Office of the Privacy Commissioner for Personal Data

The Office of the Privacy Commissioner for Personal Data (PCPD) is a Hong Kong statutory body enforcing the Personal Data (Privacy) Ordinance.

Description
The Privacy Commissioner is charged with securing the privacy of individuals. The office is headed by the Privacy Commissioner for Personal Data, Ada Chung.

The office is divided into different functional units: Complaints Division, Criminal Investigation Division, Compliance & Enquiries Division, Legal Division, Global Affairs & Research Division, Corporate Communications Division and Corporate Support Division. It has investigatory and enforcement powers, and publishes best practices and other guidance to organizations and the general public. It is a member of various multinational organizations, including the Global Privacy Assembly (GPA), the APEC Cross-border Privacy Enforcement Arrangement (CPEA) and the Global Privacy Enforcement Network (GPEN).

Function
To guarantee the preservation and observance of personal data privacy, the Office of the Privacy Commissioner for Personal Data (PCPD) was founded in December 1996 to encourage and enforce adherence to personal data protection requirements.

The vision of PCPD is to cultivate a society that values and upholds privacy rights regarding personal data. First of all, PCPD aims to raise awareness and educate citizens on personal data privacy via publicity and educational activities. Secondly, PCPD facilitates the lawful and responsible use of personal data by providing suggestions and guidelines. Thirdly, the PCPD uses effective enforcement measures in order to diligently monitor and supervise compliance. Lastly, PCPD reviews and improves continuously to align with global standards for personal data privacy protection.

The PCPD functions based on its core values which include respect for personal data privacy, integrity, embracing technological advancements, and independence. By sticking to its core values, the PCPD provides professionalism and fairness in its actions and decisions.

Therefore, in order to achieve its core values and objectives, the PCPD has developed plans and strategies in several critical areas. The PCPD collaborates with other regulators and data protection offices to manage cross-border privacy concerns and to resolve complaints efficiently, securing equity and fairness. The PCPD also monitors and supervises compliance, proactively investigates significant privacy risks, and helps organisational data users comply with the Ordinance.

History
The PCPD is an independent statutory body established on 1 August 1996 under statutory provisions that provided for its establishment; the Ordinance itself came into effect on 20 December 1996. The PCPD's predecessor was the "Legal Reform Commission's Privacy Sub-committee". According to the "Privacy Commissioner's Overview 1999-2000", the establishment of the Sub-committee was influenced by the "OECD Privacy Guidelines" of the early 1980s, in which Justice Michael Kirby provided key principles for handling personal data; he was regarded by Hong Kong's first Privacy Commissioner as the "father" of the OECD (Organisation for Economic Co-operation and Development) principles for personal data protection.

Beginning in 1989, the Sub-committee undertook a review of Hong Kong laws and made recommendations to protect individuals' privacy from undue interference. This review process culminated in the enactment of the Personal Data (Privacy) Ordinance on 3 August 1995. In early 1996, the Sub-committee published a consultation paper proposing measures to address illegal surveillance activities, such as making it an offence to place or use surveillance devices without the consent of the lawful occupier of private premises.

In 1997, discussions surrounding issues such as spam calls, pinhole cameras and unauthorised recording contributed to the understanding that personal data could be exposed to the risk of unauthorised or accidental access, processing, erasure, loss or use. This realisation prompted the expansion of the Sub-committee's focus to include preventing unfair data collection practices in the business sector, upholding principles such as lawful means and purposes of collection, accuracy and retention of data, openness and security of data, and data access and correction, and fostering a culture of personal data protection and respect.

As a result, requirements were soon introduced regarding the purpose and manner of data collection, data retention, data access and correction, disclosure and transfer of personal data, and the appropriate use of such data. The PCPD's role encompasses enforcing these provisions and promoting compliance with the Personal Data (Privacy) Ordinance, including but not limited to the collection of data by public entities, in the business sector and in daily life.

