Data Protection Enforcement in Hong Kong

Administrative Remedies

The Privacy Commissioner (“PCO”) has the power to conduct investigations, inspect data privacy systems, issue enforcement notices and submit matters to the police for criminal investigation or prosecution.

Civil Remedies

Individuals can file complaints with the PCO for investigation and bring civil claims in court. Individuals who have suffered harm from a contravention of Hong Kong data protection law may apply to the PCO for legal assistance in obtaining information and/or pursuing claims against data users.

Criminal Remedies

Direct marketing offences are punishable by fines of up to HK$1,000,000 and up to 5 years' imprisonment. Failure to comply with an enforcement notice issued by the PCO is punishable by a fine of up to HK$50,000 and up to 2 years' imprisonment (with fines of up to HK$100,000 and up to 2 years' imprisonment for recalcitrant behaviour). Continuing non-compliance attracts a daily penalty of up to HK$1,000 (or HK$2,000 for recalcitrant behaviour).

Other Remedies

Private prosecution; damages for injury to feelings.

Selected Enforcement Actions / General Comments

Here are some examples of recent enforcement action in Hong Kong:

  • In 2010, the PCO investigated Octopus Rewards Limited for the sale of personal data of over 2 million customers. The sale of personal data without the consent of the data subject was made a criminal offence under the Personal Data (Privacy) (Amendment) Ordinance, which came into force in 2012.
  • The amended Personal Data (Privacy) Ordinance dramatically increases penalties and introduces new offences, particularly focused on direct marketing and unauthorized disclosure of personal data.
  • In 2012, the PCO also investigated various local retailers in relation to their collection and use of customer personal data in connection with customer loyalty programs. The PCO required the retailers to cease collecting customers’ Hong Kong identity card numbers, delete any such data already collected, and give more comprehensive notifications to customers upon the collection of their personal data.
  • In 2014, the PCO conducted a survey of 60 popular mobile applications developed by Hong Kong entities and found that their transparency in terms of privacy policy was clearly inadequate and there was no noticeable improvement compared with the results of a similar survey conducted in 2013. The PCO has also issued a warning and enforcement notice against 2 mobile application operators for inadequate protection and excessive collection of personal data.