Hong Kong Data Privacy Law: A Business Guide to PDPO Compliance

Introduction: Data Privacy in Hong Kong

Hong Kong's Personal Data (Privacy) Ordinance (Cap. 486) (PDPO) has been in force since 1996. It was a pioneering piece of legislation in the Asia-Pacific region, but the explosive growth of digital commerce, cloud computing, and data-driven business models has placed increasing pressure on businesses to rethink how they collect, use, store, and transfer personal data.

The PDPO was significantly amended in 2021 to introduce a mandatory data breach notification regime (effective September 2024), strengthen provisions against doxxing, and expand the enforcement powers of the Office of the Privacy Commissioner for Personal Data (PCPD). These changes, combined with a notable uptick in PCPD investigations and enforcement actions, make PDPO compliance a business-critical priority.

What Is Personal Data Under the PDPO?

The PDPO defines “personal data” as any data: (a) relating directly or indirectly to a living individual; (b) from which the individual can be directly or indirectly identified; and (c) in a form in which access to or processing of the data is practicable.

This is a broad definition. It covers names, HKID numbers, passport numbers, email addresses, phone numbers, IP addresses, biometric data, CCTV footage, employee records, customer transaction data, and any other data that can be linked to an identifiable individual. Anonymised data — data from which all identifying information has been irreversibly removed — falls outside the definition.

The Six Data Protection Principles (DPPs)

The PDPO establishes six Data Protection Principles (DPPs) which data users — businesses and individuals who control the collection, holding, processing, or use of personal data — must comply with.

DPP 1: Purpose and Manner of Collection

Personal data may only be collected for a lawful purpose directly related to a function or activity of the data user. The data collected must be adequate but not excessive for that purpose. The data subject must be informed, on or before collection, of: the purposes for which the data will be used, the classes of persons to whom the data may be transferred, whether the provision of the data is obligatory or voluntary, and the consequences of failing to supply it. This is the purpose and notification requirement.

DPP 2: Accuracy and Retention

Data users must take all practicable steps to ensure that personal data is accurate and, where necessary, updated. Data should not be retained longer than is necessary for the fulfilment of the purpose for which it was collected. A retention policy — specifying how long different categories of data are retained and the basis for that retention period — is a key compliance document.

DPP 3: Use of Personal Data

Personal data may only be used for the purpose for which it was collected, or a directly related purpose, without the voluntary and explicit consent of the data subject. This is the “use limitation” principle and is frequently engaged when businesses wish to use customer data collected for service delivery purposes for marketing or secondary analytics.

DPP 4: Security of Personal Data

Data users must take all practicable steps to protect personal data against unauthorised or accidental access, processing, erasure, loss, or use. This DPP requires businesses to implement technical and organisational security measures proportionate to the nature and sensitivity of the data held. Relevant measures include encryption, access controls, regular penetration testing, employee security training, and incident response procedures.

DPP 5: Openness

Data users must make available to the public, in general terms, the kinds of personal data held, the main purposes for which the data is held, and the policies and practices regarding personal data. This is typically satisfied through a Privacy Policy Statement published on the business's website.

DPP 6: Access and Correction

Data subjects have the right to request access to their personal data held by a data user (a Data Access Request or DAR) and to request correction of inaccurate data (a Data Correction Request or DCR). Data users must respond to a DAR within 40 days. The maximum fee chargeable for a DAR is currently HK$100. Refusal to comply with a valid DAR is an offence.

Personal Information Collection Statement (PICS)

A PICS is the notice required to be given to data subjects at or before the point of data collection, satisfying the notification requirements of DPP 1(3). A well-drafted PICS specifies: the types of personal data being collected, the purpose(s) for collection and use, the classes of persons to whom the data may be transferred (including overseas recipients), whether provision is obligatory or voluntary, and the data subject's access and correction rights.

The PICS should be provided in the language used to communicate with the data subject (Chinese and English for Hong Kong businesses with a mixed customer base). It must be intelligible and written in plain language — not buried in legal boilerplate.

