an injured party may seek compensation through civil proceedings. If the Commissioner believes that a contravention may continue or be repeated, the Commissioner may issue an enforcement notice directing remedial measures.17
The PCPD receives enquiries through its telephone hotline, in person, or in writing.18 Not all complaints received are formally investigated, for reasons ranging from the complaint falling outside the provisions of the Ordinance to a lack of prima facie evidence. Many complaints are also closed without formal investigation because the parties involved reach a mediated settlement. Between 1996 and 2011, the PCPD received 232,942 enquiries and 11,690 complaints.19 Of these, 152 cases were heard before the Administrative Appeals Board and 22 cases were heard before a court.20
Data security on the Internet was the major topic of concern during 2006-2007. Two investigation reports were published by the PCPD on this subject. The Commissioner has collaborated with IT professionals to develop a clear set of privacy-compliant best practices, giving guidance for handling IT security and the protection of personal data.21
The collection of biometric data was also a topic of concern, particularly with the increasingly widespread use of fingerprint scanners for purposes unrelated to security or detection of crime, for example, for recording attendance by employers. The Commissioner discourages the collection of fingerprint data from children. Whenever practicable, the data user should provide the data subject with a less privacy-invasive alternative than the provision of biometric data.22
The Commissioner may issue codes of practice to provide guidance on compliance with the provisions of the Ordinance. A code is not itself law, but it has evidentiary relevance in determining whether a contravention of the Ordinance has occurred. By 2011, the Commissioner had issued five codes of practice and guidelines: the Code of Practice on the Identity Card Number and other Personal Identifiers;23 the Code of Practice on Consumer Credit Data;24 the Code of Practice on Human Resource Management;25 the Code of Practice on Protection of Customer Information for Fixed and Mobile Service Operators;26 and the Privacy Guidelines: Monitoring and Personal Data Privacy at Work.27 A leaflet entitled "FAQs on Spam" was published by the Office of the Telecommunications Authority in consultation with the PCPD and the Hong Kong Internet Service Providers Association. As awareness of privacy and data protection has spread through society, the PCPD's role has become increasingly important.
- 1. Hong Kong Law Reform Commission, 1994 Report on the Law Relating to the Protection Of Personal Data (1994).
- 2. Personal Data (Privacy) Ordinance, Chapter 486, December 20, 1997; See generally M. Berthold & R. Wacks, Hong Kong Data Privacy Law: Territorial Regulation in a Borderless World (Sweet & Maxwell Asia 2002).
- 3. Personal Data (Privacy) Ordinance, (Hong Kong), 1996, Chapter 486, s. 2, "data." Personal data is defined as "any data (a) relating directly or indirectly to a living individual; (b) from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and (c) in a form in which access to or processing of the data is practicable."
- 4. Id. at s.34.
- 5. US State Department, Country Reports on Human Rights Practices 2004 - Hong Kong, available at http://www.state.gov/g/drl/rls/hrrpt/2004/41640.htm#hongkong.
- 6. Interpretation and General Clauses Ordinance, Chapter 1.
- 7. See J. Holvast et al., The Global Encyclopedia of Data Protection Regulation Hong Kong 4.B (Kluwer 2000).
- 8. PCPD Annual Report (2008-2009).
- 9. The Personal Data (Privacy) Amendment Bill, July 2011 at http://www.legco.gov.hk/yr10-11/english/bills/b201107081.pdf
- 10. Personal Data (Privacy) (Amendment) Ordinance 2012, Ord. No. 18 of 2012, accessed 20 July 2012.
- 11. Section 36 of the Amendment Ordinance replaces the old s.64 with the present one.
- 12. Section 39 of the Amendment Ordinance adds s. 66B to the PDPO.
- 13. Section 5, Personal Data (Privacy) Ordinance, (Hong Kong), 1996, c. 486.
- 14. http://www.pco.org.hk/english/about/orgchart.html.
- 15. See Personal Data (Privacy) Ordinance, (Hong Kong), 1996.
- 16. Data Protection Act 1998 (United Kingdom), 1998, c. 29.
- 17. As an example, a notice was issued in 2002 against a former telemarketer who had improperly collected and subsequently used personal information of hotel guests. See Privacy Commissioner for Personal Data, Annual Report 2001-2002, 26-27 (Hong Kong, PCO, 2002).
- 18. The PCO has indicated that in the period from June 2004 until June 2005, 14,609 enquiries were made via the PCO's telephone hotline and an additional 1,115 enquiries were received in writing. In the same period, a total of 889 complaints were filed with the Office of the Privacy Commissioner for Personal Data and a total of 35 investigations were commenced.
- 19. The data was an accumulation of available information from the PCPD Annual Reports from 1996 to 2010, available at http://www.pcpd.org.hk/english/publications/annualreport.html.
- 20. Data on complaints before the Privacy Commissioner's Office are compiled from the PCPD Annual Reports. For other data, see Anne SY Cheung, "An Evaluation of Personal Data Protection in Hong Kong Special Administrative Region 1995-2012" (work in progress).
- 21. "Recommended Procedures for IT Practitioners on Personal Data Handling," Privacy Commissioner for Personal Data, October 2006.
- 22. Id.
- 23. Privacy Commissioner for Personal Data, Code of Practice on the Identity Card Number and other Personal Identifiers (Hong Kong, PCO, 1997).
- 24. Privacy Commissioner for Personal Data, Code of Practice on Consumer Credit Data (Hong Kong, PCO, April 2011). The original code was issued on 27 February 1998 and took effect on 27 November 1998; see also Privacy Commissioner for Personal Data, Consultation Paper on Amendments, at http://www.pcpd.org.hk/english/publications/files/CCDCode_2011_e.pdf.
- 25. Privacy Commissioner for Personal Data, Code of Practice on Human Resource Management, (Hong Kong, PCO, 2000).
- 26. Privacy Commissioner for Personal Data, Press Release, "New Code Launched for Fixed and Mobile Service Operators to Protect Customer Information," June 17, 2002, available at http://www.pco.org.hk/english/infocentre/press.html; see also Privacy Commissioner for Personal Data, Code of Practice on Protection of Customer Information for Fixed and Mobile Service Operators (Hong Kong, PCO, 2002).
- 27. Privacy Commissioner for Personal Data, Code of Practice on Monitoring and Personal Data Privacy at Work, (Hong Kong, PCO, 2002).