New Report on Limits of “Consent” in Hong Kong’s Data Protection Law
Today, the Future of Privacy Forum (FPF) and Asian Business Law Institute (ABLI) – as part of their ongoing joint research project: “From Consent-Centric Data Protection Frameworks to Responsible Data Practices and Privacy Accountability in Asia Pacific” – are publishing the third in a series of detailed jurisdiction reports on the status of “consent” and alternatives to consent as lawful bases for processing personal data in Asia Pacific (APAC).
This report provides a detailed overview of relevant laws and regulations in Hong Kong, a Special Administrative Region (SAR) of the People’s Republic of China, which has its own data protection law, the Personal Data (Privacy) Ordinance (PDPO). The report covers:
- notice and consent requirements for processing personal data in Hong Kong’s data protection law;
- the status of alternative legal bases for processing personal data which permit processing of personal data without consent if the data controller undertakes a risk impact assessment (e.g., legitimate interests); and
- statutory bases for processing personal data without consent and exceptions or derogations from consent requirements in relevant laws and regulations.
The findings of this report and others in the series will inform a forthcoming comparative review paper which will make detailed recommendations for legal convergence in APAC.
Hong Kong’s Data Protection Landscape
The PDPO – which was passed in 1995 and took effect (except for certain provisions) in 1996 – is one of the most long-standing data protection laws in both APAC and globally.
The purpose of the PDPO is to protect the privacy of individuals in relation to their personal data. The main way in which the PDPO protects such data is by giving legal effect to the six “Data Protection Principles” (DPPs) in Schedule 1 of the PDPO, which cover:
- the purpose and manner of personal data collection;
- accuracy and duration of data retention;
- use of personal data;
- security of personal data;
- openness and transparency around personal data practices; and
- access to and correction of personal data.
This kind of “principles-based” data protection law is also seen in the data protection laws of Australia and New Zealand, which all draw on principles from the OECD’s 1980 Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, including collection limitation, data quality, purpose specification, use limitation, security, openness, and individual participation.
The PDPO’s principles are supplemented by other provisions of the PDPO which provide further protection for personal data in specific contexts. Specifically, substantial amendments to the PDPO in 2012 added, among others, a new Part 6A to the PDPO which governs processing of personal data for direct marketing and imposes strict penalties, including fines or imprisonment, on organizations that fail to obtain consent to use or disclose personal data for direct marketing purposes. Further amendments to the PDPO in 2021 added new provisions to the PDPO to combat “doxing” (i.e., publishing private personal information online to, among others, harass, harm, or damage the property of a person). These included new criminal offenses and powers to investigate and prosecute acts of doing.
The PDPO also establishes the Privacy Commissioner for Personal Data (PCPD) – an independent data protection authority which serves advisory and enforcement functions with regard to the PDPO. In its advisory role, the PCPD is tasked with, among others, promoting public awareness and understanding of the PDPO. To that end, the PCPD has issued a number of guidelines on application of the PDPO’s requirements to specific situations or sectors. In its enforcement role, the PCPD is empowered to investigate possible contraventions of the PDPO and issue recommendations or enforcement notices directing an organization to take remedial or protective actions. PCPD is also empowered to investigate and prosecute criminal offenses under the PDPO.
Role and Status of Consent
The PDPO’s data protection framework is based primarily on notification rather than consent.
Generally, before an organization may collect personal data from a data subject, DPP 1 requires that the organization must take all practical steps to ensure that the data subject is explicitly informed of:
- the purpose for which the data will be used,
- any parties to whom the data may be transferred,
- whether it is obligatory or voluntary for the data subject to provide the data.
An organization that has provided a valid notification may use or disclose personal data collected from the data subject for the purpose stated in the notification or a purpose that is reasonably related to it without the need to obtain consent.
Consent plays a secondary role in the PDPO. DPP 3 requires an organization to obtain express opt-in consent from the data subject if the organization wishes to use personal data for a different purpose from the one stated in the notification.
Additionally, if the organization intends to use or disclose the data subject’s personal data for direct marketing purposes, Part 6A of the PDPO requires the organization to notify the data subject of its intention and provide certain prescribed information. The data subject must then give consent. However, for direct marketing purposes, it is sufficient if data subjects minimally do not opt out of use or disclosure of their data for direct marketing.
Non compliance with the above requirements may be a criminal offense under the PDPO, which is punishable with a fine or even imprisonment.
However, the PDPO provides numerous exceptions to the consent requirement in DPP 3. An organization may not need to obtain consent to use or disclose personal data for a new purpose if that purpose includes, among others, preventing or detecting a crime, engaging in legal proceedings, preparing research and statistics, or responding to an emergency involving the data subject.
Read the previous reports in the series: