Hong Kong protestors “in breach of data privacy law”
24 July 2019
Revealing officials’ personal data in protest against the proposed “Extradition Bill” was a breach of the Personal Data (Privacy) Ordinance.
Background
During the protests in Hong Kong against the now shelved “Extradition Bill”, protestors allegedly displayed the personal data of police officers, government officials and legislators in public places around Hong Kong and on social media as a tactic to cause embarrassment to the supporters of the bill.
In response to this, the Hong Kong Privacy Commissioner for Personal Data (the “PCPD”) issued two public statements on 11 and 19 July 2019 dealing with the legal implications of this use of other people’s personal data.
The law
If personal data is collected and disclosed for the purpose of bullying, incitement and intimidation, it will be illegal because it contravenes the data protection principles set out in the Personal Data (Privacy) Ordinance (“PDPO”), as well as other relevant laws. The PCPD may serve an enforcement notice to direct a data user to remedy the contravention. If the data user fails to remedy the contravention, this would constitute an offence and could result in a maximum fine of HK$50,000 and imprisonment for 2 years.
In addition, a person may commit an offence under section 64(2) of the PDPO if he or she discloses a data subject’s personal data without the latter’s consent and the disclosure causes the data subject psychological harm. The offence may attract a maximum fine of HK$1,000,000 and imprisonment for 5 years. In such circumstances, criminal investigations will be carried out by the police and the Department of Justice will decide whether to prosecute.
Implications
Hong Kong’s data privacy laws may not be as developed as those in Europe and other jurisdictions but they can certainly pack a punch when contravened. And parts of the PDPO impose strict liability, for example, there is no need to prove any intention of the data user when considering an offence under section 64(2) of the PDPO. Employers should ensure they have data privacy policies in place which set out how they will use employee data. They should also warn employees against misusing (by unauthorised disclosure or otherwise and whether or not on social media) any personal data of colleagues and clients they come across in their work.
Related items
Related services
Asia Pacific (APAC) 亞太區
We have been operating in the Asia Pacific for many years, working with our clients as they expand and develop their businesses in the region, and as they seek to do business in Europe and the UK.