|OVERVIEW||Well-developed privacy laws. Active privacy commissioner; however, limited authority and limited basis for privacy enforcement.|
|GENERAL PRIVACY LAWS||
Article 29 of the Basic Law establishes the basic principle that homes of Hong Kong citizens are “inviolable.”
Article 30 of the Basic Law established the basic principle that the freedom and privacy of communication of Hong Kong residents is protected by law. No one shall infringe on the rights and freedom of privacy in communication except in accordance with legal requirements for protection of public security and the investigation of criminal offenses.
|PERSONAL DATA PROTECTION LAWS AND REGULATIONS||
Personal Data (Privacy) Ordinance (“PDPO”) came into effect in 1996, with the exception of the provisions concerning the transfer of data outside of Hong Kong and data matching.
PDPO adopted six fair information practices to regulate notice, collection, accuracy, use, security and access regarding personal data which is defined as “any representation of information (including an expression of opinion) in any document, and includes a personal identifier.” The ordinance applies to public and private “data users” and to manual and electronic records.
|TYPE OF DATA PROTECTED||Personal Information.|
|WORKPLACE PRIVACY LAWS||
The Privacy Guidelines: Monitoring and Personal Data Privacy at Work provide guidance for assessing whether employee monitoring is appropriate and to determine how employers can develop privacy compliant practices in the management of personal data obtained form employee monitoring.
The Office of the Privacy Commissioner initially planned on releasing a statutory code of practice. However, strong opposition to the draft by employers made the PCO proceed with non-binding guidelines.
The Guidelines verify that the PDPO applies to employee monitoring activities whereby personal data of employees is collected in recorded form.
Guidelines seek to offer practical guidance on the steps that should be taken by employers when they monitor employees using the following methods: telephone monitoring, Internet monitoring, video monitoring, and email monitoring.
Guidelines recognize that an employer has the right to direct employees’ work activities and to reasonably monitor such activities; however, monitoring should be balanced against the employees’ right to privacy.
Guidelines provide that monitoring should take into account the following:
Employers are liable for the provisions of the PDPO for the proper management of personal data collected while conducting employee monitoring. The legal obligation extends to acts and practices undertaken by a third party acting on behalf of the employer.
Employers should be aware that their employee monitoring practices may be subject to investigation by the Commissioner in any alleged breach of the PDPO. Investigation would ask employer to provide evidence of the following:
Section 33 of the Ordinance prohibits the transfer of personal data to places outside of Hong Kong unless one of a number of conditions is met. Section 33 covers two situations, namely transfers from Hong Kong to a place outside Hong Kong and transfers between two other jurisdictions where the transfer is controlled by a Hong Kong data user. The place to which the data are transferred has in force "any law which is substantially similar to, or serves the same purposes as, this Ordinance".
The Privacy Commissioner may specify a place satisfying this requirement by publishing notice in Hong Kong's gazette.
The data subject has consented in writing to the transfer.
The data user has reasonable grounds for believing that the transfer is for the avoidance or mitigation of adverse action against the data subject; if it is not practicable to obtain the data subject's consent, but if practicable, such consent would be given.
The data are exempt from the data protection principle 3 by virtue of an exemption under "Part VII-Exemptions" of the Ordinance.
The data user has taken "all reasonable precautions and exercised all due diligence to ensure" that the data will not be dealt with in a manner that would constitute a contravention of the Ordinance.
The Commissioner has also prepared a Model Contract for use in transferring personal data out of Hong Kong.
|FINES AND SANCTIONS||
The sanctions for breaches of privacy law in Hong Kong are contained in the Personal Data (Privacy) Ordinance (PDPO). Schedule 1 of the PDPO incorporates six data protection principles (DPPs) to which users of personal data must comply.
Where there is a contravention of a DPP, the Privacy Commissioner can, if it deems appropriate, issue an enforcement notice to the user of the personal data, requiring them to take specific action in order to ensure future compliance with the DPP. Failure to comply with this enforcement notice does constitute a criminal offence which will render the non-compliant party liable to 2 years imprisonment, and a HKD 50 000 fine (USD 6,500). If the offence is of a continuing nature an additional fine of HKD 1000 (USD 130) per day will also apply.
Section 66 of the PDPO provides that an individual who suffers damage, by reason of a contravention of the Ordinance in relation to his or her personal data may seek compensation from the data user concerned.
|OTHER PRIVACY LAWS AND REGULATIONS||There are numerous sector-specific laws regulating privacy, secrecy and confidentiality.|