Data Privacy & Transfer in Investigations

Last verified on Thursday 15th September 2022

Data Privacy & Transfer in Investigations: Hong Kong



1. What laws and regulations in your jurisdiction regulate the collection and processing of personal data? Are there any aspects of those laws that have specific relevance to cross-border investigations?

Hong Kong

The collection and processing of personal data in Hong Kong is regulated by the Personal Data (Privacy) Ordinance (the PDPO).

The PDPO is applicable to both the private and the public sectors. In particular, the PDPO outlines six Data Protection Principles, which are contained in Schedule 1 to the PDPO, regarding how data users should collect, handle and use personal data, complemented by other provisions imposing further compliance requirements.

The Office of the Privacy Commissioner for Personal Data (the PCPD) is the regulator responsible for enforcing the PDPO.

With a view to keeping up with international standards and to combat a surge in doxxing activities since 2019, major amendments to the PDPO were recently introduced with the Personal Data (Privacy) (Amendment) Ordinance 2021 coming into effect on 8 October 2021 (the Amendment Ordinance). 

Most notably, the Amendment Ordinance:

  • criminalises doxxing, by introducing a two-tier doxxing offence. The lower tier offence is disclosing any personal data without the data subject’s consent, with the intention of or being reckless as to the causing of any specified harm to the data subject or their family member. The higher tier offence is disclosing any personal data without the data subject’s consent, with the intention of or being reckless as to the causing of any specified harm to the data subject or their family member, where such harm is so caused. ‘Specified harm’ means, in relation to a person: (i) harassment, molestation, pestering, threat or intimidation to the person; (ii) bodily harm or psychological harm to the person; (iii) harm causing the person reasonably to be concerned for the person’s safety or well-being; or (iv) damage to the property of the person; 
  • empowers the PCPD to compel disclosure and assistance from persons in possession of any material relevant to an investigation of a doxxing offence; and 
  • confers on the PCPD statutory powers to demand the cessation of doxxing conduct. A cessation notice has extra-territorial effect and requires cessation action to be taken within a designated timeframe. It may be served on a person in Hong Kong or a ‘non-Hong Kong service provider’ that has provided or is providing any service (whether or not in Hong Kong) to any Hong Kong person.

There are currently no restrictions on the cross-border transfer of personal data over and above those in place for transfers of personal data within Hong Kong. A provision has been enacted that would place extra restrictions on cross-border transfers (section 33 of the PDPO), but it has not yet been implemented.


2. What other laws and regulations, besides data protection laws, may prevent data sharing in the context of an investigation?

Hong Kong

Providers of banking services – implied duty of confidentiality

A person providing banking services in Hong Kong has an implied duty of confidentiality to its clients under Hong Kong common law. This means that such an entity must not divulge confidential information about its client to any third party, unless the consent of the bank’s client is obtained or an exemption applies. The banker’s duty of confidentiality is considered to be an implied term of the contract between a banker and his or her customer, but it may be modified by express terms.

The duty applies to any information about a client (both natural and legal persons) that a banker acquires in the course of providing banking services.

There is no exhaustive definition of what constitutes banking services and therefore the precise scope of the banker’s duty of confidentiality is unclear. However, examples of banking services that would trigger the confidentiality obligation are:

  • keeping current accounts for customers, in which credits and debits are entered;
  • accepting money from and collecting cheques for customers and placing them in credit; and
  • paying cheques drawn on those accounts and debiting customers accordingly.

These essential characteristics of banking are not exhaustive and transactions that lack these characteristics may still be considered banking. As a result, the banker’s duty of confidentiality may well apply to persons that do not consider themselves to be banks.

Certain exemptions apply to the banker’s duty of confidentiality at common law. These include those situations where:

  • the express or implied consent of the client has been obtained;
  • there is a duty to the public to disclose such information;
  • Hong Kong law or court order compels disclosure; or
  • the interests of the bank require disclosure.

In conflict with the banker’s duty of confidentiality and in support of the duty to the public to disclose such confidential information is the principle of open administration of justice. In X v Y [2014] 5 HKLRD 823, it was held that only the most exceptional circumstances would justify proceedings being held behind closed doors, and any departure from the principle of open administration of justice should be no more than the minimum that is reasonably necessary to protect the legitimate interests that it is said would justify a private hearing. Thus, in most cases, the duty to the public and principle of open administration of justice would override the banker’s common law duty of confidentiality.

