Header graphic for print
HL Chronicle of Data Protection Privacy & Information Security News & Trends
Posted in International/EU Privacy

Hong Kong Personal Data (Privacy)Ordinance Amendment Prompts Reviews of Data Protection Policies and Practices

This entry was drafted by Gabriela Kennedy, Partner, Hogan Lovells, Hong Kong  and Heidi Gleeson, Registered Foreign lawyer, Hogan Lovells, Hong Kong.

The Hong Kong Personal Data (Privacy) Amendment Ordinance was passed on 27 June 2012. This ends a nearly three year process initially spurred by the need to bring the existing legislation in line with technological and other advancements that occurred since it was enacted in 1996.

Some of the provisions of the Amendment Ordinance will come into effect on 1 October 2012.  A number will come into effect at a later date. These include provisions relating to use/transfer/sale of personal data for direct marketing purposes and the legal assistance scheme provided by the Commissioner, all of which are expected to be implemented in the first half of 2013. 

Some of the major changes include the introduction of:  

·       new requirements relating to the use, transfer or sale of personal data for direct marketing (including requirements relating to notification and consent) (maximum penalties: HK$ 500,000 fine and 3 years’ imprisonment (provisions relating to use/transfer of data for marketing) and HK$ 1 million fine and 5 years’ imprisonment (provisions relating to sale of data). Data users do not have to comply with the new direct marketing requirements if they use personal data collected prior to the commencement date of the such provisions (which date is yet to be confirmed), provided that a number of conditions are fulfilled. This grandfathering arrangement only applies to use of personal data for a data user’s own purposes and does not extend to the transfer/sale of data for direct marketing.  

·       provisions empowering the Privacy Commissioner to issue an enforcement notice, irrespective of whether a breach is likely to continue or be repeated.

·       various new offences (e.g. (i) repeated non-compliance with an enforcement notice; (ii) complying with an enforcement notice but later committing the same contravening act/omission; (iii) disclosure of personal data obtained from a data user without the data user’s consent for certain malicious purposes; (iv) failure to comply with a notice of the Commissioner in relation to a data user return/providing false or misleading material in response to such notice; and (v) misuse of personal data supplied as part of a due diligence exercise) (maximum penalties ranging from: fines between HK$ 10,000 and HK$ 1 million and imprisonment of between 6 months and 5 years).

·       new exemptions for certain provisions of the legislation (e.g. (i) where disclosure is made pursuant to law or court order, or in connection with legal proceedings or defending legal rights; and (ii) where personal data is transferred in connection with a due diligence exercise for an M&A transaction in certain circumstances).

·       requirements for data users to use contractual and other means to ensure that personal data is not mishandled by data processors (data processors are not directly regulated under the Amendment Ordinance).

·       provisions empowering the Privacy Commissioner to provide legal assistance to aggrieved data subjects seeking compensation from data users (e.g. providing advice and arranging for legal representation).


The Amendment Ordinance may be accessed here.


For a more detailed discussion of the key changes please see our Newsflash, available here.