Day: May 29, 2024

Personal Data Protection Law in Hong Kong

Hong Kong’s statutory and common law privacy laws protect personal data. These laws apply to a person’s right to privacy and the prohibition on arbitrary interference with his family, home or correspondence. In addition, the Hong Kong Declaration of Human Rights stipulates that a person may not be subjected to unlawful attacks on his honour and reputation.

However, these statutory and common law provisions do not provide a legal basis for processing personal data outside the territory of Hong Kong. Instead, a legal basis for processing personal data must be provided under the Personal Data (Privacy) Ordinance (PDPO). The PCPD has published recommended model clauses for this purpose. These model clauses are designed for the situations where a Hong Kong data user transfers personal data to a foreign entity and/or between two entities one of which is located outside Hong Kong and the other controlled by the Hong Kong data user.

PDPO requires a data user to fulfill a broad set of obligations, including complying with six DPPs (Data protection principles). These core requirements are triggered when data is collected and must be satisfied regardless of whether the purpose for collecting the personal data is for use within or outside Hong Kong.

For example, the PDPO states that personal data must be collected for a lawful purpose and the purposes must be directly related to a function or activity of the data user. The PDPO also states that personal data must be adequate but not excessive for the purpose of collection.

Furthermore, a Hong Kong data user is required to inform data subjects of the purposes for which personal data will be collected. This requirement is fulfilled when the data user issues a Personal Information Collection Statement (“PICS”) to the data subject prior to collecting the personal data.

Finally, a Hong Kong data user must obtain the consent of the data subject for collecting personal data and where processing takes place within the territory, the consent of the data subject must be express. However, this requirement is markedly less onerous than the GDPR’s requirement to obtain the consent of the data subject for each purpose for which the personal data is processed.

Moreover, the PDPO provides that data users are liable for their agents and contractors’ breach of a PDPO obligation even though such breaches may take place outside of Hong Kong. This principle is similar to the European Union’s “data processor liability” principle which has been adopted by a number of countries.

For the record, HK Telecom has several data plans that include unlimited free internet access: a prepaid HK$ 88 30-day plan with a speed of 3.6 Mbps; activate by dialing *101*420#; and an add-on for US, Canada, Australia, New Zealand at HK$ 268 for 5 GB for 8 days. Each package has a FUP of 15 GB after which usage will be throttled to 128 kbps. These packages are available on the mobile app Telecom OnGo.