A client can claim damages for breach of confidentiality by a bank. These are usually nominal damages, unless the client has suffered financial loss. Injunctive relief is also available.

The Organized and Serious Crime Ordinance (the OSCO) is one of the major statutory exceptions to the common law duty of confidentiality. A person is required under OSCO to make a disclosure to "authorised officers" (eg, police officers) where that person knows or suspects that any property, among others, in whole or in part directly or indirectly represents the proceeds of an indictable offence. In the context of property passing through a bank account, this may require the disclosure to an authorised officer of account information subject to the banker’s duty of confidentiality.

In addition to the banker’s duty of confidentiality at common law, authorised institutions (AIs) (ie, licensed banks, restricted licence banks, and deposit-taking companies regulated by the Hong Kong Monetary Authority (the HKMA)) are also required to comply with regulatory guidance issued by the HKMA. That guidance includes circulars on customer data protection and a module in the HKMA’s Supervisory Policy Manual regarding outsourcing (SA-2). A detailed analysis of outsourcing laws is beyond the scope of this chapter; however, in summary, where an AI engages in outsourcing, it is expected under SA-2 to: ensure that outsourcing arrangements comply with the relevant requirements (eg, the PDPO and the banker’s duty of confidentiality), have controls in place to ensure that these requirements are observed and proper safeguards are established to protect the integrity and confidentiality of customer information, notify customers of the possibility that their data may be provided to another person as part of an outsourcing arrangement, and ensure that all customer data is destroyed or retrieved (as permitted by law) where an outsourcing arrangement is terminated. AIs should discuss any outsourcing plans with the HKMA in advance and should be prepared to satisfy the HKMA that issues relating to customer data, among others, are properly addressed.

The HKMA has also endorsed the Hong Kong Association of Banks’ Code of Banking Practice, which makes reference to AIs’ obligations under the PDPO and the relevant codes of practice issued by the PCPD, and reminds banks to comply with the relevant requirements.

Breach of the HKMA’s regulatory guidance or the Code of Banking Practice does not, by itself, allow a customer to claim damages. However, it may lead to disciplinary action by the HKMA against the AI concerned, which in extreme cases can include suspension or revocation of the AI’s banking licence.

Other persons

Persons other than providers of banking services may also be subject to a duty of confidentiality depending on the circumstances. The most common situation in which a duty of confidentiality may arise is where information is received in the course of a relationship that a reasonable person would regard as involving a duty of confidentiality. Such relationships may include agents, trustees, partners, directors, employees and professionals, such as doctors and accountants.

Although not exhaustive, the generally recognised exemptions to this duty of confidentiality, and the consequences of breach of this duty, are the same as those that apply to the banker’s duty of confidentiality, discussed above. 

Official Secrets Ordinance

Persons who come into possession of official information relating to security or intelligence services, defence, international relations or criminal investigations are, under certain circumstances, prohibited under the Official Secrets Ordinance from disclosing such information. The Official Secrets Ordinance is unlikely to be relevant to an investigation unless the person being investigated has a relationship with a government that would put that person in a position such that it is likely to receive such information.

National Security Law

Under the Hong Kong National Security Law (the HKNSL), which came into effect on 30 June 2020, it is an offence to unlawfully provide state secrets or intelligence concerning national security to a foreign country or an institution, organisation or individual outside the mainland, Hong Kong and Macao of the People’s Republic of China (article 29). For this purpose, state secrets and intelligence concerning national security are to be defined and determined under PRC law.


3. What constitutes personal data for the purposes of data protection laws?

Hong Kong

The PDPO defines personal data as any data relating directly or indirectly to a living individual, from which it is ‘practicable’ for the identity of the individual to be directly or indirectly ascertained, and in a form in which access to or processing of the data is practicable.

‘Practicable’ is defined as ‘reasonably practicable’. When considering whether data is personal data, the PCPD will consider all relevant data controlled by the party in question. If it is reasonably practicable for that party to ascertain from the totality of such data the identity of the data subject, then the data is personal data and the PDPO applies. It is commonly understood that a person’s name in isolation generally does not constitute personal data.

