SCOPE OF DATA PROTECTION LAWS RELEVANT TO CROSS-BORDER INVESTIGATIONS
1. What laws and regulations in your jurisdiction regulate the collection and processing of personal data? Are there any aspects of those laws that have specific relevance to cross-border investigations?
The collection and processing of personal data in Hong Kong is regulated by the Personal Data (Privacy) Ordinance (the PDPO).
The PDPO is applicable to both the private and the public sectors. In particular, the PDPO outlines six Data Protection Principles, which are contained in Schedule 1 to the PDPO, regarding how data users should collect, handle and use personal data, complemented by other provisions imposing further compliance requirements.
The Office of the Privacy Commissioner for Personal Data (the PCPD) is the regulator responsible for enforcing the PDPO.
With a view to keeping up with international standards and to combat a surge in doxxing activities since 2019, major amendments to the PDPO were recently introduced with the Personal Data (Privacy) (Amendment) Ordinance 2021 coming into effect on 8 October 2021 (the Amendment Ordinance).
Most notably, the Amendment Ordinance:
- criminalises doxxing by introducing a two-tier doxxing offence. The lower tier offence is disclosing any personal data without the data subject’s consent, with the intention of causing, or being reckless as to whether the disclosure causes, any specified harm to the data subject or their family member. The higher tier offence is disclosing any personal data without the data subject’s consent, with the intention of causing, or being reckless as to whether the disclosure causes, any specified harm to the data subject or their family member, where such harm is so caused. ‘Specified harm’ means, in relation to a person: (i) harassment, molestation, pestering, threat or intimidation to the person; (ii) bodily harm or psychological harm to the person; (iii) harm causing the person reasonably to be concerned for the person’s safety or well-being; or (iv) damage to the property of the person;
- empowers the PCPD to compel disclosure and assistance from persons in possession of any material relevant to an investigation of a doxxing offence; and
- confers on the PCPD statutory powers to demand the cessation of doxxing conduct. A cessation notice has extra-territorial effect and requires cessation action to be taken within a designated timeframe. It may be served on a person in Hong Kong or a ‘non-Hong Kong service provider’ that has provided or is providing any service (whether or not in Hong Kong) to any Hong Kong person.
There are currently no restrictions on the cross-border transfer of personal data over and above those in place for transfers of personal data within Hong Kong. A provision has been enacted that would place extra restrictions on cross-border transfers (section 33 of the PDPO), but it has not yet been implemented.
Answer contributed by Matt Bower and Gwyneth Lau
Allen & Overy LLP
2. What other laws and regulations, besides data protection laws, may prevent data sharing in the context of an investigation?
Providers of banking services – implied duty of confidentiality
A person providing banking services in Hong Kong has an implied duty of confidentiality to its clients under Hong Kong common law. This means that such an entity must not divulge confidential information about its client to any third party, unless the consent of the bank’s client is obtained or an exemption applies. The banker’s duty of confidentiality is considered to be an implied term of the contract between a banker and his or her customer, but it may be modified by express terms.
The duty applies to any information about a client (both natural and legal persons) that a banker acquires in the course of providing banking services.
There is no exhaustive definition of what constitutes banking services and therefore the precise scope of the banker’s duty of confidentiality is unclear. However, examples of banking services that would trigger the confidentiality obligation are:
- keeping current accounts for customers, in which credits and debits are entered;
- accepting money from and collecting cheques for customers and placing them in credit; and
- paying cheques drawn on those accounts and debiting customers accordingly.
These essential characteristics of banking are not exhaustive and transactions that lack these characteristics may still be considered banking. As a result, the banker’s duty of confidentiality may well apply to persons that do not consider themselves to be banks.
Certain exemptions apply to the banker’s duty of confidentiality at common law. These include those situations where:
- the express or implied consent of the client has been obtained;
- there is a duty to the public to disclose such information;
- Hong Kong law or court order compels disclosure; or
- the interests of the bank require disclosure.
In conflict with the banker’s duty of confidentiality and in support of the duty to the public to disclose such confidential information is the principle of open administration of justice. In X v Y  5 HKLRD 823, it was held that only the most exceptional circumstances would justify proceedings being held behind closed doors, and any departure from the principle of open administration of justice should be no more than the minimum that is reasonably necessary to protect the legitimate interests that it is said would justify a private hearing. Thus, in most cases, the duty to the public and principle of open administration of justice would override the banker’s common law duty of confidentiality.
A client can claim damages for breach of confidentiality by a bank. These are usually nominal damages, unless the client has suffered financial loss. Injunctive relief is also available.
The Organized and Serious Crime Ordinance (the OSCO) is one of the major statutory exceptions to the common law duty of confidentiality. A person is required under OSCO to make a disclosure to "authorised officers" (eg, police officers) where that person knows or suspects that any property, among others, in whole or in part directly or indirectly represents the proceeds of an indictable offence. In the context of property passing through a bank account, this may require the disclosure to an authorised officer of account information subject to the banker’s duty of confidentiality.
In addition to the banker’s duty of confidentiality at common law, authorised institutions (AIs) (ie, licensed banks, restricted licence banks, and deposit-taking companies regulated by the Hong Kong Monetary Authority (the HKMA)) are also required to comply with regulatory guidance issued by the HKMA. That guidance includes circulars on customer data protection and a module in the HKMA’s Supervisory Policy Manual regarding outsourcing (SA-2). A detailed analysis of outsourcing laws is beyond the scope of this chapter; however, in summary, where an AI engages in outsourcing, it is expected under SA-2 to:
- ensure that outsourcing arrangements comply with the relevant requirements (eg, the PDPO and the banker’s duty of confidentiality);
- have controls in place to ensure that these requirements are observed and that proper safeguards are established to protect the integrity and confidentiality of customer information;
- notify customers of the possibility that their data may be provided to another person as part of an outsourcing arrangement; and
- ensure that all customer data is destroyed or retrieved (as permitted by law) where an outsourcing arrangement is terminated.
