Data Privacy Law in Hong Kong – Overview

The advancement of technology has not only reshaped the business landscape as we know it, but has also opened the Pandora’s Box of data privacy in the cyber world. While data privacy remains one of the biggest concerns for many internet users, many countries are updating their data protection laws to keep up with evolving technology. From China’s Cybersecurity Law and Australia’s mandatory data breach notification scheme to the EU General Data Protection Regulation (“GDPR”) that took the world by storm on 25 May 2018, personal data protection is currently the most talked-about issue globally.

Hong Kong, a country that always stays ahead of the trend no matter how fast technology evolves, was one of the first Asian countries to enact a data privacy law. This article provides an overview of data privacy law in Hong Kong, including the relevant legislation, the governing authority, key definitions and the Six Data Protection Principles.


An Overview of Hong Kong’s Data Privacy Law

The principal data protection law in Hong Kong is the Personal Data (Privacy) Ordinance (Cap. 486) (the “PDPO”), which came into force in 1996. Primarily based on the Organisation for Economic Co-operation and Development’s Guidelines and the Data Protection Directive EC95/46, the PDPO governs data protection and data privacy in Hong Kong.

The Privacy Commissioner for Personal Data (“PCPD”) last conducted a statutory review of the PDPO in 2012; that review led to the 2012 Amendments, which focused on marketing-related obligations.


Important Definitions under PDPO

  1. Personal Data
    • The PDPO defines “Personal Data” as any information that relates to a living individual and from which that individual can be identified.
    • The data must exist in a form in which access to or processing of the data is practicable. Processing of data includes amendment, augmentation, deletion, or rearrangement of the data by any means.
    • Examples of personal data: names, phone numbers, addresses, identity card numbers, photos, medical records, and employment records.
  2. Data User
    • As defined in the PDPO, a “Data User” is a person who (either alone or jointly or in common with others) manages the collection, holding, processing, or use of the data.
    • At the same time, the Data User remains liable as principal for any unlawful act of its authorised data processor.
  3. Data Subject
    In relation to personal data, the Data Subject is the individual who is the subject of the data.
  4. Data Controller
    “Data Controller”, as used in the PDPO, has the same meaning as Data User.


Key Principles under PDPO: Six Data Protection Principles

A Data User, being responsible for data handling, has to comply with the Six Data Protection Principles (“DPPs”). As the name suggests, the DPPs are the foundation of the Ordinance and stipulate the key principles of data privacy and data protection.

DPP1 – Data Collection Principle

  • The PDPO stipulates that personal data must be collected lawfully and fairly, for a purpose directly related to a function or activity of the data user.
  • The data subject must be informed of the purpose of collection and of the classes of persons to whom the data may be transferred.
  • Data should be collected only where it is relevant, necessary, and not excessive for that purpose.

DPP2 – Accuracy & Retention Principle

This principle requires that all necessary and practicable steps be taken to ensure the accuracy of personal data, and that the data not be kept longer than is necessary to fulfil the purpose for which it is used.

DPP3 – Data Use Principle

DPP3 stipulates that personal data must be used only for the purpose for which it was collected (or a directly related purpose), unless the data subject gives voluntary and explicit consent to a new purpose. Explicit consent means the direct consent of the individual: the individual has been presented with an informed option to agree or disagree with the collection, use, or disclosure of the data.

DPP4 – Data Security Principle

A data user has to take practicable and precautionary measures to safeguard personal data against unauthorised or unwanted access, processing, deletion, loss, or use.

DPP5 – Openness Principle

This principle requires a data user to take practicable steps to make its personal data policies and practices publicly known, including the types of personal data it holds and how that data is used.

DPP6 – Data Access & Correction Principle

Under this principle, a data subject must be granted access to his or her personal data and is entitled to have it corrected if it is found to be inaccurate.


Offences and Compensation

While non-compliance with a Data Protection Principle does not in itself amount to a criminal offence, the data user may receive an Enforcement Notice from the Commissioner directing it to remedy the contravention, and/or the Commissioner may initiate prosecution.

According to the Ordinance, each of the following is a criminal offence:

  • Part VI – misuse or inappropriate use of personal data in direct marketing activities;
  • Section 19 – non-compliance with a Data Access Request;
  • Section 64 – disclosure of personal data that was obtained without the consent of the data user.

An individual who suffers damage (including, but not limited to, injured feelings) because of a contravention of the Ordinance in relation to his or her personal data may seek compensation from the data user concerned. Note also that contravention of an enforcement notice is an offence in Hong Kong, punishable by a maximum fine of HK$50,000 and two years’ imprisonment.

The Ordinance also provides exemptions for certain types or uses of data:

  • Personal data held for domestic or recreational purposes;
  • Employment purposes – certain employment-related personal data and the related processes;
  • Data access and use required in legal proceedings;
  • Data held for the purpose of tax assessment; and
  • Data held and used by the Hong Kong government for the security, defence and international relations of the country.