Structure
The Privacy Commissioner is appointed by the Chief Executive of Hong Kong and is accountable to the Chief Executive. The primary responsibilities of the Commissioner involve overseeing and ensuring adherence to the regulations set out in the Ordinance. These responsibilities include investigating complaints and providing guidance through the issuance of guidelines and codes of practice. Like the Chief Executive Officer of the Securities and Futures Commission (SFC), the Privacy Commissioner is distinct among the heads of statutory bodies in heading a commission that possesses statutory powers of criminal investigation and enforcement without holding the position of a principal official within the HKSAR government.

The Deputy Privacy Commissioner for Personal Data is Ms Fanny Wong. The three Assistant Privacy Commissioners are Ms Joyce Lai (Corporate Communication and Compliance), Ms Cecilia Siu (Legal, Global Affairs and Research), and Mr Billy Kwan (Complaints and Criminal Investigation).

Headed by the Privacy Commissioner, PCPD is an independent statutory body with seven functional divisions, namely Complaints Division, Criminal Investigation Division, Compliance & Enquiries Division, Legal Division, Global Affairs & Research Division, Corporate Communications Division and Corporate Support Division.

Chaired by the Privacy Commissioner, the Personal Data (Privacy) Advisory Committee (PDPAC) was created under section 11 of the Personal Data (Privacy) Ordinance with the purpose of providing guidance and advice to the Privacy Commissioner regarding personal data privacy protection and the functioning of the Ordinance. It is committed to ensuring an effective framework for safeguarding personal data privacy in Hong Kong.

Concurrently, the Standing Committee on Technological Developments (SCTD) was established specifically to address the impact of advances in data processing and computer technology on individual privacy concerning personal data. Its primary role is to advise the Commissioner on matters pertaining to the evolving landscape of data processing and to keep the Commissioner informed of the importance of protecting individuals' privacy rights in times of rapid technological advancement.

The PDPAC and SCTD play crucial roles in advising the Privacy Commissioner, enabling the formulation of informed policies and practices that align with the evolving nature of personal data privacy and technological advancements.

List of Privacy Commissioners for Personal Data

 * 1) Stephen Lau Ka-man (1 August 1996 – 31 October 2001)
 * 2) Raymond Tang Yee-Bong (1 November 2001 – 31 July 2005)
 * 3) Roderick Woo Bun (1 August 2005 – 31 July 2010)
 * 4) Allan Chiang Yam-wang (1 August 2010 – 3 August 2015)
 * 5) Stephen Wong Kai-yi (4 August 2015 – 3 September 2020)
 * 6) Ada Chung Lai-ling (since 4 September 2020)

Development
The development of the Office of the Privacy Commissioner for Personal Data (PCPD) in Hong Kong can be traced back to the enactment of the Personal Data (Privacy) Ordinance (PDPO) in 1995, which aimed to regulate the collection, use and disclosure of personal data by individuals and organisations.

The PDPO was a significant milestone in the development of privacy protection in Hong Kong. It established a legal framework for the protection of personal data and set out the responsibilities of data users and the rights of data subjects. However, it lacked an independent regulatory body to oversee and enforce compliance with the Ordinance. Recognising the need for an independent authority to enforce the PDPO, the PCPD was established under section 5(1) of the Ordinance upon its enactment. The PCPD was given the power to investigate complaints, issue enforcement notices and promote compliance with the PDPO. It operates independently from the government and is accountable to the Privacy Commissioner, who is appointed by the Chief Executive. Over the years, the PCPD has evolved to keep up with emerging challenges in an increasingly complex society.

One prominent development has been the amendment of the PDPO. There had been discussions on amending the law to improve personal data protection within the territory. The amended ordinance, the Personal Data (Privacy) (Amendment) Ordinance (PDPAO), took effect in late 2021. Its main distinguishing feature is the criminalisation of doxxing acts (i.e. openly exposing someone's private personal data such as name, address and occupation). Section 64(3A) of the amended ordinance reads, "A person commits an offence if the person discloses any personal data of a data subject without the consent of the data subject...".

