Personal Data Protection in Hong Kong

Posted on by

The current statutory and common law in Hong Kong protects personal data. It stipulates that no person may be subjected to arbitrary interference with his privacy, family, home or correspondence and that no one shall be subjected to unlawful attacks on his honour and reputation. In addition, a breach of these provisions carries a criminal sanction. These offences are punishable by imprisonment and/or a fine.

However, there are a number of exemptions from the criminal offences in this regard. The most significant exception is the exemption relating to “the collection, disclosure or use of data of persons not concerned with a public interest” (section 33).

The application of the exemption in question is based on the consideration that, while it is important to safeguard the rights and interests of individuals, it should also be a matter for the Government to balance these interests against the legitimate needs of society as a whole.

This consideration is borne out by the fact that the exemption is largely based on the principle of proportionality. The collection and use of data of persons not concerned with telecommunications should only be permitted if it is necessary for a specific purpose, and is not excessive in relation to that purpose.

Another consideration is the principle of necessity. The collection and use of personal data must be necessary for a specific purpose, and it is not permissible to collect or process that data for any other purposes. This principle is reflected in the PDPO’s six data protection principles (“DPP”).

The DPPs are core privacy obligations of data users and are designed to ensure that data use is conducted fairly, lawfully and in compliance with an individual’s statutory rights. In particular, the DPPs require that data users inform a data subject of the purposes for which his personal data will be collected, and the classes of persons to whom it may be transferred, prior to its collection. In addition, once personal data has been collected, it must not be used for a new purpose without the voluntary and express consent of the data subject.

Moreover, the DPPs contain further requirements in respect of data transfers which are relevant to Hong Kong. These include the requirement to agree to standard contractual clauses or to contribute to a transfer impact assessment, where a Hong Kong data user is transferring personal data of EEA citizens from an EEA data exporter. These obligations are in addition to the statutory recognition of the liability of data users for their acts of agents under the PDPO.

In view of the above, data hk will continue to provide valuable insights on key developments in the field of data law and policy. We look forward to your continued support. Please do not hesitate to contact us with any enquiries or comments you may have. Thank you very much.

Gambling Blog