AIs should discuss any outsourcing plans with the HKMA in advance and should be prepared to satisfy the HKMA that issues relating to customer data, among others, are properly addressed.
The HKMA has also endorsed the Hong Kong Association of Banks’ Code of Banking Practice, which makes reference to AIs’ obligations under the PDPO and the relevant codes of practice issued by the PCPD, and reminds banks to comply with the relevant requirements.
Breach of the HKMA’s regulatory guidance or the Code of Banking Practice does not, by itself, allow a customer to claim damages. However, it may lead to disciplinary action by the HKMA against the AI concerned, which in extreme cases can include suspension or revocation of the AI’s banking licence.
Persons other than providers of banking services may also be subject to a duty of confidentiality depending on the circumstances. The most common situation in which a duty of confidentiality may arise is where information is received in the course of a relationship that a reasonable person would regard as involving a duty of confidentiality. Such relationships may include agents, trustees, partners, directors, employees and professionals, such as doctors and accountants.
Although not exhaustive, the generally recognised exemptions to this duty of confidentiality, and the consequences of breach of this duty, are the same as those that apply to the banker’s duty of confidentiality, discussed above.
Official Secrets Ordinance
Persons who come into possession of official information relating to security or intelligence services, defence, international relations or criminal investigations are, under certain circumstances, prohibited under the Official Secrets Ordinance from disclosing such information. The Official Secrets Ordinance is unlikely to be relevant to an investigation unless the person being investigated has a relationship with a government that would put that person in a position such that it is likely to receive such information.
National Security Law
Under the Hong Kong National Security Law (the HKNSL), which came into effect on 30 June 2020, it is an offence to unlawfully provide state secrets or intelligence concerning national security to a foreign country or an institution, organisation or individual outside the mainland, Hong Kong and Macao of the People’s Republic of China (article 29). For this purpose, state secrets and intelligence concerning national security are to be defined and determined under PRC law.
3. What constitutes personal data for the purposes of data protection laws?
The PDPO defines personal data as any data relating directly or indirectly to a living individual, from which it is ‘practicable’ for the identity of the individual to be directly or indirectly ascertained, and in a form in which access to or processing of the data is practicable.
‘Practicable’ is defined as ‘reasonably practicable’. When considering whether data is personal data, the PCPD will consider all relevant data controlled by the party in question. If it is reasonably practicable for that party to ascertain from the totality of such data the identity of the data subject, then the data is personal data and the PDPO applies. It is commonly understood that a person’s name in isolation generally does not constitute personal data.
Personal data protection extends only to natural living persons, not to legal persons such as companies or deceased natural persons.
4. What is the scope of application of data protection laws in your jurisdiction? What activities trigger the application of data protection laws, to whom do they apply and what is their territorial extent?
The PDPO does not expressly provide for extra-territorial application. It was acknowledged in a previous investigation against Yahoo! Hong Kong Limited that in the absence of such provision, the PDPO does not extend to bind any act committed by a foreign party on foreign soil.
For instance, the territorial principle is illustrated by section 39(1)(d) of the PDPO, which sets out the conditions that must be fulfilled before the Commissioner can exercise her powers of investigation. In essence, the Commissioner must be satisfied that there is a territorial link: the complainant is present in Hong Kong, or was at the relevant time a resident of Hong Kong, or some relevant rights were acquired in Hong Kong that, in the Commissioner's opinion, will be prejudiced by the act or practice complained of.
5. What are the principal requirements under data protection laws that are relevant in the context of investigations?
Personal data must be processed in accordance with the six Data Protection Principles set out in the PDPO.
- Principle 1 is that personal data must be collected by means that are lawful and fair in the circumstances. All practicable steps must also be taken to ensure the data subject is explicitly or implicitly informed of their rights and obligations. To comply with this principle, the data subject must be given certain information when their personal data is collected. This includes whether it is obligatory to supply the data and any consequences of not supplying the data. The data subject should be explicitly informed of the purpose for which the data is to be used and the classes of person to whom the data will be transferred. This information is usually provided by way of a written notice, which is generally referred to as a Personal Information Collection Statement. For the statement to be effective, it should be presented in a conspicuous manner and the language used should be easily understandable.
- Principle 2 is that personal data must be accurate and, where necessary, kept up to date. Personal data shall not be kept longer than is necessary for the fulfilment of the purpose for which the data is or is to be used.
- Principle 3 is that personal data shall not be used for a purpose other than that notified to the data subject.
- Principle 4 is that appropriate measures must be taken against unauthorised or unlawful access, processing, erasure, loss or use of personal data.
- Principle 5 is that practicable steps must be taken to ensure that a data subject can understand the data user’s policies and stay informed about the kind of personal data held by a data user and the main purpose or purposes for which it is held.
- Principle 6 is that a data subject should be able to find out whether a data user holds any of their personal data and to request access to and correction of that personal data where necessary.
In the context of investigation, data users are often advised to include in their Personal Information Collection Statement that the personal data they have collected may be used for complying with any applicable laws, regulations or rules, including those relating to detection, investigation and compulsory disclosure.
6. Identify the data protection requirements relevant to a company carrying out an internal investigation and to a party assisting with an investigation.
A data user carrying out an internal investigation should comply with its obligations under the PDPO in respect of collection, use, disclosure and retention of personal data.
A party assisting with an investigation is a data processor if it holds, processes or uses personal data solely on behalf of another person, and not for its own purpose. Data processors are not directly regulated under the PDPO.