The scope of the PCPD was therefore expanded: it was empowered to investigate criminal activities including doxxing and was given the authority to initiate legal proceedings to prosecute the related offences. In addition, the Privacy Commissioner was granted statutory powers to ensure the cessation of the sharing of doxxing messages. Under the Amendment Ordinance, the PCPD has new criminal investigation and prosecution powers to handle doxxing cases on a "one-stop" basis, from criminal investigation to collection of evidence and prosecution.

To keep pace with the evolving global privacy landscape, the PCPD has also engaged in international privacy-related initiatives. For instance, the PCPD participates in the Data Privacy Subgroup under the Digital Economy Steering Group, which concerns cross-border transfers of information; the PCPD has also actively participated in forums convened by members of the Asia Pacific Privacy Authorities, discussing and sharing a wide range of issues related to privacy and security. These engagements allow the PCPD to develop into a more comprehensive body through the exchange of ideas and knowledge, so that it can better contribute to the development of privacy policies and standards both inside and outside Hong Kong.

Literature review
Although Hong Kong and Singapore share a similar global status as highly developed Asian financial hubs renowned for their well-developed economies, mature infrastructure and favourable business environments, their privacy laws differ slightly.

Whereas privacy law in Hong Kong is governed by the PDPO, as previously mentioned, the governing statute in Singapore is the Personal Data Protection Act (PDPA). Under the PDPA, the Personal Data Protection Commission (PDPC) acts as the enforcement body (similar to the PCPD). It governs the collection, use, disclosure and care of personal data in Singapore (Chesterman, 2012).

The main differences lie in enforcement. The nature of deterrence differs markedly between Hong Kong and Singapore. Non-compliance in Hong Kong can result in criminal charges and monetary fines, as illustrated by section 64(3B) of the PDPO: "A person who commits an offence under subsection (3A) is liable on conviction to a fine at level 6 and to imprisonment for 2 years". In Singapore, penalties are more administrative in nature. Section 48I sets out the directions for non-compliance, which is to "give the organisation or person (as the case may be) any direction that the Commission thinks fit in the circumstances to ensure compliance with that provision". This is more lenient and flexible than the position in Hong Kong.

The Personal Data (Privacy) Amendment Ordinance 2021
The Amendment Bill was proposed to address invasive doxxing acts that violate personal data privacy by making doxxing a criminal offence and empowering the Commissioner with statutory power to issue cessation notices, which require the immediate cessation or limitation of the disclosure of doxxing content. However, the amendment was criticised for giving excessive power to the PCPD, such as the power to initiate criminal investigations and the power to prosecute. The Asia Internet Coalition (AIC), an industry association of leading Internet and technology companies in the Asia Pacific region, expressed its concern about the ambiguous definition of "doxxing acts":

“The definition of “doxxing acts” in the proposed amendments creates problematic ambiguity - in particular, given that at present there is no universally accepted or acknowledged definition for “doxxing”, this gives rise to legitimate concerns that “doxxing” in the proposed amendments could have an overly broad interpretation such that even innocent acts of sharing of information online could be deemed unlawful under the PDPO.”

AIC also suggested that the proposed anti-doxxing provision did not consider legitimate situations in which personal data may be disclosed without the data subject's consent, e.g. disclosure in the public interest.

Anonymous Open Letter by the Staff of the PCPD
In 2019, an anonymous open letter was issued by people claiming to be staff of the PCPD to express their views regarding the social incidents of that time. In response to the letter, the PCPD issued a statement.

2010 Octopus sold personal data of customers for HK$44m
In 2010, it was reported that the Octopus Card issuer had made HK$44 million over the previous four and a half years by selling cardholder data. This was disclosed in a special hearing conducted by the Privacy Commissioner for Personal Data. Octopus Holdings chief executive Prudence Chan Bik-wah said she wished to "sincerely apologise" to affected cardholders.

2010 Six banks transfer personal data for marketing purposes
In August 2010, the Hong Kong Monetary Authority publicly disclosed that CITIC Bank International, Citibank, Fubon Bank, Industrial and Commercial Bank of China, Wing Hang Bank, and Wing Lung Bank were guilty of transferring customer data to unaffiliated parties for marketing purposes. In a separate investigation, the privacy commissioner for personal data concluded that the actions of some of the banks were equivalent to the sale of personal data.

