The Ordinance is enforced by the Office of the Privacy Commissioner for Personal Data ("PCPD"), an independent statutory body.
In 2012, the Ordinance was substantially reviewed and two major amendments introduced which strengthened direct marketing regulations and introduced criminal offences. Since then, a data user is liable to a fine of up to HK$500,000 and up to 3 years' imprisonment if they did not obtain an individual’s consent before using their personal data for direct marketing. The penalties can increase to HK$1,000,000 and 5 years’ imprisonment if the data is provided to a third party without consent.
PCPD also works to publicise stakeholder engagement and public awareness on the protection of personal data. For example, in February 2014, a Privacy Management Programme was launched to encourage and provide guidelines to corporate data users to embrace personal data privacy protection as part of their corporate governance responsibilities. Since 2015, PCPD has also produced a number of TV announcements as well as educational videos and many print publications to raise the public’s awareness of protecting personal data, particularly online.
During the recent elections of the new Legislative Council and the next Chief Executive of the Hong Kong SAR Government, PCPD repeatedly issued statements to electoral polling organizations that gauge public views to clarify concerns over suspected data leakages. One poll was discontinued, at the request of PCPD, for contravening the Data Protection Principles under the Ordinance. (Please see here for PCPD's full statement.) Shortly after the Chief Executive Election in March 2017, PCPD also instigated an investigation into a reported loss by the Registration and Electoral Office of two notebook computers which contained personal data of registered voters of the election.
As well as working overseeing local personal data protection, PCPD also works in co-operation with overseas counterparts in privacy protection. It is currently conducting a comparative study on the Ordinance and the new European General Data Protection Regulation (“GDPR”) which will replace existing data protection laws throughout the European Union ("EU") and come into force on 25 May 2018. The GDPR will apply worldwide on all EU-established organisations and organisations that are located outside the EU that process EU personal data or monitor individuals within the EU. The maximum fine for a breach of the GDPR will be up to 4 percent of a business’s worldwide turnover or €20 million per infringement, whichever is higher.
Consequently, it will have a significant impact on businesses around the world, irrespective of where they operate. Once the study has been concluded, it is likely the PCPD will enhance Hong Kong SAR’s personal data privacy protection in Hong Kong SAR in conjunction with the new GDPR concepts of data protection such as the right to be forgotten, data portability, accountability and profiling. The extent of the adoption of these principles in the Ordinance is to be determined. It will also be considering the impact of the Internet of Things, Big Data and Artificial Intelligence and how they should be reflected in any future changes in the Ordinance.
At the same time, in the absence of a codified data protection law in China, it may help Hong Kong SAR to serve as the data hub for data transfers between China and the EU so that European companies with businesses in mainland China, and vice versa, can set up data centres in Hong Kong SAR to store personal and operational data in compliance with the GDPR requirements.
We will continue to monitor PCPD activities and will report back once any amendments to the existing Ordinance are tabled.