The Privacy Commissioner (“PCO”) has the power to conduct investigations, inspect data privacy systems, issue enforcement notices and submit matters to the police for criminal investigation or prosecution.
Individuals can file complaints with the PCO for investigation and civil claims in the court. Individuals who have suffered harm from a contravention of Hong Kong data protection law may apply to the PCO for legal assistance in obtaining information and/or pursuing claims against data users.
Direct marketing offences are punishable by fines of up to HK$1,000,000 and up to 5 years' imprisonment. Failure to comply with an enforcement notice issued by the PCO is punishable by a fine of up to HK$50,000 and up to 2 years' imprisonment (with fines of up to HK$100,000 and up to 2 years' imprisonment for recalcitrant behaviour). Continuing non-compliance attracts a daily penalty of up to HK$1,000 (or HK$2,000 for recalcitrant behaviour).
Private prosecution; damages for injury to feelings.
Selected Enforcement Actions / General Comments
Here are some examples of recent enforcement action in Hong Kong:
- In 2010, the PCO investigated Octopus Rewards Limited for the sale of personal data of over 2 million customers. The sale of personal data without the consent of the data subject was made a criminal offence under the Personal Data (Privacy) (Amendment) Ordinance, which came into force in 2012.
- The amended Personal Data (Privacy) Ordinance dramatically increases penalties and introduces new offences particularly focused on direct marketing and unauthorized disclosure of personal data.
- In 2012, the PCO also investigated various local retailers in relation to their collection and use of customer personal data in connection with customer loyalty programs. The PCO required the retailers to cease collecting customers’ Hong Kong identity card numbers, delete any such data already collected, and give more comprehensive notifications to customers upon the collection of their personal data.