Last review date: 31 December 2024

PDPO

Pursuant to a 2020 decision of the Administrative Appeals Board (AAB), the AAB determined that the scope/territorial jurisdiction of the PDPO covers "only persons being data user who has operations controlled in or from Hong Kong." The AAB took into account the fact that the PCPD has difficulty in taking enforcement action against a foreign entity, as it will be frivolous for the PCPD to serve any enforcement notice on foreign entities that have no operations in Hong Kong. As such, the PDPO does not generally have extra-territorial effect.

However, the anti-doxxing provisions under the amended PDPO empowers the PCPD to serve cessation notices on service providers, requesting the removal of doxxing messages. Such notices may be served on non-Hong Kong service providers. Therefore, cessation notices served on non-Hong Kong service providers do have extra-territorial effect. Save for the above, the other provisions of the PDPO continue to operate without extra-territorial effect.

CI Bill

The Government has clarified that the CI Bill will not have extraterritorial effect, as it does not purport to exercise long-arm enforcement jurisdiction over places outside Hong Kong. However, the first draft of the CI Bill states that CIOs are required to produce documents in their possession, under their control, or otherwise accessible by them in or from Hong Kong, which may potentially include documents stored outside Hong Kong if the same are under the CIOs’ control. Further, a regulating authority may designate a computer system as a CCS, whether under the control of the operator or not, that is accessible by the operator in or from Hong Kong – in other words, a computer system does not need to be physically located in Hong Kong for it to be eligible to be designated as a CCS.