Personal Data (Privacy) Law in Hong Kong: A Practical Guide on Compliance (Second Edition)
The Data Protection Principles seek to create broad common principles based on fairness that apply to the public and private sectors. The passage of twenty years since the enactment of the Ordinance has given rise to a substantial body of case law and administrative decisions on these principles and the other provisions of the Ordinance. The new amendments have already been the subject of judicial scrutiny. This publication, which replaces its predecessor, has the dual aim of becoming a practitioner’s guide on the important subject of personal data privacy, containing, as it does, a detailed exposition of the principles and provisions in the Ordinance and a comprehensive source of reference materials, and of enabling the Privacy Commissioner to discharge his major duty to promote awareness and understanding of the Ordinance.
The second edition includes not only a full discussion of these principles, but also summaries of all the seminal cases and Administrative Appeals Board rulings in this area, as well as a comprehensive list of all the pertinent cases.
It is also my fifth year in the post of Privacy Commissioner of Hong Kong. During the last five years, I have witnessed significant parts of the digital evolution, the change of the privacy landscape and the transformation of the associated ecosystems in Hong Kong, the mainland of China and other major jurisdictions around the globe, whereby data is captured, analysed and deployed through a collection of infrastructures, analytics and applications. The rapid ICT developments, typically Big Data, the Internet of Things, cloud computing, Fintech, robotics, Artificial Intelligence and facial recognition, are changing our ways of life and work patterns, from leisure to learning; from seminars to webinars; from cashless shopping to open banking; from direct marketing calls to personalised programmatic advertising; from invited consent to uninformed behavioural tracking or profiling; from data breaches to weaponisation of data; from personal appraisal files to public utilities and health care; and from locking to sharing of data. As privacy-protective technology will continue to grow in power and magnitude, so will privacy-intrusive technology. Inevitably our personal data privacy right is affected one way or another.
The ubiquitous collection and use of our personal data by organisations, often without our knowledge or genuine consent, tend to be accepted as “one of those things” or a price to pay for personal convenience and the vanity of being trendy. Some may be tempted to find shelter in the comfort zone of “we have nothing to hide”. The truth of the matter is not the lucrative wealth that data miners could accumulate as data is money nowadays, but that our data, which belongs to us, may be abused or misused, often without our knowledge, in unlawful acts, civil or criminal.
In the past, personal data privacy was often taken as a refuge or sanctuary of an individual’s wrongful acts by not providing the information. Now it can be weaponised to inflict harm, albeit not physical but psychological, on an individual as in doxxing cases. Whilst the value of personal data is appreciating, criminal acts involving personal data have emerged in an unprecedented way. Farther from home, the magnitude and severity of the use or sharing of data by tech-giants without fully appraising the risks involved have seemingly flown in the face of the regulations and dwarfed the effectiveness of the hefty fines imposed by the relevant overseas data protection authorities.
Part 1 Introduction
Chapter 1 Introduction
Part 2 Definitions
Chapter 2 The Meaning of “Personal Data”
Chapter 3 The Meaning of “Collect”
Chapter 4 The Meaning of “Data User”
Part 3 Data Protection Principles under Schedule 1 of the Ordinance
Chapter 5 Data Protection Principle 1
Chapter 6 Data Protection Principle 2
Chapter 7 Data Protection Principle 3
Chapter 8 Data Protection Principle 4
Chapter 9 Data Protection Principle 5
Chapter 10 Data Protection Principle 6(a) to (d) and the Data Access Provisions in Part 5
Chapter 11 Data Protection Principle 6(e) to (g) and the Data Correction Provisions in Part 5
Part 4 Selected Provisions of the Ordinance
Chapter 12 Exemption Provisions in Part 8
Chapter 13 The Commissioner’s Statutory Duties in Investigations
Chapter 14 Data Breach Handling and Notifications
Chapter 15 Criminal Offences
Part 5 Appendices
Appendix I Full text of the Personal Data (Privacy) Ordinance (Cap 486)
Appendix II The Codes of Practice Issued by the Commissioner under Section 12 of the Ordinance
Appendix III Selected Case Notes on Court Judgments
Appendix IV Selected Case Notes on Administrative Appeals Board Decisions
Appendix V Comparative table of the PDPO and the GDPR
Appendix VI Checklist for Data Users in Ensuring Compliance with the Ordinance
Appendix VII Data Subject’s Rights When His Personal Data Privacy Interest is Infringed
Appendix VIII List of Publications of the Commissioner
Part 6 Bibliography
List of Court Cases and Administrative Appeals Board Decisions