Global Investigations Review - The law and practice of international investigations

Data Privacy & Transfer in Investigations

Last verified on Friday 16th August 2019

Hong Kong

Matt Bower and Clement Sung
Allen & Overy LLP
1. What laws and regulations in your jurisdiction regulate the collection and processing of personal data?

    The collection and processing of personal data in Hong Kong is regulated by the Personal Data (Privacy) Ordinance (the PDPO).

    The Office of the Privacy Commissioner for Personal Data (the PCPD) is the regulator responsible for enforcing the PDPO. 

2. What other laws and regulations may prevent data sharing in the context of an investigation?

    Providers of banking services – implied duty of confidentiality

    A person providing banking services in Hong Kong has an implied duty of confidentiality to its clients under Hong Kong common law. This means that such an entity must not divulge confidential information about its client to any third party, unless the consent of the bank’s client is obtained or an exemption applies. The banker’s duty of confidentiality is considered to be an implied term of the contract between a banker and his or her customer, but it may be modified by express terms.

    The duty applies to any information about a client (both natural and legal persons) that a banker acquires in the course of providing banking services.

    There is no exhaustive definition of what constitutes banking services and therefore the precise scope of the banker’s duty of confidentiality is unclear. However, examples of banking services that would trigger the confidentiality obligation are:

    • keeping current accounts for customers, in which credits and debits are entered;
    • accepting money from and collecting cheques for customers and placing them in credit; and
    • paying cheques drawn on those accounts and debiting customers accordingly.

    These essential characteristics of banking are not exhaustive and transactions that lack these characteristics may still be considered banking. As a result, the banker’s duty of confidentiality may well apply to persons that do not consider themselves to be banks.

    Certain exemptions apply to the banker’s duty of confidentiality at common law. These include those situations where:

    • the express or implied consent of the client has been obtained;
    • there is a duty to the public to disclose such information;
    • Hong Kong law or court order compels disclosure; or
    • the interests of the bank require disclosure.

    The Organized and Serious Crime Ordinance (the OSCO) is one of the major statutory exceptions to the common law duty of confidentiality. A person is required under the OSCO to make a disclosure to "authorised officers" (eg, police officers) where that person knows or suspects that any property (among other things), in whole or in part, directly or indirectly represents the proceeds of an indictable offence. In the context of property passing through a bank account, this may require the disclosure to an authorised officer of account information subject to the banker’s duty of confidentiality.

    A client can claim damages for breach of confidentiality by a bank. These are usually nominal damages, unless the client has suffered financial loss. Injunctive relief is also available.

    In addition to the banker’s duty of confidentiality at common law, authorised institutions (AIs) (ie, licensed banks, restricted licence banks and deposit-taking companies regulated by the Hong Kong Monetary Authority (the HKMA)) are also required to comply with regulatory guidance issued by the HKMA.

    That guidance includes circulars on customer data protection and a module in the HKMA’s Supervisory Policy Manual regarding outsourcing (SA-2). A detailed analysis of outsourcing laws is beyond the scope of this chapter; however, in summary, where an AI engages in outsourcing, it is expected under SA-2 to:

    • ensure that outsourcing arrangements comply with the relevant requirements (eg, the PDPO and the banker’s duty of confidentiality);
    • have controls in place to ensure that these requirements are observed and that proper safeguards are established to protect the integrity and confidentiality of customer information;
    • notify customers of the possibility that their data may be provided to another person as part of an outsourcing arrangement; and
    • ensure that all customer data is destroyed or retrieved (as permitted by law) where an outsourcing arrangement is terminated.

    AIs should discuss any outsourcing plans with the HKMA in advance and should be prepared to satisfy the HKMA that issues relating to customer data, among others, are properly addressed.

    The HKMA has also endorsed the Hong Kong Association of Banks’ Code of Banking Practice, which makes reference to AIs’ obligations under the PDPO and the relevant codes of practice issued by the PCPD, and reminds banks to comply with the relevant requirements.

    Breach of the HKMA’s regulatory guidance or the Code of Banking Practice does not, by itself, allow a customer to claim damages. However, it may lead to disciplinary action by the HKMA against the AI concerned, which in extreme cases can include suspension or revocation of the AI’s banking licence.

    Other persons

    Persons other than providers of banking services may also be subject to a duty of confidentiality depending on the circumstances. The most common situation in which a duty of confidentiality may arise is where information is received in the course of a relationship which a reasonable person would regard as involving a duty of confidentiality. Such relationships may include agents, trustees, partners, directors, employees and professionals, such as doctors and accountants.

    Although not exhaustive, the generally recognised exemptions to this duty of confidentiality, and the consequences of breach of this duty, are the same as those that apply to the banker’s duty of confidentiality, discussed above. 

    Official Secrets Ordinance

    Persons who come into possession of official information relating to security or intelligence services, defence, international relations, or criminal investigations are, under certain circumstances, prohibited under the Official Secrets Ordinance from disclosing such information. The Official Secrets Ordinance is unlikely to be relevant to an investigation unless the person being investigated has a relationship with a government that would put that person in a position such that it is likely to receive such information.

3. What can constitute personal data for the purposes of data protection laws?

    The PDPO defines personal data as any data relating directly or indirectly to a living individual, from which it is “practicable” for the identity of the individual to be directly or indirectly ascertained, and in a form in which access to or processing of the data is practicable.

    “Practicable” is defined as “reasonably practicable”. When considering whether data is personal data, the PCPD will consider all relevant data controlled by the party in question. If it is reasonably practicable for that party to ascertain from the totality of such data the identity of the data subject, then the data is personal data and the PDPO applies. It is commonly understood that a person’s name in isolation generally does not constitute personal data.

4. Does personal data protection relate only to natural persons or also legal persons?

    Personal data protection extends only to natural persons, not to legal persons such as companies.

5. To whom do data protection laws apply?

    In relation to transfers of personal data, the direct obligations under the PDPO are only applicable to “data users”. A data user is defined as a person who (either alone or jointly or in common with others) controls the collection, holding, processing or use (which includes disclosure or transfer) of the data.

    A data processor is not obliged to comply with the requirements of the PDPO in respect of any personal data for which it is a data processor. A person is taken to be a data processor if he holds, processes or uses personal data solely on behalf of another person, and not for his own purpose.

6. What acts or operations on personal data are regulated by data protection laws?

    The acts regulated by the PDPO are the collection, use, disclosure and retention of personal data. There are currently no restrictions on the cross-border transfer of personal data over and above those in place for transfers of personal data within Hong Kong. A provision has been enacted that would place extra restrictions on cross-border transfers (section 33 of the PDPO), but it has not yet been implemented (see question 16).

7. What are the principal obligations on data controllers to ensure the proper processing of personal data?

    Personal data must be processed in accordance with the six principles set out in the PDPO.

    • Principle 1 is that personal data must be collected by means that are lawful and fair in the circumstances. All practicable steps must also be taken to ensure the data subject is explicitly or implicitly informed of their rights and obligations.

    To comply with this principle, the data subject must be given certain information when their personal data is collected. This includes whether it is obligatory to supply the data and any consequences of not supplying the data. The data subject should be explicitly informed of the purpose for which the data is to be used and the classes of person to whom the data will be transferred. This information is usually provided by way of a written notice, which is generally referred to as a Personal Information Collection Statement. For the statement to be effective, it should be presented in a conspicuous manner and the language used should be easily understandable.

    • Principle 2 is that personal data must be accurate and, where necessary, kept up to date. Personal data shall not be kept longer than is necessary for the fulfilment of the purpose for which the data is or is to be used.
    • Principle 3 is that personal data shall not be used for a purpose other than that notified to the data subject.
    • Principle 4 is that appropriate measures must be taken against unauthorised or unlawful access, processing, erasure, loss or use of personal data.
    • Principle 5 is that practicable steps must be taken to ensure that a data subject can understand the data user’s policies and stay informed about the kind of personal data held by a data user and the main purpose or purposes for which it is held.
    • Principle 6 is that data subjects should be able to find out whether a data user holds any of their personal data and to request access to, and correction of, that personal data where necessary.

    Hong Kong law does not recognise the concept of special categories of personal data, such as sensitive personal data.

    Apart from the six principles above, the PDPO also restricts the processing of personal data for direct marketing purposes.

    “Direct marketing” includes offering or advertising goods or services through “direct marketing means” (ie, sending information or making phone calls to specific persons).

    Data users who intend to use data subjects’ personal data in direct marketing must (i) inform the data subjects of the data user’s intention to use their personal data for that purpose and that the data user may not use their personal data for direct marketing unless the data user receives their consent, (ii) provide the data subjects with information on the intended use of their personal data for direct marketing (including the kinds of personal data to be used and the classes of marketing subjects in relation to which the data is to be used), (iii) provide a channel through which the data subjects may, without charge by the data user, communicate their consent, and (iv) obtain such consent. A data user must also notify data subjects when using their personal data in direct marketing for the first time.

    The requirements for data users who intend to provide data subjects’ personal data to third parties for their use in direct marketing are even stricter, and include the requirement to provide certain information (eg, whether their personal data will be provided for gain and the classes of persons to whom the data will be provided) to data subjects in writing and the requirement to obtain data subjects’ consent in writing. 

    If at any time a data subject requests that a data user stop using, or stop providing to third parties, their personal data for direct marketing, the data user must comply without levying a charge on the data subject.

    Contravening the requirements for use or provision of personal data in direct marketing constitutes one or more criminal offences (see question 20).

    DATA EXTRACTION BY THIRD PARTIES FOR DATA COLLECTION PURPOSES

8. Before data extraction by third parties commences, should steps be taken to ascertain whether non-locally generated data was lawfully transferred to, or within, your jurisdiction in the first instance?

    The PDPO does not restrict the transfer of personal data into Hong Kong. Data users should, however, ensure that the transfer of personal data to Hong Kong from other jurisdictions complies with the domestic data privacy laws of the originating jurisdiction. Transfers within Hong Kong should be compliant with the principles for processing personal data under the PDPO.

9. Are there additional requirements where third parties process the data on behalf of the entity to which data protection laws primarily apply?

    If a data user engages a local or overseas data processor to process personal data on its behalf, the data user must adopt contractual or other means to prevent any personal data transferred to the data processor from being kept longer than necessary for the specified processing and to prevent the unauthorised or accidental access, processing, erasure, loss, or use of the personal data. Also see question 15.

10. Is the consent of the data subject mandatory for the processing of personal data as part of an investigation? And how can consent be given by a data subject?

    Whether consent is needed depends on the purposes for which the personal data was originally collected from the data subject. If the investigation falls within those purposes (which is a question of fact), no consent would be required. If the investigation falls outside those purposes, subject to a consideration of potentially applicable exemptions (see question 17), express consent would be required.

    If consent is required, it must be express and not withdrawn by notice in writing served on the person to whom the consent has been given.

    Express consent can be given either orally or in writing. Consent can be obtained through a website as long as the other requirements of the PDPO (see question 7) are met.

11. If not mandatory, should consent still be considered when planning and carrying out an investigation?

    Yes, consent should be considered as an enabling action when planning out an investigation.

12. Is it possible for data subjects to give their consent to such processing in advance?

    Yes, data subjects can give their consent through standard terms and conditions as long as the requirements of the PDPO (see question 7) are satisfied. Consent language should be presented in a manner that renders it easily readable and understandable in terms of its length, complexity, font size and accessibility.

13. What rights do data subjects have to access or verify their personal data, or to influence or resist the processing of their personal data, as part of an investigation?

    Under Principle 6 in the PDPO (see question 7), a data subject or a relevant person acting on their behalf can ask for confirmation that a data user holds personal data for which he is the data subject, request access to this data and ask for it to be corrected if it is inaccurate.

    A “relevant person” could be a parent of the data subject, a person appointed by the court, or a person authorised in writing by the individual.

    Under the PDPO, the normal time period for complying with a data access request is 40 days after the receipt of such request.

    There are various grounds on which a data user can refuse to comply with a data access request. The data user is entitled to refuse to comply if the request is not made in the form prescribed under the PDPO. The form has been designed to make clear the following matters:

    • the fact that a data access request is being made under the PDPO;
    • the particular provision(s) of the PDPO under which such request is being made;
    • the precise scope of the data to which the request relates; and
    • the way of handling (including the time for compliance with) the request and possible consequences of failure to do so.

    Another key exemption is that the data user should, where the personal data requested also contains the personal data of another individual(s), refuse to comply with the request unless consent from that person is obtained or the personal data of that other individual is erased from the data before release.

    A data user is obliged to give to the requestor written notification of the refusal and reasons for the refusal.

    Where the scope of a data access request is too generic (eg, “all of my data”) and the requestor provides no information to specify or otherwise assist in locating the data requested, the data user’s duty of compliance may extend only to such data as it may reasonably and practicably be expected to provide.

    It is important to note that the data requester is entitled to a copy of his or her personal data only, not every document that refers to him or her.

    After personal data has been provided to the requestor pursuant to a data access request, the requestor may request the correction of such data. The data user is obliged to comply with a data correction request only if it is satisfied that the personal data to which the data correction request relates is inaccurate.

