Cyber Security in Hong Kong

Is it unlawful in this jurisdiction to access third party data without authorisation? Is it unlawful to store data which has been accessed without authority?

Accessing third party data without authorisation may constitute offences under various Hong Kong ordinances, summarised below:

  • Unauthorised access to a computer by telecommunication: Under section 27A of the Telecommunications Ordinance (Chapter 106 of the Laws of Hong Kong) it is an offence to use telecommunications[1] to affect a computer to obtain unauthorised access to any program or data held in a computer. The offence is punishable by a fine of HK$20,000. This is Hong Kong’s “hacking” offence.
  • Access to computer with criminal or dishonest intent: Under section 161 of the Crimes Ordinance (Chapter 200 of the Laws of Hong Kong) it is an offence to obtain access to a computer with criminal or dishonest intent to make gain for oneself or another, or to cause loss to another. The offence is punishable by up to five years’ imprisonment.
  • Other property crimes: A person accessing data without authorisation may also be guilty of theft, burglary or fraud under sections 7, 11(3A) and 16A of the Theft Ordinance (Chapter 210 of the Laws of Hong Kong).[2] Further, the offence of destroying or damaging property now also includes “misuse of a computer” (Crimes Ordinance, ss. 59, 60).
  • Unauthorised disclosure of personal data: From a data privacy perspective, section 64 of the Personal Data (Privacy) Ordinance (Chapter 486 of the Laws of Hong Kong) makes it an offence to disclose personal data of a data subject obtained from a data user without such data user’s consent for purposes of making financial gain or causing financial loss, or to cause psychological harm to the data subject. The offence is punishable by a fine of HK$1,000,000 and up to five years’ imprisonment.

There is no specific offence relating to storing data which has been accessed without authority; however, if a person stores data with a view to aiding and abetting the commission of any of the above offences, they may be guilty of conspiracy to commit such offences and would be punishable in the same manner as the relevant offence (Crimes Ordinance, s. 159A).

CIVIL ACTION

Unauthorised access to third party data may also be sufficient basis to initiate civil proceedings against a wrongdoer on a number of possible grounds, including: breach of contract; breach of confidence; trespass to chattel; conversion; misuse of private information; and the economic tort of intentional infliction of harm by unlawful means. Many of these grounds are untested in Hong Kong, but they would at the very least be arguable depending on the circumstances of the unauthorised access.

Is there a legal mechanism whereby you can seek access to or retrieve the copy of data which has been accessed without authority? Is there a legal mechanism that enables you to find out information about who may have accessed your data without authority and/or how it was used?

If a data user cannot itself identify who accessed the relevant data and how they used it, the data user can try to obtain this information by working with the Hong Kong Police Force or independent third party forensic investigators. For civil actions, there are a number of legal mechanisms by which a data user can procure the assistance of a third party, such as a cloud service provider, to obtain this information, including:

  • Norwich Pharmacal Orders: A person who has been wronged may apply to the court for Norwich Pharmacal discovery against any other person who has become involved, directly or indirectly, in the wrongful acts of others so as to facilitate their wrongdoing, whether by voluntary action on his/her part or because it was his/her duty to do as he/she did. The court may order disclosure of the names and addresses of each of the wrongdoers, and other information, so that appropriate remedies can be pursued against the wrongdoer. The cost of complying with Norwich Pharmacal orders is normally borne by the requesting party.
  • Anton Piller Orders: The court may, on application, order the detention, custody and preservation of any property which is the subject matter of a current or pending civil action or as to which any question may arise in it, or the inspection of any such property in the possession of a party to the cause or matter. To enable such orders to be carried out, the court may authorise any person to enter upon any land or building in the possession of any party to the action.
  • Ex Parte Relief: The court also has the inherent jurisdiction to grant ex parte relief, without notice, authorising the detention, seizure or preservation of property as to which there is strong prima facie evidence that it consists of articles infringing the plaintiff’s rights (e.g. copyright, privacy rights), and to make an order that such articles be held in the custody of a responsible person on the plaintiff’s behalf.
  • Third Party Discovery: Once civil proceedings have commenced, formal discovery may be obtained from persons not party to the proceeding. Parties to an action can apply to the court for an order for discovery against a third party where that third party appears likely to have in its possession, custody or power any document which relates to the matters in the action. Costs of complying with the discovery request will generally be borne by the requesting party.

Is there any restriction on the use that can be made of the information or documentation obtained regarding a data breach incident using a legal process?

Yes, a party obtaining information or documentation pursuant to one of the above described legal processes will be limited to using such information or documentation only for the purposes for which they were obtained. Court orders will generally specify the limited purposes for which the relevant material is to be used. Any misuse of the material may be restrained by injunction or punishable as a contempt of court. For documents obtained through the formal discovery of documents process in civil litigation, there is an implied undertaking by a party obtaining such documents to use them only for purposes of conducting its own case, and not for any collateral or ulterior purpose. That party may apply to the court for permission to use the documents for other purposes, such as other proceedings or to disclose the documents to law enforcement authorities; however, such applications will generally only be granted in exceptional circumstances.

Is it possible to maintain confidentiality in relation to the legal steps necessary to get access to the data or information?

