Among Asia’s longest-running data protection laws, Hong Kong’s Personal Data (Privacy) Ordinance (PDPO) was first passed in 1996 and took effect on 20 December of that year. Its six data protection principles establish individual rights and impose specific obligations on data controllers. The Office of the Privacy Commissioner for Personal Data oversees enforcement of the PDPO. Those who breach the law may face fines of up to HKD 100,000 or imprisonment for two years.
The PDPO applies to “data users”, which can include websites, who alone or jointly control the collection, holding, processing or use of personal information. Its scope is divided into three categories: personal, territorial and material. The personal scope covers any data that identifies a living person; the territorial scope covers any collected or held data that is processed in Hong Kong; and the material scope covers any information that is considered personal.
In general, a data user must inform data subjects of the purpose for which personal data is being collected. They must also inform data subjects of their right to object to the use of their data for direct marketing and provide details of a contact channel through which the data subject can express his or her objection. Furthermore, the PDPO states that it is against the law to transfer data outside of Hong Kong without explicit consent from the data subject.
The PDPO defines personal data as any data that can identify a living individual. This includes personal information such as name, address, telephone number and email address, as well as data that identifies a particular computer or other device. It also extends to information such as IP addresses and website cookies, provided that it can be linked to a living individual. The PDPO further stipulates that data that is no longer needed for the purposes for which it was collected should be destroyed. However, in practice, such destruction is often not possible.
Consent is a key aspect of most data privacy laws and the PDPO is no exception. In fact, the PDPO requires data users to obtain a “prescribed consent” from the data subject before collecting their personal data. Such consent must be clearly expressed and voluntarily given. It must also be revocable at any time. For children, a parent or guardian can give the prescribed consent on behalf of the child.
In addition to the above, the PDPO also stipulates that data users must make it clear how personal data will be used and to whom it will be transferred. This is usually accomplished through the provision of a Personal Information Collection Statement. The PDPO further requires that the data user notify data subjects of any change to this policy within 30 days of the change occurring. This requirement is an important part of a data user’s obligations and is designed to ensure that the information they collect is used in accordance with the PDPO.