Personal data protection extends only to natural living persons, not to legal persons such as companies or deceased natural persons. 


4. What is the scope of application of data protection laws in your jurisdiction? What activities trigger the application of data protection laws, to whom do they apply and what is their territorial extent?

Hong Kong

The PDPO does not expressly provide for extra-territorial application. It was acknowledged in a previous investigation against Yahoo! Hong Kong Limited that in the absence of such provision, the PDPO does not extend to bind any act committed by a foreign party on foreign soil. 

For instance, the territorial principle is illustrated by section 39(1)(d) of the PDPO, which sets out the conditions that need to be fulfilled before the Commissioner can exercise her powers of investigation. In essence, the Commissioner must be satisfied that a territorial link exists: the complainant is present in Hong Kong, or was at the relevant time a resident of Hong Kong, or acquired in Hong Kong relevant rights which, in the Commissioner’s opinion, will be prejudiced by the act or practice complained of. 


5. What are the principal requirements under data protection laws that are relevant in the context of investigations?

Hong Kong

Personal data must be processed in accordance with the six Data Protection Principles set out in the PDPO.

  • Principle 1 is that personal data must be collected by means that are lawful and fair in the circumstances. All practicable steps must also be taken to ensure the data subject is explicitly or implicitly informed of their rights and obligations. To comply with this principle, the data subject must be given certain information when their personal data is collected. This includes whether it is obligatory to supply the data and any consequences of not supplying the data. The data subject should be explicitly informed of the purpose for which the data is to be used and the classes of person to whom the data will be transferred. This information is usually provided by way of a written notice, which is generally referred to as a Personal Information Collection Statement. For the statement to be effective, it should be presented in a conspicuous manner and the language used should be easily understandable. 
  • Principle 2 is that personal data must be accurate and, where necessary, kept up to date. Personal data shall not be kept longer than is necessary for the fulfilment of the purpose for which the data is or is to be used. 
  • Principle 3 is that personal data shall not be used for a purpose other than that notified to the data subject. 
  • Principle 4 is that appropriate measures must be taken against unauthorised or unlawful access, processing, erasure, loss or use of personal data.
  • Principle 5 is that practicable steps must be taken to ensure that a data subject can understand the data user’s policies and stay informed about the kind of personal data held by a data user and the main purpose or purposes for which it is held.
  • Principle 6 is that a data subject should be able to find out whether a data user holds any of his or her personal data and to request access to and correction of that personal data where necessary.

In the context of investigation, data users are often advised to include in their Personal Information Collection Statement that the personal data they have collected may be used for complying with any applicable laws, regulations or rules, including those relating to detection, investigation and compulsory disclosure.


6. Identify the data protection requirements relevant to a company carrying out an internal investigation and to a party assisting with an investigation.

Hong Kong

A data user carrying out an internal investigation should comply with its obligations under the PDPO in respect of collection, use, disclosure and retention of personal data.

A party assisting with an investigation is a data processor if it holds, processes or uses personal data solely on behalf of another person, and not for its own purpose. Data processors are not directly regulated under the PDPO. 



7. Is the consent of the data subject mandatory for the processing of personal data as part of an investigation?

Hong Kong

Whether consent is needed depends on the purposes for which the personal data was originally collected from the data subject. If the investigation falls within those purposes (which is a question of fact), no new consent would be required. If the investigation falls outside those purposes, subject to a consideration of potentially applicable exemptions, express consent would be required.


8. If not mandatory, should consent still be considered when planning and carrying out an investigation?

Hong Kong

Yes, consent should be considered as an enabling action when planning an investigation.


9. Is consent given by employees likely to be valid in an investigation carried out by their employer?

Hong Kong

Yes, provided that the consent obtained is express, by its terms extends to investigations, and is voluntarily given. The employee should be informed of the purposes for which the data will be used, to whom it would be transferred, and his or her rights to make data access and correction requests.


10. How can consent be given by a data subject? Is it possible for data subjects to give their consent to processing in advance?

Hong Kong

Consent must be express and not withdrawn by notice in writing served on the person to whom the consent has been given.

