Cybersecurity and Data Protection Overview – Hong Kong

What is the governing legislation?

Financial institutions should also be aware of cybersecurity guidance and regulations that are issued by the relevant regulatory authorities from time to time. These include:

What are the offences?

Cybercrime Offences

Provision | Source
--- | ---
Obtaining unauthorised access to a computer by telecommunications | Telecommunications Ordinance, s. 27A
Misusing a computer, including causing it to function other than it ought to, altering or removing data, or adding any program or data | Crimes Ordinance, ss. 59 and 60
 | Theft Ordinance, s. 11
Falsifying bank records or effecting an unauthorised transfer of any deposit or stock by hacking | Crimes Ordinance, s. 85
Using a computer with criminal or dishonest intent | Crimes Ordinance, s. 161
Falsifying, destroying, defacing, or concealing records or documents made for an accounting purpose | Theft Ordinance, s. 19

Data Protection Offences

Provision | Source
--- | ---
Using personal data for direct marketing without the data subject’s consent | Personal Data (Privacy) Ordinance, s. 35C, s. 35E
Failing to inform the data subject when using their data for the first time for direct marketing | Personal Data (Privacy) Ordinance, s. 35F
Continuing to use personal data in direct marketing after the data subject has requested the data user to cease doing so | Personal Data (Privacy) Ordinance, s. 35G
Providing personal data to a third party for direct marketing without the data subject’s consent | Personal Data (Privacy) Ordinance, s. 35J, s. 35K
Failing to notify a third party using personal data for direct marketing that the data subject has requested the cessation of such usage | Personal Data (Privacy) Ordinance, s. 35L
Failure by a third party user of data in direct marketing to comply with a notice from a data user that the data subject has requested the cessation of such usage | Personal Data (Privacy) Ordinance, s. 35L
Continuing to provide personal data to a third party for direct marketing purposes contrary to the data user’s request that such usage cease | Personal Data (Privacy) Ordinance, s. 35L
Disclosing personal data without the person’s consent for financial gain, or to inflict financial loss on the person | Personal Data (Privacy) Ordinance, s. 64(1)
Disclosing personal data without the person’s consent which causes psychological harm to the person | Personal Data (Privacy) Ordinance, s. 64(2)
Breach of an enforcement notice issued by the Privacy Commissioner | Personal Data (Privacy) Ordinance, s. 50A
Obstructing, hindering, or resisting the Privacy Commissioner’s exercise of its powers, failing to comply with a requirement of the Privacy Commissioner, or knowingly misleading the Privacy Commissioner | Personal Data (Privacy) Ordinance, s. 50B
Without reasonable excuse, contravening any other provision of the Personal Data (Privacy) Ordinance | Personal Data (Privacy) Ordinance, s. 64A


Data Protection Principles

In addition, the Personal Data (Privacy) Ordinance (Cap. 486) sets out six data protection principles with which data holders must comply.

What are the defences/exceptions?

A defence in respect of breaches of the Personal Data (Privacy) Ordinance will exist where:

  • Disclosure is made to uphold the security, defence, or international relations of Hong Kong
  • Disclosure is made for the purpose of crime prevention, assessment or collection of tax, or by financial regulators to protect the public from financial loss or to maintain the stability of the financial system
  • The disclosure is necessary to avoid serious harm to someone’s physical or mental health
  • The disclosure pertains to the care and guardianship of a minor, is in the minor’s interests, and is necessary to ensure the minor’s proper care and guardianship
  • The disclosure is made in connection with legal proceedings in Hong Kong or to establish, exercise, or defend legal rights in Hong Kong
  • The disclosure is for the purpose of a due diligence exercise conducted in connection with a proposed business transaction
  • The disclosure is made under a reasonable belief that:
    • The disclosure was necessary for the purpose of preventing or detecting crime;
    • The disclosure was required or authorised by an enactment, rule of law, or court order; or
    • The data subject consented to the disclosure
  • The disclosure is for the purpose of a news activity and there are reasonable grounds to believe that the publication or broadcast is in the public interest

There are also circumstances in which a data user has no obligation to accede to a data subject’s request for disclosure of the information the data user holds about them. Examples include data held by the judiciary in the course of performing judicial functions, and data held for recreational purposes or relating solely to the management of one’s personal, family, or household affairs.

What are the penalties?

The maximum penalties vary widely between the various cybersecurity statutes depending on the nature of the offence. For example, the maximum penalty for obtaining unauthorised access to a computer is HK$25,000, whilst the maximum penalty for hacking into a bank’s computer system to falsify accounts is life imprisonment.

Civil claims

Companies must also be mindful of their potential exposure to civil claims from parties affected by damage to, disclosure or loss of data. Potential claims may be made for breach of confidence; breach of contract; or in tort for negligence.

In addition, where a breach of the Personal Data (Privacy) Ordinance is concerned, the Privacy Commissioner has the power to commence enforcement proceedings of its own volition, or to provide legal assistance (including giving legal advice and arranging for legal representation) to aggrieved persons to pursue their claims under the Ordinance against the party in breach.