Hong Kong civil proceedings are normally held in open court; however, ex parte applications for injunctions or orders of a restraining or compulsory nature, such as Anton Piller or Norwich Pharmacal orders, would not normally be heard in public, particularly if a public hearing would prejudice the interests of justice. Certain matters relating to children, disabled persons and intellectual property rights are also more commonly heard in chambers not open to the public. When applying for Norwich Pharmacal orders in relation to a third party, the applicant may also apply for a “gagging order” prohibiting the third party from disclosing the fact of the application, or compliance with it, to any other party. Gagging orders are generally only made in exceptional circumstances where the court considers there is a demonstrable risk that, if the wrongdoer were made aware that he/she was being pursued, he/she would take steps to frustrate any claim or investigation against him/her.

If it is later determined that proceedings should be commenced in another jurisdiction (for example, the perpetrator is found to reside there), can you stop the proceedings in this jurisdiction in such a way that you are not prevented from commencing proceedings on the same issue as a result of the application of res judicata, double jeopardy or some other similar principle?

There is little risk of res judicata if no final determination on the merits of the proceeding has been rendered by a Hong Kong court. However, a claimant may encounter procedural obstacles if it undertakes simultaneous civil proceedings on substantially the same issues in two different jurisdictions. There is no mechanism by which a Hong Kong proceeding can be transferred to a court of another jurisdiction, but a claimant will be free to discontinue the Hong Kong claim with no adverse consequences so long as no final determination of the merits of the claim has been made by the Hong Kong court. Depending on the circumstances, claims can be discontinued either with or without permission of the court. Claims may be discontinued without the court’s permission not later than 14 days after service of a defendant’s defence. Discontinuing the claim would not be a bar to the plaintiff bringing another claim in respect of the same cause of action at a later time; however, the defendant will be entitled to his/her taxed (i.e. court assessed) costs. Claims may be discontinued with the court’s permission at any time, but only on terms ordered by the court. The court has broad discretion in making such an order and can order that the plaintiff pay the defendant’s costs, or not. The court can order that no further action may be brought in respect of the cause of action, or the court may even refuse to grant permission to discontinue the claim and award judgment to the defendant.

Is there an obligation in your jurisdiction to hold personal information securely?

Yes, Data Protection Principle 4 in the Personal Data (Privacy) Ordinance requires that data users take all practical steps to ensure that personal data held by the data user are protected against unauthorised or accidental access, processing, erasure, loss or use. Further, if a data user engages a data processor, whether inside or outside Hong Kong, to process personal data on the data user’s behalf, the data user must adopt contractual and other means to keep the data secure. Various industry regulators have issued guidance and codes of conduct requiring regulated entities to take reasonable steps to implement adequate information security measures, but no concrete standards have yet been mandated.

Does the law in your jurisdiction restrict or place conditions on the transfer of personal or other information to other foreign jurisdictions?

There are no formal requirements under Hong Kong law placing conditions on the transfer of personal data (or other information) to other jurisdictions. Section 33 of the Personal Data (Privacy) Ordinance does contain restrictions on the circumstances and jurisdictions to which personal data can be transferred outside of Hong Kong; however, this section is not yet in force and there is currently no timeline set for its enforcement. However, Data Protection Principle 1 does require that data users collecting personal data from data subjects notify them, on or before collection of their personal data, of not only the purposes for which the data will be put to use, but also the classes of transferees to whom such data may be transferred.

Is there a generally applicable obligation to notify data subjects of a data breach in your jurisdiction?

No. Please see the answer to the next question.

Is there a generally applicable obligation to notify the authorities of a data breach in your jurisdiction?

No, there are no generally applicable mandatory data breach notification obligations in Hong Kong. However, the Privacy Commissioner has issued a “Guidance Note on Data Breach Handling and the Giving of Data Breach Notifications” which recommends that, where personal data is subject to a data breach, notifications be given to the Privacy Commissioner, affected data subjects and various other stakeholders.

Are there sector specific mandatory data breach notification obligations in your jurisdiction?

No, there are no sector specific mandatory data breach notification obligations in Hong Kong. However, various industry regulators do recommend notifications be made in the event of a data breach. For example, the Hong Kong Monetary Authority (HKMA), which regulates banks and other financial institutions, issued its Guidelines on Customer Data Protection, which indicates that the HKMA expects regulated institutions to report data breaches to the HKMA and affected customers. Although not a prescriptive requirement, failure to meet this expectation could lead to disciplinary sanctions and/or other consequences imposed by the HKMA. Hong Kong public listed companies are subject to mandatory disclosure requirements in respect of “inside information” which could, if made public, materially affect the price of listed securities: see s. 307B of the Securities and Futures Ordinance (Chapter 571 of the Laws of Hong Kong). Whether or not a data breach would constitute such inside information is a matter to be addressed by the directors of the listed companies having regard to the specific circumstances of the breach, but such disclosures are currently rare in Hong Kong.


[1] “Telecommunications” includes transmission, emission or reception of communication by means of guided or unguided electromagnetic energy or both, other than any transmission or emission intended to be received or perceived directly by the human eye.
[2] “Property” as defined in section 59 of the Crimes Ordinance includes any program or data held in a computer or a computer storage medium.