Personal Data (Privacy) Law in Hong Kong: A Practical Guide on Compliance (Second Edition)

The idea of a right to privacy, which arose in reaction to the rapid rise of newspapers, instant photography and the “paparazzi” of the 19th century, has evolved into a constitutional right in much of the developed world. It is enshrined in Hong Kong through Articles 28, 29, 30 and 39 of the Basic Law. Hong Kong stands proud as the first jurisdiction in Asia to enact legislation to safeguard personal data in the form of the Personal Data (Privacy) Ordinance, Cap 486 (“the Ordinance”) which came into force in 1996. At its centre are the six Data Protection Principles based on the 1980 OECD Guidelines. The office of the Privacy Commissioner for Personal Data was created under this legislation to provide oversight and ensure compliance. The Octopus scandal in mid-2010 eventually led to substantial changes being made to the Ordinance that were enacted in 2012 and 2013, the main amendments being the Direct Marketing provisions and the provision of legal assistance and representation to aggrieved persons. In this digital age, the Ordinance is proving to be the main safeguard of our privacy rights.

The Data Protection Principles seek to create broad common principles based on fairness that apply to the public and private sectors. The passage of twenty years since the enactment of the Ordinance has given rise to a substantial body of case law and administrative decisions on these principles and the other provisions of the Ordinance. The new amendments have already been the subject of judicial scrutiny. This publication, which replaces its predecessor, has the dual aim of becoming a practitioner’s guide on the important subject of personal data privacy, containing, as it does, a detailed exposition of the principles and provisions in the Ordinance and a comprehensive source of reference materials, and of enabling the Privacy Commissioner to discharge his major duty to promote awareness and understanding of the Ordinance.

The second edition includes not only a full discussion of these principles, but also summaries of all the seminal cases and Administrative Appeals Board rulings in this area, as well as a comprehensive list of all the pertinent cases.
Pub. Date: Jan 22, 2021
884 pages
178 x 254 mm
The publication of the second edition of this book marks the Silver Jubilee of the enactment of the Personal Data (Privacy) Ordinance, Cap 486, Laws of Hong Kong. There is little dispute that over the last quarter of a century, our daily lives have been more impacted by data-related developments than in any other 25-year period in human history.

It is also my fifth year in the post of Privacy Commissioner of Hong Kong. During the last five years, I have witnessed significant parts of the digital evolution, the change of the privacy landscape and the transformation of the associated ecosystems in Hong Kong, the mainland of China and other major jurisdictions around the globe, whereby data is captured, analysed and deployed through a collection of infrastructures, analytics and applications. The rapid ICT developments, typically Big Data, the Internet of Things, cloud computing, Fintech, robotics, Artificial Intelligence and facial recognition, are changing our ways of life and work patterns, from leisure to learning; from seminars to webinars; from cashless shopping to open banking; from direct marketing calls to personalised programmatic advertising; from invited consent to uninformed behavioural tracking or profiling; from data breaches to weaponisation of data; from personal appraisal files to public utilities and health care; and from locking to sharing of data. As privacy-protective technology will continue to grow in power and magnitude, so will the privacy-intrusive one. Inevitably our personal data privacy right is affected one way or another.

The ubiquitous collection and use of our personal data by organisations, often without our knowledge or genuine consent, tend to be accepted as “one of those things” or a price to pay for personal convenience and the vanity of being trendy. Some may be tempted to find shelter in the comfort zone of “we have nothing to hide”. The truth of the matter is not the lucrative wealth that data miners could accumulate as data is money nowadays, but our data, which belongs to us, may be abused or misused, often without our knowledge, in unlawful acts, civil or criminal.

In the past, personal data privacy was often taken as a refuge or sanctuary of an individual’s wrongful acts by not providing the information. Now it can be weaponised to inflict harm, albeit not physical but psychological, on an individual as in doxxing cases. Whilst the value of personal data is appreciating, criminal acts involving personal data have emerged in an unprecedented way. Farther from home, the magnitude and severity of the use or sharing of data by tech-giants without fully appraising the risks involved have seemingly flown in the face of the regulations and dwarfed the effectiveness of the hefty fines imposed by the relevant overseas data protection authorities.

Part 1 Introduction

Chapter 1 Introduction 

Part 2 Definitions

Chapter 2 The Meaning of “Personal Data”

Chapter 3 The Meaning of “Collect”

Chapter 4 The Meaning of “Data User”

Part 3 Data Protection Principles under Schedule 1 of the Ordinance

Chapter 5 Data Protection Principle 1

Chapter 6 Data Protection Principle 2

Chapter 7 Data Protection Principle 3

Chapter 8 Data Protection Principle 4 

Chapter 9 Data Protection Principle 5

Chapter 10 Data Protection Principle 6(a) to (d) and the Data Access Provisions in Part 5

Chapter 11 Data Protection Principle 6(e) to (g) and the Data Correction Provisions in Part 5

Part 4 Selected Provisions of the Ordinance

Chapter 12 Exemption Provisions in Part 8

Chapter 13 The Commissioner’s Statutory Duties in Investigations

Chapter 14 Data Breach Handling and Notifications

Chapter 15 Criminal Offences

Part 5 Appendices

Appendix I Full text of the Personal Data (Privacy) Ordinance (Cap 486)

Appendix II The Codes of Practice Issued by the Commissioner under Section 12 of the Ordinance

Appendix III Selected Case Notes on Court Judgments

Appendix IV Selected Case Notes on Administrative Appeals Board Decisions

Appendix V Comparative table of the PDPO and the GDPR

Appendix VI Checklist for Data Users in Ensuring Compliance with the Ordinance

Appendix VII Data Subject’s Rights When His Personal Data Privacy Interest is Infringed

Appendix VIII List of Publications of the Commissioner

Part 6 Bibliography


List of Court Cases and Administrative Appeals Board Decisions

Mr. Stephen Kai-yi WONG

Mr. Stephen WONG is the former Privacy Commissioner for Personal Data in Hong Kong. He is also a Barrister and Adjunct Professor of the School of Law, City University of Hong Kong.

Professor Guobin ZHU

Guobin ZHU is a Professor in the School of Law, City University of Hong Kong and also the Director of City University of Hong Kong Press.