    As part of the investigation, if data has been disclosed to third parties by the data user, and data access and correction requests are then received, the data user should ascertain whether the third party has ceased using that data. If the data user has no reason to believe that the third party has ceased using the data for the purpose for which it was disclosed, the data user should take all practicable steps to supply the third party with a copy of the corrected personal data and a written notice of the reasons for the correction.

    Exemptions are provided under the PDPO from the application of Principle 6 where:

    • data is held for the purposes of, among other things, the prevention, preclusion or remedying (including punishment) of unlawful or seriously improper conduct, dishonesty, or malpractice, or discharging certain functions of a financial regulator; and
    • the requests would either be likely to prejudice any of those purposes, or be likely to identify directly or indirectly the person who is the source of the data.

    Therefore in the context of an investigation, a data user would be able to resist data access and correction requests regarding data held for the aforesaid purposes to the extent that complying with the request would prejudice those purposes or identify the source of data. A data subject would still be able to access or correct data that would not prejudice those purposes.

    TRANSFER FOR LEGAL REVIEW AND ANALYSIS

14. How are law firms, and legal process outsourcing firms, generally characterised in your jurisdiction?

    Law firms and other external processing agents, if they process data on behalf of another person and not for their own purposes, are regarded as data processors. This is usually the case when law firms and other agents are engaged to provide services in the context of an investigation.

15. Are there any additional requirements, beyond those specified above, that regulate the disclosure of data to third parties within your jurisdiction for the purpose of reviewing the content of documents, etc?

    Under the PDPO, unless an exemption applies, personal data cannot be transferred to another person for a new purpose unless the consent of the data subject has been obtained. A new purpose means any purpose other than that for which the data was to be used at the time of its collection or one directly related to that purpose.

    If personal data disclosed to a third party is materially inaccurate, all practicable steps must be taken to ensure that the third party is informed that the data is inaccurate and is provided with enough information to rectify the inaccuracy. See also question 13. The right to make the transfer itself is not affected.

    As to the use by a data user of third-party data processors to process data on its behalf, see question 9.

16. What rules regulate the transfer of data held in your jurisdiction to a third party in another country for the purpose of reviewing the content of documents, etc?

    There is currently no restriction on the cross-border transfer of personal data over and above those in place for transfers of personal data within Hong Kong.

    A provision has been enacted that would place extra restrictions on cross-border transfers (section 33 of the PDPO), but it has not yet been brought into force. Were it in force, data users would be prohibited from transferring data to a place outside of Hong Kong unless:

    • the data user has reasonable grounds for believing that there is in force in that place any law that is substantially similar to, or serves the same purposes as, the PDPO;
    • the data subject has consented to the transfer in writing;
    • the data user has reasonable grounds to believe that the transfer is for the avoidance or mitigation of adverse action against the data subject, where it is not practicable to obtain consent but if it was practicable to obtain such consent, the data subject would give it; or
    • the data user has taken all reasonable precautions and exercised all due diligence to ensure that the data will not, in that place, be collected, held, processed or used in any manner which, if the place were Hong Kong, would be a contravention of a requirement under the PDPO.

    Section 33 also contains certain exemptions to the cross-border transfer restrictions, such as for certain transfers for the purposes of preventing and investigating crime. 

    The transfer restrictions will not apply to transfers to jurisdictions set out by the PCPD in a notice published in the Gazette, or jurisdictions where the data user has reason to believe an equivalent law to the PDPO is in force. As at the date of this survey, there is no indication yet which jurisdictions these would be.

    In May 2017, the government put before the Legislative Council preliminary findings of a business impact assessment on the implementation of section 33. As at the date of this survey, no timetable of its implementation has yet been set by the authorities.

    Large corporations and financial institutions in Hong Kong tend to follow section 33 as if it were in force as a precautionary measure; the HKMA advises in SA-2 that AIs take account of section 33 and the potential impact on their plans for overseas outsourcing.

    TRANSFER TO REGULATORS OR ENFORCEMENT AUTHORITIES

17. Under what circumstances is the transfer of personal data to regulators or enforcement authorities within your jurisdiction permissible?

    Any transfer of personal data to regulators within Hong Kong must comply with the principles set out in the PDPO (see question 7) including, for example, that personal data shall not be used for a purpose other than that notified to the data subject.

