Disclosing personal data in Hong Kong without data subjects' consent

• Published in: International data privacy law Vol. 4; no. 3; pp. 235 - 242
• Main Author: Churk, S. S.
• Format: Journal Article
• Language: English
• Published: Oxford Oxford Publishing Limited (England) 01.08.2014
• Subjects: Consent; Consumer protection; Data mining; Enforcement; International law; Personal information; Principles; Privacy; Right of privacy; Scandals; Students; Studies; Hong Kong China; China
• ISSN: 2044-3994; 2044-4001
• DOI: 10.1093/idpl/ipu006

This paper evaluates the effectiveness of Hong Kong's Personal Data (Privacy) Ordinance (Cap 486) in protecting personal data from being disclosed without the consent of the data subject. Following a scandal involving a large-scale sale of customers personal data by a cash card company, which suffered no legal consequences because their action constituted no criminal offence at that time, the Ordinance was amended in 2012 and disclosing personal data obtained from a data user without the data users consent was made an offence under the new s64. Before the introduction of s64, the disclosure of personal data was only regulated under Data Protection Principle 3 of the Ordinance (which is still in operation today) as a form of use of personal data. The rest of this paper will be an analysis of s64 and Data Protection Principle 3. The second section introduces Hong Kong's legal regime governing the disclosure of personal data. The next section argues that s64 is too poorly drafted and full of loopholes to be of any practical effect. As a result, at the time of writing the disclosure of personal data continues to be governed primarily by Data Protection Principle 3, the violation of which is not itself an offence. Although the Ordinance is not effective in criminalizing disclosure of data, the final section of the paper proposes that Data Protection Principle 3, when properly applied, may provide a certain degree of protection for personal data.