It can be obtained either orally or in writing, and in advance, as long as the other requirements of the PDPO are met. Typically, consent is obtained through standard terms and conditions. Consent language should be presented in a manner that renders it easily readable and understandable in terms of its length, complexity, font size and accessibility.


11. What rights do data subjects have to access or verify their personal data, or to influence or resist the processing of their personal data, as part of an investigation?

Hong Kong

Under Principle 6 in the PDPO, a data subject or a relevant person acting on their behalf can ask for confirmation that a data user holds personal data of which he or she is the data subject, request access to this data and ask for it to be corrected if it is inaccurate.

A ‘relevant person’ could be a parent of the data subject, a person appointed by the court, or a person authorised in writing by the individual.

Under the PDPO, the normal time period for complying with a data access request is 40 days after the receipt of such request.

There are various grounds on which the data user can refuse to comply with a data access request. The data user is entitled to refuse to comply with a request if the same is not made in the form prescribed under the PDPO. The form has been designed to make clear the following matters:

  • the fact that a data access request is being made under the PDPO;
  • the particular provision(s) of the PDPO under which such request is being made;
  • the precise scope of the data to which the request relates; and
  • the way of handling (including the time for compliance with) the request and possible consequences of failure to do so.

Another key exemption is that the data user should, where the personal data requested also contains the personal data of another individual or individuals, refuse to comply with the request unless consent from that other person is obtained or the personal data of that other individual is erased from the data before release.

A data user is obliged to give the requestor written notification of the refusal and the reasons for the refusal.

Where the scope of the data access request is too generic (eg, ‘all of my data’) and, in the absence of any information from the requestor to specify or to otherwise assist in locating the data requested, the data user’s duty of compliance may only extend to such data as it may reasonably and practicably be expected to provide.

It is important to note that the data requester is entitled to a copy of his or her personal data only, not every document that refers to him or her.

After personal data has been provided to the requestor pursuant to a data access request, the requestor may request the correction of such data. The data user is obliged to comply with a data correction request only if it is satisfied that the personal data to which the data correction request relates is inaccurate.

As part of the investigation, if data has been disclosed to third parties by the data user, and data access and correction requests are then received, the data user should ascertain whether the third party has ceased using that data. If the data user has no reason to believe that the third party has ceased using the data for the purpose for which it was disclosed, the data user should take all practicable steps to supply the third party with a copy of the corrected personal data and a written notice of the reasons for the correction.

Exemptions are provided under the PDPO from the application of Principle 6, including where:

  • data is held for the purposes of, among other things, the prevention, preclusion or remedying (including punishment) of unlawful or seriously improper conduct, dishonesty or malpractice, or discharging certain functions of a financial regulator; and
  • the requests would either be likely to prejudice any of those purposes, or be likely to identify directly or indirectly the person who is the source of the data.

Therefore in the context of an investigation, a data user would be able to resist data access and correction requests regarding data held for the aforesaid purposes to the extent that complying with the request would prejudice those purposes or identify the source of data. A data subject would still be able to access or correct data that would not prejudice those purposes.



12. Are there specific requirements to consider where third parties are appointed to process personal data in connection with an investigation?

Hong Kong

If a data user engages a third-party data processor to process personal data on its behalf, the data user must adopt contractual or other means to prevent any personal data transferred to the data processor from being kept longer than necessary for the specified processing and to prevent the unauthorised or accidental access, processing, erasure, loss, or use of the personal data.


13. Is it permitted to share personal data with law firms for the purpose of providing legal advice?

Hong Kong


Under Principle 3 of the PDPO, unless an exemption applies or consent is obtained from the data subject, personal data cannot be used for a new purpose and as such could not be transferred to a third party (in this instance a law firm) for the purpose of obtaining legal advice. A new purpose means any purpose other than that for which the data was to be used at the time of its collection or one directly related to that purpose. 

With appropriate consent, the data could be shared with law firms for that purpose.

In addition, section 60B of the PDPO provides that the use of personal data is exempt from Principle 3 if it is:

  • required or authorised by or under any enactment, by any rule of law or by an order of a court in Hong Kong;
  • required in connection with any legal proceedings in Hong Kong; or
  • required for establishing, exercising or defending legal rights in Hong Kong.

