For the first time since the Personal Data (Privacy) Ordinance came into force in 1996, an individual has received a jail sentence for breach of the Ordinance.

The Personal Data (Privacy) Ordinance (PDPO) protects the personal data of living individuals. Any person who controls the collection, processing, storage or use of personal data in Hong Kong is subject to the requirements of the PDPO.

Breach of the PDPO or non-compliance with enforcement notices issued by the Privacy Commissioner, may amount to a criminal offence and result in a fine and/or imprisonment. For example, a person who uses personal data for direct marketing purposes without the relevant data subject’s consent will commit an offence and be subject to a maximum fine of HK$500,000 and up to three years imprisonment. Failure to comply with an enforcement notice issued by the Privacy Commissioner, which requires certain remedial or preventative steps to be taken, will also constitute an offence, and attracts a maximum fine of HK$50,000 and two years imprisonment on first conviction (with a daily penalty of HK$1,000 if the offence continues).

The case

In October 2012, an individual lodged a complaint with the Office of the Privacy Commissioner claiming that an insurance agent had obtained her personal data through unfair means.

The insurance agent had originally contacted the complainant whilst he was employed at insurance company A. The insurance agent subsequently moved to insurance company B. He then contacted the complainant and persuaded her to sign up for a new insurance policy, without disclosing the fact that he had resigned from insurance company A and the policy would be issued by insurance company B. The complainant claimed that the insurance agent had misled her, and in so doing had obtained her personal data by unfair means.

The Privacy Commissioner made enquiries with the insurance agent. In response to those enquiries, the insurance agent falsely told the Privacy Commissioner that he had been assigned to work with the complainant whilst he was employed by insurance company A. However, this was denied by insurance company A. The insurance agent had therefore committed an offence under Section 50B(1)(b)(i) of the PDPO.

Under Section 50B(1)(b)(i) of the PDPO, it is a criminal offence for a person to make a statement to the Privacy Commissioner, which he knows is false, or to knowingly mislead the Privacy Commissioner. Such an offence incurs a maximum fine of HK$10,000 and six months imprisonment.

On 4 December 2014, the insurance agent was sentenced to four weeks imprisonment.

Section 64 of the PDPO

It is worth noting that the insurance agent’s actions could have potentially fallen foul of Section 64 of the PDPO. The new Section 64 was introduced by the 2012 amendments to the PDPO, and makes it an offence for a person to disclose any personal data obtained from a data user without that data user’s consent, if:

  • that person intended to make a gain (either monetary or otherwise), for their own benefit or the benefit of another
  • that person intended to cause loss to the data subject, or
  • the disclosure caused psychological harm to the data subject.

An example of when a person may be in breach of Section 64 was given in an information leaflet issued by the Privacy Commissioner (see Offence for disclosing personal data obtained without consent from the data user, September 2012). The example concerns the sale by an employee of customers’ personal data in return for money, without the consent of his employer. In such circumstances, it would be the employee, rather than the employer, who would be guilty of an offence under Section 64, and liable to a maximum fine of HK$1,000,000 and five years imprisonment.

As no written judgment is available in respect of the insurance agent’s conviction, it is not clear whether or not his actions could have amounted to an offence under Section 64 of the PDPO. So far, no person has been charged under Section 64 of the PDPO.


This is the first time a prison sentence has been issued for a breach of the PDPO, and is likely to be only the start of such actions and convictions. We anticipate that the Hong Kong courts will start to take a more hard-line approach to offenders under the PDPO, not only in respect of Section 50B(1)(b)(i), but also other provisions, for example Section 35E (which makes it an offence to use an individual’s personal data for direct marketing without their consent), Section 50A (which makes it an offence to breach an enforcement notice issued by the Privacy Commissioner) and possibly Section 64 discussed above.

The amendments made to the PDPO in 2012, the latest suite of guidance notes issued by the Privacy Commissioner, the fact that the Privacy Commissioner is recommending an increasing number of cases for prosecution and that the courts are willing to impose custodial sentences serve to emphasise the increased attention that the protection of personal data is receiving in Hong Kong.

In addition to providing full cooperation and responding honestly to any enquiries made by the Privacy Commissioner, it is vital that all data users carry out periodic audits and put in place mechanisms and procedures that ensure that their polices and practices are in full compliance with the provisions of the PDPO at all times.


Gabriela Kennedy and Karen Lee, Mayer Brown JSM.

Copyright: The Mayer Brown Practices. All rights reserved.
More information on compliance with the PDPO and privacy management issues can be found on the website of the Office of the Privacy Commissioner for Personal Data:


SIDEBAR: Personal data protection in cross-border data transfers

Section 33 of the Personal Data (Privacy) Ordinance provides stringent and comprehensive regulation of transfer of data to outside Hong Kong. It expressly prohibits the transfer of personal data to places outside Hong Kong except in circumstances specified in the Ordinance. This ensures that the standard of protection afforded by the Ordinance to the data under transfer will not be reduced as a result of the transfer. However, Section 33 of the Ordinance is not yet in operation.

Privacy Commissioner Allan Chiang commented, ‘the situation of global data flows is markedly different today than in the 1990s when the Ordinance was enacted. Advances in technology, along with changes in organisations’ business models and practices, have turned personal data transfers into personal data flows. Data is moving across borders, continuously and in greater scales. Organisations, including small and medium-sized enterprises, are enhancing their efficiency, improving user convenience and introducing new products by practices which have implications for global data flows. They vary from storing data in different jurisdictions via the ‘cloud’ to outsourcing activities to contractors around the world. Electronic international data transfers in areas such as human resources, financial services, education, e-commerce, public safety, and health research are now an integral part of the global economy.’

‘Against this background, the issue of regulating cross-border data flows is becoming more acute than ever before. Countries worldwide are adopting a range of mechanisms to protect the personal data privacy of individuals in the context of cross-border data flows. It is high time for the administration to have a renewed focus on the implementation of Section 33 to ensure that the international status of Hong Kong as a financial centre and a data hub will be preserved.’

In December last year, the Office of the Privacy Commissioner published guidance in this area. The Guidance on Personal Data Protection in Cross-Border Data Transfer seeks to assist organisations to prepare for the eventual implementation of Section 33 and enhance privacy protection for cross-border data transfer. It helps organisations understand their compliance obligations under Section 33. In particular, the PCPD has prepared a set of recommended model data transfer clauses to assist organisations in developing their cross-border data transfer agreement with the overseas data recipients. Organisations are encouraged to adopt the practices recommended in the guidance as part of their corporate governance responsibility even before Section 33 takes effect.

The ‘Guidance on Personal Data Protection in Cross-Border Data Transfer’ is available on the website of the Office of the Privacy Commissioner for Personal Data:

Source: The Office of the Privacy Commissioner for Personal Data