Hong Kong Privacy Law Update



The HK government recently reviewed privacy law and this has been reflected in the Personal Data (Privacy) (Amendment) Ordinance which commenced on 1 April 2013. We discuss the new position and key changes in this article.


The latest position

HK law defines “direct marketing” in a broad manner. If you directly market to contacts of a corporate client and target the corporation as opposed to the individuals themselves, then this would be considered acceptable practice.


However, it must be noted that there are several “best practice” points of recommendation:


  • You should inform the recipient that their personal data may be used for the purposes of direct marketing;
  • You should take steps to provide the recipient with an on-going opportunity to opt-out from direct marketing. Where this is done by email, it is recommended that the opportunity to opt-out is written in English and Chinese. Where a recipient has previously indicated that they wish to receive written correspondence in a specific language, that language should ideally be used to provide the recipient the opportunity to read the instructions for opting-out. If a recipient does not take steps to notify you of their objection, this may be construed as consent and is likely to assist in protecting your legal position;
  • Where group email marketing is used, it is imperative that individuals remain anonymous so that their identity is confidential. This may include copying recipients into the bcc email function and taking active steps to ensure that no personal details belonging to the recipients are visible in the group email; and
  • One issue to consider is the packaging of marketing communications. One possible method of protecting your position is to repackage your communications so that they are not necessarily perceived as marketing. For example, some service providers regularly update their customers with market updates and information. Whilst such approaches are no doubt subtle methods of marketing and/or contain marketing information, it would be more difficult to prove that such communications are necessarily “direct marketing”.


What about transferring personal data within an organisation?

In today’s globalised commercial world, many organisations may consider the possibility of transferring personal data between branches, and sometimes across jurisdictions. Whilst the data protection rules in each country are different, and legal advice should be sought in the relevant jurisdiction, the following safety measures should be taken before transferring an individual’s personal data:


  • Notify the individual:

That you intend to transfer his personal data;

  That you will not transfer their personal data without written consent;

  What the purpose of the data transfer is;

  What personal data will be transferred;

  Who the personal data will be transferred to;

  What products, facilities or services will be marketed to them; and

  How they can consent to such a transfer.

  • Ensure that the individual has provided written consent before any transfer of personal data takes place.
  • Ensure that there are sufficient measures in place to assess and monitor transfers of personal data.



Minor penalties for breach of personal data protection may include fines of up to HK$500,000 and imprisonment of up to three years. However, a defence is available where it can be proved that reasonable precautions were made to prevent breaches.


It is worth noting that serious non-compliance where personal gain is involved will constitute a criminal offence and penalties may include fines of up to HK$1,000,000 and imprisonment for up to five years.