A requirement under a foreign law is not adequate for this purpose.


14. What is the position and status of law firms under data protection laws? Are law firms directly accountable for data processing under data protection laws, or is responsibility for processing by law firms shared between the law firm and the client?

Hong Kong

Law firms, if they process data on behalf of another person and not for their own purposes, are regarded as data processors. This is usually the case when law firms are engaged to provide services in the context of an investigation. Under the current law, law firms are not obliged to comply with the requirements of the PDPO in respect of any personal data for which they are data processors, although this position may change if the PDPO’s scope is expanded to cover data processors.


15. What is the position and status of legal process outsourcing firms under data protection laws?

Hong Kong

Legal process outsourcing firms and other external processing agents are regarded as data processors if they process data on behalf of another person and not for their own purposes.


16. Are there any additional requirements, beyond those specified above, that regulate the disclosure of data to third parties within your jurisdiction for the purpose of reviewing the content of documents, etc?

Hong Kong

If personal data disclosed to a third party is materially inaccurate, all practicable steps must be taken to ensure that the third party is informed that the data is inaccurate and is provided with enough information to rectify the inaccuracy.


17. What rules regulate the transfer of data held in your jurisdiction to a third party in another country for the purpose of reviewing the content of documents, etc?

Hong Kong

There is currently no restriction on the cross-border transfer of personal data over and above those in place for transfers of personal data within Hong Kong.

Transfers to a third party in another country must therefore be a purpose for which the data has been collected or be subject to consent.

A provision has been enacted that would place extra restrictions on cross-border transfers (section 33 of the PDPO), but it has not yet been brought into force. Were it in force, data users would be prohibited from transferring data to a place outside of Hong Kong unless:

  • the data user has reasonable grounds for believing that there is in force in that place any law that is substantially similar to, or serves the same purposes as, the PDPO;
  • the data subject has consented to the transfer in writing;
  • the data user has reasonable grounds to believe that the transfer is for the avoidance or mitigation of adverse action against the data subject, where it is not practicable to obtain consent but if it was practicable to obtain such consent, the data subject would give it; or
  • the data user has taken all reasonable precautions and exercised all due diligence to ensure that the data will not, in that place, be collected, held, processed or used in any manner which, if the place were Hong Kong, would be a contravention of a requirement under the PDPO.

Section 33 also contains certain exemptions to the cross-border transfer restrictions, such as for certain transfers for the purposes of preventing and investigating crime.

The transfer restrictions will not apply to transfers to jurisdictions set out by the PCPD in a notice published in the Gazette, or jurisdictions where the data user has reason to believe an equivalent law to the PDPO is in force. As at the date of this survey, there is no indication yet which jurisdictions these would be.

In May 2017, the government put before the LegCo preliminary findings of a business impact assessment on the implementation of section 33.

As at the date of this survey, no timetable for its implementation has been set by the authorities.

The PCPD is still in the process of assessing the impact that section 33, were it in force, would have on businesses, and will formulate the steps required to bring the section into effect.

Large corporations and financial institutions in Hong Kong tend to follow section 33 as if it were in force, as a precautionary measure; the HKMA advises in SA-2 that AIs take account of section 33 and its potential impact on their plans for overseas outsourcing. Moreover, the PCPD also actively promotes GDPR compliance for Hong Kong businesses when handling cross-border data transfers.


18. Are there specific exemptions, derogations or mechanisms to enable international transfers of personal data in connection with investigations?

Hong Kong

See question 17.

Further, although the PDPO does not restrict the transfer of personal data into Hong Kong, data users should ensure that the transfer of personal data to Hong Kong from other jurisdictions complies with the domestic data privacy laws of the originating jurisdiction. Transfers within Hong Kong should be compliant with the principles for processing personal data under the PDPO.



19. Under what circumstances is the transfer of personal data to regulators or enforcement authorities within your jurisdiction permissible?

Hong Kong

Any transfer of personal data to regulators within Hong Kong must comply with the principles set out in the PDPO (see question 7), including, for example, that personal data shall not be used for a purpose other than that notified to the data subject. 

