
Data privacy compliance is a growing priority for businesses operating in Hong Kong. The Personal Data (Privacy) Ordinance (PDPO) (Cap. 486) governs the collection, use, and handling of personal data in Hong Kong and applies to virtually all businesses, regardless of size or sector. In recent years, the Office of the Privacy Commissioner for Personal Data (PCPD) has increased its enforcement activity, and amendments to the PDPO in 2021 significantly expanded the Ordinance's scope and enforcement powers. For businesses that collect, use, or share personal data — which is to say, essentially all businesses — understanding and complying with the PDPO is a legal and operational necessity.
This guide sets out the key obligations under the PDPO, the amendments made in 2021, and what businesses need to do to achieve and maintain compliance.
"Personal data" is defined in the PDPO as any data relating directly or indirectly to a living individual from which it is reasonably practicable to ascertain the individual's identity, and in a form from which access to or processing of the data is reasonably practicable. This definition is broad and includes names, contact details, identification numbers, financial information, employment records, location data, IP addresses, cookie identifiers, and biometric data, among others.
The PDPO does not apply to data about deceased persons or corporations (only living individuals), and it does not apply to data held for purely personal or domestic purposes. However, it applies to virtually all commercial and professional data handling.
The core obligations under the PDPO are set out in the six Data Protection Principles (DPPs), which govern every stage of the personal data lifecycle:
DPP1 – Purpose and Manner of Collection: Personal data must be collected for a lawful purpose directly related to a function or activity of the data user. The collection must be necessary for or directly related to that purpose, and the data must be adequate but not excessive. The data subject must be informed of the purpose of collection and the classes of persons to whom the data may be transferred.
DPP2 – Accuracy and Retention: Personal data must be accurate, and practicable steps must be taken to ensure it is not retained longer than is necessary for the purpose for which it was collected. Data users should implement retention policies and procedures for the destruction or anonymisation of data no longer needed.
DPP3 – Use of Personal Data: Personal data must not be used for a purpose other than the purpose for which it was collected, or a directly related purpose, without the express (voluntary and informed) consent of the data subject. This principle is particularly important for marketing, profiling, and data sharing activities.
DPP4 – Security of Personal Data: Practicable steps must be taken to protect personal data against unauthorised or accidental access, processing, erasure, loss, or use. Security measures must be appropriate to the nature and form of the data. This principle underpins data breach prevention and response obligations.
DPP5 – Openness and Transparency: Data users must make available, on request, information about what types of personal data they hold, the main purposes for which they hold it, and their policies on the handling of personal data. A privacy policy (published on the data user's website or otherwise made available) is the primary mechanism for satisfying DPP5.
DPP6 – Access and Correction: Data subjects have the right to access personal data held about them and to request correction of inaccurate data. Data access requests (DARs) must be responded to within 40 days of receipt. Data users cannot impose conditions on, charge excessive fees for, or refuse access to personal data without a lawful basis.
When collecting personal data from a data subject, the PDPO requires the data user to notify the individual, at or before the time of collection, of specific information including: the purpose for which the data is to be used; the classes of persons to whom the data may be transferred; whether it is obligatory or voluntary for the data subject to supply the data, and the consequences of not doing so; and the data subject's right to access and correct the data. This notification is known as a Personal Information Collection Statement (PICS).
A PICS must be provided whenever personal data is collected from the individual directly — for example, in job applications, customer registration forms, subscription forms, e-commerce checkout processes, and survey forms. In digital contexts, the PICS is typically incorporated into the privacy policy or presented as a separate notice at the point of data collection. The PICS must be clear, specific, and legible — a generic, lengthy privacy policy written in fine print does not satisfy the PICS requirement if it is not practically accessible at the point of collection.
The PDPO imposes specific rules on the use of personal data for direct marketing. A data user may not use personal data for direct marketing (or transfer it to another party for use in direct marketing) without the explicit and unambiguous consent of the data subject. "Direct marketing" includes electronic messages (email, SMS, push notifications), telephone calls, postal marketing, and any other means of directly soliciting sales or promoting products or services.