    There are, however, exemptions to the general prohibition (Principle 3) under the PDPO:

    • where the data is used for, among other things, the prevention, preclusion or remedying (including punishment) of unlawful or seriously improper conduct, dishonesty, or malpractice, or discharging certain functions of a financial regulator; and not disclosing the data would be likely to prejudice such purposes; or
    • the disclosure is required by a law in Hong Kong.

    It is therefore often the case that disclosure of personal data to Hong Kong regulators as part of an investigation falls within the exception to Principle 3.

    For example, the Securities and Futures Commission may, during the course of an investigation and under the Securities and Futures Ordinance, issue to a bank a notice to produce certain records or documents that may contain a customer’s account information. Disclosure of personal data by the bank pursuant to the notice would fall under the second exception above.

18. Under what circumstances is the transfer of personal data held within your jurisdiction to regulators or enforcement authorities in another country permissible?

    Any transfer of personal data to regulators outside Hong Kong must comply with the principles in the PDPO (see question 7). As there is currently no legislative provision applying to cross-border data transfers, there are no additional restrictions relating to the transfer of data to a regulator in another jurisdiction.

19. What are some recommended steps to take on receipt of a request from a regulator for disclosure of personal data?

    Data users should be cautious when handling requests for disclosure from a regulator. By way of example, a bank was criticised by the PCPD for providing personal data of a police officer to the police for its internal disciplinary investigation, without the consent of the officer and without questioning the nature and purpose of the request. The PCPD considered that there was simply insufficient information available to satisfy the PCPD that the situation was serious enough to fall under the “seriously improper conduct” exception under the PDPO, hence the bank’s disclosure was unjustified and in breach of data protection principles.

    Faced with such requests, the data user should consider:

    • the purpose for which the data is required;
    • whether the data user has obtained adequate consent from the data subject, and if not, whether it could now do so, provided that seeking consent now would not breach any other law;
    • whether the personal data requested can be obtained from other sources;
    • how the lack of such data may prejudice the purpose of obtaining the data; and
    • whether the request to provide the data was made subject to legal compulsion under Hong Kong law.

20. What are the sanctions and penalties for non-compliance with data protection laws?

    Contravention of the requirements relating to the use, or provision to third parties for their use, of personal data for direct marketing constitutes one or more criminal offences. In addition, a criminal offence is committed if any person discloses personal data obtained from a data user without the data user’s consent with the intent to profit financially or cause loss to the data subject, or if the disclosure causes psychological harm to the data subject. The maximum penalty for each offence is a fine of HK$1 million and imprisonment for up to five years.

    The PCPD can conduct its own investigations, regardless of whether a complaint is received, about suspected breaches of the PDPO. If the PCPD, following completion of an investigation, finds that the relevant data user has contravened a requirement under the PDPO, the PCPD may issue an enforcement notice requiring the data user to remedy the contravention. Non-compliance with the notice is a criminal offence. On first conviction, the maximum penalty is a fine of HK$50,000 and imprisonment for two years, and a daily fine of HK$1,000 if the offence continues after conviction. 

    If section 33 of the PDPO comes into operation, a failure to comply with the restrictions on cross-border transfer will constitute a criminal offence carrying a maximum penalty of a fine of HK$10,000. If an offence is committed by a body corporate with the consent, connivance or negligence of any director, manager, secretary or similar officer of the body corporate, that person will be considered equally guilty of the offence under the PDPO.

    A data subject who suffers damage (including distress) through a breach of the PDPO by a data user may seek compensation from the data user. Compensation is awarded by the courts and not the PCPD.

    CONTINUING OBLIGATIONS ON ORIGINAL AND INTERVENING DATA CONTROLLERS

21. What are the continuing obligations on the original data controller that apply in an investigation?

    In addition to those obligations mentioned in question 15, as a matter of good practice, the PCPD further recommends the following:

    • it should be made plain to data subjects when collecting their personal data that their data may be processed by data processors;
    • proper records of all personal data transferred for processing should be kept; and
    • inspections should be made by the data user to establish how the processor handles and stores personal data (this should be provided for in the contract).

22. What are the continuing obligations on any intervening data controller that apply in an investigation?

    Any intervening data user is obliged to observe and comply with the requirements of the PDPO. Its obligations are therefore the same as those of the original data user.

    RELEVANT MATERIALS

23. Provide a list of relevant materials, including any decisions or guidance of the data protection authority in your jurisdiction regarding internal and external investigations, and transfers to regulators or enforcement authorities within and outside your jurisdiction.
