Cybersecurity and Data Protection Overview – Hong Kong
What is the governing legislation?
- Crimes Ordinance (Cap. 200)
- Personal Data (Privacy) Ordinance (Cap. 486)
- Telecommunications Ordinance (Cap. 106)
- Theft Ordinance (Cap. 210)
Financial institutions should also be aware of cybersecurity guidance and regulations that are issued by the relevant regulatory authorities from time to time. These include:
- HKMA Circular – Cyber Security Risk Management (15 September 2015)
- SFC – Circular to all Licensed Corporations on Cybersecurity (23 March 2016)
What are the offences?
| Offence | Provision |
|---|---|
| Obtaining unauthorised access to a computer by telecommunications | Telecommunications Ordinance, s. 27A |
| Misusing a computer, including causing it to function other than it ought to, altering or removing data, or adding any program or data | Crimes Ordinance, ss. 59 and 60; Theft Ordinance, s. 11 |
| Falsifying bank records or effecting an unauthorised transfer of any deposit or stock by hacking | Crimes Ordinance, s. 85 |
| Using a computer with criminal or dishonest intent | Crimes Ordinance, s. 161 |
| Falsifying, destroying, defacing, or concealing records or documents made for an accounting purpose | Theft Ordinance, s. 19 |
Data Protection Offences
| Offence | Provision |
|---|---|
| Using personal data for direct marketing without the data subject’s consent | Personal Data (Privacy) Ordinance, s. 35C, s. 35E |
| Failing to inform the data subject when using their data for the first time for direct marketing | Personal Data (Privacy) Ordinance, s. 35F |
| Continuing to use personal data in direct marketing after the data subject has requested the data user to cease doing so | Personal Data (Privacy) Ordinance, s. 35G |
| Providing personal data to a third party for direct marketing without the data subject’s consent | Personal Data (Privacy) Ordinance, s. 35J, s. 35K |
| Failing to notify a third party using personal data for direct marketing that the data subject has requested the cessation of such usage | Personal Data (Privacy) Ordinance, s. 35L |
| Failure by a third party user of data in direct marketing to comply with a notice from a data user that the data subject has requested the cessation of such usage | Personal Data (Privacy) Ordinance, s. 35L |
| Continuing to provide personal data to a third party for direct marketing purposes contrary to the data user’s request that such usage cease | Personal Data (Privacy) Ordinance, s. 35L |
| Disclosing personal data without the person’s consent for financial gain, or to inflict financial loss on the person | Personal Data (Privacy) Ordinance, s. 64(1) |
| Disclosing personal data without the person’s consent which causes psychological harm to the person | Personal Data (Privacy) Ordinance, s. 64(2) |
| Breach of an enforcement notice issued by the Privacy Commissioner | Personal Data (Privacy) Ordinance, s. 50A |
| Obstructing, hindering, or resisting the Privacy Commissioner’s exercise of its powers, failing to comply with a requirement of the Privacy Commissioner, or knowingly misleading the Privacy Commissioner | Personal Data (Privacy) Ordinance, s. 50B |
| Without reasonable excuse, contravening any other provision of the Personal Data (Privacy) Ordinance | Personal Data (Privacy) Ordinance, s. 64A |
Data Protection Principles
What are the defences/exceptions?
A defence in respect of breaches of the Personal Data (Privacy) Ordinance will exist where:
- Disclosure is made to uphold the security, defence, or international relations of Hong Kong
- Disclosure is made for the purpose of crime prevention, assessment or collection of tax, or by financial regulators to protect the public from financial loss or to maintain the stability of the financial system
- The disclosure is necessary to avoid serious harm to someone’s physical or mental health
- The disclosure pertains to the care and guardianship of a minor, is in the minor’s interests, and is necessary to ensure the minor’s proper care and guardianship
- The disclosure is made in connection with legal proceedings in Hong Kong or to establish, exercise, or defend legal rights in Hong Kong
- The disclosure is for the purpose of a due diligence exercise conducted in connection with a proposed business transaction
- The disclosure is made under a reasonable belief that:
  - The disclosure was necessary for the purpose of preventing or detecting crime;
  - The disclosure was required or authorised by an enactment, rule of law, or court order; or
  - The data subject consented to the disclosure
- The disclosure is for the purpose of a news activity and there are reasonable grounds to believe that the publication or broadcast is in the public interest
There are also circumstances where a data user has no obligation to accede to the request of a data subject for disclosure of information which the data user holds about the data subject. Examples include data held by the judiciary in the course of performing judicial functions, and data held for recreational purposes or related solely to the management of one’s personal, family, or household affairs.
What are the penalties?
The maximum penalties vary widely between the various cybersecurity statutes depending on the nature of the offence. For example, the maximum penalty for obtaining unauthorised access to a computer is HK$25,000, whilst the maximum penalty for hacking into a bank’s computer system to falsify accounts is life imprisonment.
Companies must also be mindful of their potential exposure to civil claims from parties affected by damage to, disclosure or loss of data. Potential claims may be made for breach of confidence; breach of contract; or in tort for negligence.
In addition, where a breach of the Personal Data (Privacy) Ordinance is concerned, the Privacy Commissioner has the power to commence enforcement proceedings of its own volition, or to provide legal assistance (including giving legal advice and arranging for legal representation) to aggrieved persons to pursue their claims under the Ordinance against a party in breach thereof.