Last review date: 31 December 2024
The Privacy Commissioner for Personal Data (PCPD) is the dedicated data privacy regulator in Hong Kong.
There is no specific regulator for non-personal data, as Hong Kong has no general laws or regulations governing non-personal data (trade secrets and other confidential information are protected under common law and contract law).
The Cyber Security and Technology Crime Bureau of the Hong Kong Police Force (HKPF) is also a key enforcement authority, responsible for handling cybercrime. However, once the CI Bill (the Protection of Critical Infrastructures (Computer Systems) Bill) takes effect, the CI Commissioner and the Designated Authorities will be the main cybersecurity regulators.
Very active (PCPD and HKPF)
We expect that combating "doxxing" will remain a top priority of the PCPD and the HKPF. This involves the PCPD carrying out criminal investigations, instituting prosecutions and issuing cessation notices.
The PCPD commonly takes enforcement action upon receipt of a complaint and, depending on the nature and severity of the case, may conciliate between the parties, conduct an investigation or, in serious cases (for example, those involving direct marketing or non-compliance with data access/correction requests), refer the matter to the HKPF. We expect the PCPD to continue along this enforcement direction.
In addition, there have been a number of high-profile and/or large-scale data breach incidents in recent years. Although the PDPO currently imposes no mandatory breach reporting obligation, the PCPD issued an updated Guidance on Data Breach Handling and Data Breach Notifications in June 2023, which places increased emphasis on data breach notification. We expect the PCPD to continue to focus on data users' obligations with respect to the security of personal data.
As we do not expect the CI Bill to take effect until 2026 – 2027, it is unlikely that we will see any enforcement action from the CI Commissioner and Designated Authorities in the coming 12 months.
Regulatory investigations or direct enforcement activity by data or cyber regulators are:
Class actions/group actions under data or cyber regulation are:
Administrative remedies / civil penalties applied by regulators and law enforcement
The PDPO is a principle-based law and contains six Data Protection Principles (DPPs) that data users are required to comply with.
Whilst contravening a DPP is not in itself a criminal offense, it may lead to an investigation by the PCPD. Where an investigation finds a contravention, the PCPD has the power to issue an enforcement notice directing the data user to remedy the contravention and prevent its recurrence.
Criminal penalties from regulators and law enforcement
Non-compliance with an enforcement notice issued by the PCPD is a criminal offense. On first conviction, the data user is liable to a maximum fine of HKD 50,000 (approximately USD 6,400) and imprisonment for two years, plus, if the offense continues after conviction, a further fine of HKD 1,000 (approximately USD 130) for each day during which the offense continues. On a second or subsequent conviction, the maximum penalty is a fine of HKD 100,000 (approximately USD 12,800) and imprisonment for two years, plus a further daily fine of HKD 2,000 (approximately USD 260) for a continuing offense.
Non-compliance with the direct marketing requirements of the PDPO is punishable by a maximum fine of HKD 500,000 (approximately USD 64,000) and three years' imprisonment, rising to a maximum fine of HKD 1 million (approximately USD 128,000) and five years' imprisonment where personal data is provided to a third party for use in direct marketing for gain.
A person who commits an offense under the "anti-doxxing" provisions is liable on conviction to a maximum penalty of a fine of HKD one million (approximately USD 128,000) and imprisonment for five years.
Non-compliance with a cessation notice served by the PCPD pursuant to the "anti-doxxing" provisions is a criminal offense. On first conviction, the maximum penalty is a fine of HKD 50,000 (approximately USD 6,400) and imprisonment for two years, and in the case of a continuing offense, a further fine of HKD 1,000 (approximately USD 130) for every day during which the offense continues. On each subsequent conviction, the maximum penalty is a fine of HKD 100,000 (approximately USD 12,800) and imprisonment for two years, and in the case of a continuing offense, a further fine of HKD 2,000 (approximately USD 260) for every day during which the offense continues.
Under the CI Bill, non-compliance with a statutory obligation, with a written direction issued by the CI Commissioner or a Designated Authority, or with an investigative or information request made by either of them, constitutes a criminal offense punishable by a fine. The maximum fines that may be imposed on organizations range from HKD 500,000 to HKD 5 million, with additional daily fines for continuing offenses.
Private remedies
Individuals can file complaints with the PCPD and can also bring civil proceedings against a data user to seek compensation where they have suffered damage by reason of a contravention of a PDPO requirement.