BDO Local Resources
Ricky Cheng
Law: Personal Data (Privacy) Ordinance (Cap. 486) as amended in 2012 ('PDPO')
Regulator(s): The Office of the Privacy Commissioner for Personal Data ('PCPD')
Adequacy Agreement with GDPR: No
The Personal Data (Privacy) Ordinance ('PDPO') was passed in 1995 and took effect from December 1996 (except for specific provisions). It is one of Asia's longest-standing comprehensive data protection laws. It has its origins in the August 1994 Law Reform Commission Report entitled Reform of the Law Relating to the Protection of Personal Data. The report recommended that Hong Kong introduce a new privacy law based on the OECD Privacy Guidelines 1980 to ensure adequate data protection, so as to retain its status as an international trading center and give effect to human rights treaty obligations.
In September 2021, the PCPD published frequently asked questions (‘FAQs’) and answers regarding the European Commission’s Standard Contractual Clauses (‘SCCs’) for the transfer of data from the EU to non-EU regions. The FAQs focused on the implementation framework of the new SCCs and third-country party obligations. The PCPD stated, ‘The New SCCs will be relevant to a local entity in Hong Kong if the obligations under the GDPR apply to it as an exporting party on an extra-territorial basis’.
Data Protection Authority Focus
The PDPO applies to both the private and the public sectors, and it is technology-neutral and principle-based. The Data Protection Principles (‘DPPs’ or ‘DPP’), contained in Schedule 1 to the PDPO, outline how data users should collect, handle and use personal data, complemented by other provisions imposing further compliance requirements.
The principles of the PDPO are: DPP1 Purpose and Manner of Collection; DPP2 Accuracy and Duration of Retention; DPP3 Use of Data; DPP4 Data Security; DPP5 Openness and Transparency; DPP6 Access and Correction. Contravention of a DPP is not an offence; however, contravention of specific provisions of the PDPO is an offence.
In September 2021, the Kowloon City Magistrates’ Court convicted an estate agent for violating the PDPO (Cap. 486). The estate agent called a data subject months after the data subject had opted out and requested that no further direct marketing calls be made to them. The estate agent received a fine of HK$15,000 (approximately €1,631 or $1,927). While this is a relatively small penalty, individuals need to understand that they are responsible for protecting data subjects' privacy.
Contravention of an enforcement notice issued by the Privacy Commissioner for Personal Data is also an offence that may result in a maximum fine of HK$50,000 and imprisonment for two years.
Subsequent convictions can result in a maximum penalty of HK$100,000 and imprisonment for two years.