Where a data user wishes to use personal data for direct marketing, it must: inform the data subject of the intention to use the data for direct marketing, and invite the data subject to provide an opt-in consent; specify the classes of data to be used and the class of goods or services to be marketed; and provide a free and convenient opt-out mechanism. Consent must be positive — pre-ticked boxes or passive inaction do not constitute valid consent. The data subject has the right to opt out at any time without charge.
Contravention of the direct marketing provisions is a criminal offence. The PCPD has taken enforcement action against businesses for systematic non-compliance with direct marketing rules.
The PDPO restricts the transfer of personal data to places outside Hong Kong, but this restriction applies only in limited circumstances. Under DPP3, personal data transferred to a location outside Hong Kong must not be used (in the hands of the recipient) for a purpose other than the purpose for which it was collected in Hong Kong. In practice, this means that data transfer agreements (also known as data processing agreements) between the Hong Kong data user and the overseas recipient are advisable, to ensure that the recipient's use of the data is consistent with the PDPO requirements.
The PCPD has issued recommendations on cross-border data transfer, including guidance on the use of data transfer agreements and the circumstances in which further safeguards (such as adequacy assessments of the recipient jurisdiction's data protection regime) are appropriate. Businesses that regularly transfer personal data to overseas group entities, service providers, or cloud platforms should ensure they have appropriate contractual arrangements in place.
Significant amendments to the PDPO came into effect on 8 October 2021. The most notable changes were:
Doxxing offences: New criminal offences were created for "doxxing" — disclosing personal data of a person without that person's consent, with an intent to cause harm or harassment to the data subject or any family member. Doxxing offences carry maximum penalties of a fine of HK$1,000,000 and imprisonment for 5 years. The PCPD has new investigation and enforcement powers specifically in relation to doxxing, including the power to issue cessation notices to online platforms and service providers requiring them to remove doxxing content.
Enhanced enforcement powers: The PCPD was given expanded powers to conduct investigations on its own initiative (without a formal complaint from a data subject). This means businesses can be investigated for PDPO compliance even if no individual has complained about them.
Increased penalties: Penalties for certain PDPO offences were increased. Repeat contraventions of enforcement notices now carry higher fines and a maximum imprisonment term of 2 years.
Although the PDPO does not currently impose a mandatory data breach notification obligation (unlike the GDPR in the European Union), the PCPD has issued guidance strongly recommending that organisations notify affected data subjects promptly when a data breach occurs that creates a real risk of harm. The PCPD has also indicated its support for introducing a mandatory breach notification requirement in future amendments to the PDPO.
In the event of a data breach, businesses should: contain the breach (stopping the leakage or unauthorised access as quickly as possible); assess the risk of harm to affected data subjects; notify the PCPD and affected individuals if the breach creates a real risk of harm; and review and remediate the security failure that caused the breach. A documented incident response plan, prepared before a breach occurs, is an essential component of a mature data privacy compliance programme.
Achieving PDPO compliance requires both documentation and operational practice. Key steps include: conducting a data audit to map what personal data is collected, for what purposes, where it is stored, and to whom it is transferred; reviewing and updating privacy policies and PICS to ensure they are accurate, specific, and accessible; implementing appropriate technical and organisational security measures; establishing procedures for handling DARs within the statutory 40-day timeframe; reviewing direct marketing practices for compliance with the opt-in requirements; putting data transfer agreements in place for overseas data transfers; and training all staff who handle personal data on their PDPO obligations.
For larger organisations, appointing a dedicated Data Protection Officer (DPO) or equivalent is good practice and is a recommendation of the PCPD, even though a mandatory DPO requirement has not yet been introduced under the PDPO.
Alan Wong LLP advises businesses on all aspects of PDPO compliance, including: conducting data privacy audits and gap analyses; drafting and reviewing privacy policies, PICS, and data transfer agreements; advising on cross-border data transfer arrangements; responding to PCPD investigations and enforcement notices; advising on direct marketing compliance; and advising on data breach response and notification. We work with businesses across a range of sectors — including financial services, technology, healthcare, and professional services — to build practical, proportionate data privacy compliance programmes that protect both the business and its customers.