Direct Marketing

The PDPO contains specific provisions governing the use of personal data for direct marketing — defined as offering goods, services, facilities, or land, or inviting persons to subscribe, donate, or participate in any activity, through direct communication. Key requirements:

• Before using personal data for direct marketing, the data user must inform the data subject of: the intended use, the classes of data to be used, and the data subject's right to opt out.
• The data subject must indicate (in writing or via another specified channel) that they do not object to the use before the data user may proceed.
• Data subjects can opt out at any time, and opt-out requests must be actioned within a reasonable time.
• Selling, providing, or transferring personal data for another party's direct marketing use requires explicit consent.

Non-compliance with direct marketing provisions is a criminal offence, and fines can be significant for systematic violations.

Cross-Border Data Transfers

Section 33 of the PDPO restricts the transfer of personal data to a place outside Hong Kong unless adequate protection is ensured. Although Section 33 has been enacted since 1996, it has historically not been brought into force. The PCPD has indicated that it may be activated in the future and has issued recommended model clauses for voluntary adoption.

In practice, businesses with cross-border data flows should: document the jurisdictions to which personal data is transferred, assess the adequacy of the data protection regime in the destination jurisdiction, and consider implementing data transfer agreements (DTAs) incorporating the PCPD's recommended model clauses. Businesses operating under GDPR (for European operations or European data subjects) should also ensure their Hong Kong data practices are consistent with GDPR requirements where applicable.

Mandatory Data Breach Notification (Effective September 2024)

The 2021 amendments introduced mandatory data breach notification. Where a data breach occurs (i.e., unauthorised access, collection, use, disclosure, loss, or disposal of personal data) that is likely to result in real risk of significant harm to the affected data subjects, the data user must notify the PCPD and the affected data subjects as soon as reasonably practicable.

The notification to the PCPD must include: a description of the breach, the categories and approximate numbers of personal data and data subjects concerned, the likely consequences, and the measures taken or proposed to address the breach.

Failure to notify is a civil contravention rather than a criminal offence (at least for a first violation), but the PCPD has significant powers to investigate, issue enforcement notices, and impose financial penalties.

PCPD Enforcement Powers

The PCPD can investigate complaints and initiate its own investigations. Following an investigation, the PCPD may issue an Enforcement Notice requiring a data user to remedy a contravention. Non-compliance with an Enforcement Notice is a criminal offence attracting a fine of up to HK$50,000 and imprisonment for up to 2 years.

For direct marketing offences and doxxing offences, the PCPD can refer matters directly to the Police for prosecution. Doxxing offences — disclosing personal data with intent to intimidate, harass, or cause harm to others — carry penalties of up to HK$1 million and 5 years imprisonment.

Practical Compliance Steps

• Data audit: Map the personal data your business collects, the purposes of collection, how it flows through your systems, and where it is stored. This is the foundation of any compliance programme.
• Update your PICS and Privacy Policy: Ensure they accurately reflect your data practices, are written in plain language, and are easily accessible to data subjects.
• Review direct marketing practices: Ensure opt-in/opt-out mechanisms are properly implemented and that lists are regularly cleansed of opt-outs.
• Implement a data retention and disposal policy: Specify retention periods for each category of data and ensure secure disposal when data is no longer needed.
• Build a data breach response plan: Designate a breach response team, establish notification procedures, and conduct tabletop exercises. With mandatory notification now in force, response time matters.
• Train staff: Regular training on data privacy obligations reduces the risk of inadvertent violations and demonstrates a culture of compliance.
• Conduct due diligence on data processors: Where personal data is processed by third-party service providers (cloud vendors, IT outsourcers, marketing agencies), ensure contractual arrangements include appropriate data protection obligations.

Conclusion

PDPO compliance is not a one-off exercise but an ongoing programme. With the PCPD's enforcement posture becoming increasingly assertive, and with mandatory data breach notification now law, businesses that have not yet invested in a structured compliance programme face real regulatory and reputational risk.

The good news is that PDPO compliance need not be burdensome for smaller businesses: a well-drafted PICS, a clear Privacy Policy, a sensible data retention schedule, and a basic incident response plan go a long way towards satisfying the core requirements.

Alan Wong LLP advises businesses on data privacy compliance, PDPO obligations, and regulatory investigations in Hong Kong. Contact us to assess your data privacy posture.