There are, however, exemptions to the general prohibition (Principle 3) under the PDPO, including:

  • where the data is used for, among other things, the prevention, preclusion or remedying (including punishment) of unlawful or seriously improper conduct, dishonesty, or malpractice, or discharging certain functions of a financial regulator; and not disclosing the data would be likely to prejudice such purposes (section 58 of the PDPO); or
  • the disclosure is required by a law in Hong Kong (section 60B of the PDPO).

Disclosure of personal data to Hong Kong regulators as part of an investigation can therefore fall within the exception to Principle 3.

For example, the Securities and Futures Commission may, during the course of an investigation and under the Securities and Futures Ordinance, issue to a bank a notice to produce certain records or documents that may contain a customer’s account information. Disclosure of personal data by the bank pursuant to the notice would fall under the second exception above.

Another example worth noting is the enforcement powers under the HKNSL. Under the HKNSL, for the purpose of assisting an investigation into an offence endangering national security or the proceeds obtained with the commission of the relevant offence, the Secretary for Justice or police officers may apply to the court for an order to require a person or corporation that has the required information to answer questions within a specified time period, or to furnish or produce the relevant information or material (article 43(7) of the HKNSL and Schedule 7 to the Implementation Rules for article 43 of the HKNSL). It is conceivable that a corporation may be asked, pursuant to such powers, to disclose personal data for HKNSL investigations.


20. Under what circumstances is the transfer of personal data held within your jurisdiction to regulators or enforcement authorities in another country permissible?

Hong Kong

Any transfer of personal data to regulators outside Hong Kong must comply with the principles in the PDPO. As there is currently no legislative provision applying to cross-border data transfers, there are no additional restrictions relating to the transfer of data to a regulator in another jurisdiction.


21. What are some recommended steps to take on receipt of a request from a regulator for disclosure of personal data?

Hong Kong

Data users should be cautious when handling requests for disclosure from a regulator. By way of example, a bank was criticised by the PCPD for providing personal data of a police officer to the police for its internal disciplinary investigation, without the consent of the officer and without questioning the nature and purpose of the request. The PCPD considered that there was simply insufficient information available to satisfy the PCPD that the situation was serious enough to fall under the “seriously improper conduct” exception under the PDPO, hence the bank’s disclosure was unjustified and in breach of data protection principles. 

Faced with such requests, the data user should consider:

  • the purpose for which the data is required;
  • whether the data user has obtained adequate consent from the data subject, and if not, whether it could now do so, provided that seeking consent now would not breach any other law;
  • whether the personal data requested can be obtained from other sources;
  • how the lack of such data may prejudice the purpose of obtaining the data; and
  • whether the request to provide the data was made subject to legal compulsion under Hong Kong law.



22. What are the sanctions and penalties for non-compliance with data protection laws?

Hong Kong

Contravention of the requirements relating to the use, or provision to third parties for their use, of personal data for direct marketing constitutes one or more criminal offences. In addition, a criminal offence is committed if any person discloses personal data obtained from a data user without the data user’s consent with the intent to profit financially or cause loss to the data subject, or without the data subject’s consent with the intention of or being reckless as to the causing of any specified harm to the data subject or their family member (ie, the doxxing offences). The maximum penalty for each offence is a fine of HK$1 million and imprisonment for up to five years. 

The PCPD can conduct its own investigations, regardless of whether a complaint is received, about suspected breaches of the PDPO. If the PCPD, following completion of an investigation, finds that the relevant data user has contravened a requirement under the PDPO, the PCPD may issue an enforcement notice requiring the data user to remedy the contravention. Non-compliance with the notice is a criminal offence. On first conviction, the maximum penalty is a fine of HK$50,000 and imprisonment for two years, and a daily fine of HK$1,000 if the offence continues after conviction. 

If section 33 of the PDPO comes into operation, a failure to comply with the restrictions on cross-border transfer will constitute a criminal offence carrying a maximum penalty of a fine of HK$10,000. If an offence is committed by a body corporate with the consent, connivance or negligence of any director, manager, secretary or similar officer of the body corporate, that person will be considered equally guilty of the offence under the PDPO.

A data subject who suffers damage or distress in addition to damage through a breach of the PDPO by a data user may seek compensation from the data user. Compensation is awarded by the courts and not the PCPD.
