5 things you need to know about Hong Kong personal data protection in 2016


On 24th January 2017, Mr. Stephen Kai-yi Wong, the Privacy Commissioner for Personal Data (the “PCPD”) provided an overview of the PCPD’s work and personal data protection trends in 2016. Below is all you need to know about last year’s figures, notable cases and hottest issues.

1.  Less complaints means better compliance in the market?

In 2016, the PCPD received 1,838 complaints. That represents a 7% decrease from the 1,971 complaints they received in 2015. The private sector continues to receive the most complaints (73% – 1,335 cases), while individuals received 332 complaints (18%) and the public sector and government departments received 171 complaints (9%). The increasing corporate and social awareness of personal data privacy is certainly one of the main contributory factors in reducing the complaint numbers.

2. Does your industry practise attract more complaints?

Among the private sector, the financial industry received the most complaints in 2016 (389 cases). The property management sector came second with 264 cases and followed by the telecommunications industry with 71 cases. These industries should pay particular attention in (i) avoiding using the personal data without the consent of data subjects, and (ii) ensuring the personal data is collected in a lawful and fair manner for purposes that are directly related to the companies’ business function, as these two grounds alone add up to 82% of the total complaints made in 2016.

3. Direct Marketing remains the biggest personal data protection problem

In 2016, the PCPD received a total of 393 complaints related to direct marking. This represents a substantial increase of 22% comparing to the 322 complaints received in 2015. Moreover, out of the 112 cases the PCPD referred to the Police for criminal investigations and prosecutions in 2016, 109 of them were related to contraventions involving the use of personal data in direct marketing. There were in total 3 convictions in relation to direct marketing in 2016. While an insurance agent was handed a community service order of 80 hours, a marketing company and a watch company was each fined HK$ 8,000 for each charge and both fined for a total of HK$ 16,000. Even though the number of general personal data protection complaints show encouraging signs of improvements, there is still a lot of work to do to promote good direct marketing practises.

4. CCTVs, webcams and drones bring convenience but also privacy problems  

The PCPD took great notice of the increasing use of CCTVs for commercial and residential premises. While CCTVs do address certain security problems (e.g. theft, domestic violence, personal injury cases etc.), they also give rise to various personal data protection issues, for example what are the appropriate places for CCTV installation, how long should the videos be kept for and how do you obtain the data subject’s consent.

Most notably, there was a well-known case last year reported to the PCPD where a taxi driver posted on a social media website a photo of a passenger breastfeeding her baby taken by the CCTV installed in the taxi. While that case drew much public controversy, the PCPD could not start an investigation since the mum’s identity could not be ascertained.

Drones and webcams are also very popular, and in 2016, the PCPD handled a special case where an artist staged an exhibition in London which featured images captured from unsecure webcams in Hong Kong. The PCPD reported the incident to the Information Commissioner’s Office in the UK for follow up, and the artist eventually agreed to blur the faces of the people in the webcam images and ceased selling prints of those images.

5. Smart personal devices becoming too smart and personal?

One of the key challenges that the PCPD are facing is the full integration of smart devices into our lives. Mobile applications are collecting more in-depth personal data, and the amusement and convenience that they bring become more and more irresistible. While the common advice to the users is to read the terms and conditions carefully before installing the applications, the reality is that they are usually lengthy and hard to understand, and more importantly, the users are more willing to pay the price of losing their privacy than being left out by peers for not installing these mobile applications.

The best example in 2016 is the Pokémon-Go fever. Even though the location-based augmented reality game collects a great deal of highly sensitive personal data by requiring the players to activate their location and camera function, it was apparent that the public took little notice or interest in this issue, and went ahead with installing and participating in the hugely popular game.

From a privacy point of view, this is just the tip of the iceberg, and we expect a lot more controversial and huge scale personal data collection from different mobile applications in the future as we enter the “Big Data” and “Internet of Things” era.

Authors:   Alan Chiu, Managing Partner (

                  James Choi, Associate (

Date:        1 February, 2017

© Ella Cheong & Alan Chiu, Solicitors & Notaries 2017. All rights reserved.