2017 Notebooks containing HK voters' data were stolen
The Registration and Electoral Office reported in March 2017, right after the Chief Executive election, that it had lost two laptop computers containing the personal information of 3.7 million voters. This could be one of the most significant data breaches ever in Hong Kong, considering that the city's population is less than 8 million.

HK Leaks
Since 2019, a website called HK Leaks has published personal information on more than 2,000 pro-democracy figures. When asked in August 2021 whether the site violated any laws, the PCPD said it would not comment on individual cases, and repeated the same response in May 2023.

To My Nineteen Year Old Self
In 2023, the documentary "To My Nineteen Year Old Self" was alleged to have violated the students' consent for filming. The Privacy Commissioner for Personal Data, Ms Ada Chung Lai-ling, stated that the PCPD had contacted the school for further information. She also said that, according to the Personal Data (Privacy) Ordinance, if the purpose for which data was collected has changed, consent should be obtained from the data subject, and that the data subject also has the right to withdraw consent previously given. According to the PCPD's media statement on the incident, the PCPD had not received any complaint or enquiry concerning it.

Personal Data Breach Incidents of the Registration and Electoral Office
In 2022, two personal data breach incidents involving the Registration and Electoral Office (REO) were investigated by the PCPD. In the first incident, a staff member of the REO mistakenly sent files containing the data of around 15,000 electors to an unknown recipient. The PCPD stated that this incident was mainly due to human error.

In the second incident, the REO attached a reply slip containing the personal data of an Election Committee (EC) member and their assistant (names, email addresses and phone numbers) to an email sent to 38 EC members and 26 assistants. After investigation, the PCPD concluded that this incident was also due to human error. According to the Privacy Commissioner, Ms Ada Chung Lai-ling, these two incidents revealed that the REO had not taken all practicable steps to ensure that personal data was protected from unauthorised or accidental access, processing, erasure, loss or use, thereby contravening DPP4(1) concerning the security of personal data under the Personal Data (Privacy) Ordinance.

Prohibition on Face Covering Regulation
In response to the concerns raised by the prohibition on face covering, the PCPD stated that the Prohibition on Face Covering Regulation was not in conflict with the Personal Data (Privacy) Ordinance, on the grounds that the rights of suspects would not override the public interest in the timely and effective prevention and detection of crime and the apprehension or prosecution of offenders by the police. The PCPD suggested that privacy rights can also be restricted on public order and national security grounds.

Tightening Search Arrangement
In 2021, the Hong Kong government proposed to tighten company search arrangements, including that the residential addresses and identification numbers of directors and company secretaries would no longer be accessible to the public, that searches would require personal identification information such as name and HKID number, and that individual registered vehicle owners would be notified of searches of their vehicle registration records at the Transport Department.

The PCPD stated that the tightened arrangement at the Transport Department was not problematic from the perspective of the Personal Data (Privacy) Ordinance. In response to the several measures by the government to tighten search arrangements, the Privacy Commissioner for Personal Data, Ms Ada Chung Lai-ling, stated that whether a restriction is proportionate depends on the purposes of the search arrangements.

Lack of Deterrence
During 2022-2023, more than a thousand cessation notices were sent to 28 online platforms, most of them operated by overseas service providers, requesting the removal of nearly 20,000 doxxing messages. Although the compliance rate for removing these messages was high, it took a long time for the service providers to delete them. Even when the content is eventually deleted, the victim has already been harmed for a long time.

The maximum fine of HK$50,000 and prison sentence of up to 2 years were introduced in 1996. However, it is widely believed that the effectiveness of this penalty in deterring offences is relatively low. Privacy Commissioner Ada Chung Lai-ling stated in an interview that the principle of the Privacy Ordinance is voluntary and clear: if a company notifies its customers that their personal data will be transferred and states the purpose of use, the situation is legal, and the incidents that occurred before were just independent events. However, she believes that the deterrent effect is no longer enough, and the PCPD is cooperating with the government to review the relevant penalties.