Digital business in Hong Kong: overview
A Q&A guide to digital business in Hong Kong.
The Q&A gives a high level overview of matters relating to regulations and regulatory bodies for doing business online, setting up an online business, electronic contracts and signatures, data retention requirements, security of online transactions and personal data, licensing of domain names, jurisdiction and governing law, advertising, tax, liability for content online, insurance, and proposals for reform.
To compare answers across multiple jurisdictions, visit the Digital Business Country Q&A tool.
This Q&A is part of the global guide to digital business law. For a full list of jurisdictional Q&As visit www.practicallaw.com/digital-business-guide.
There are no specific laws governing the online conduct of business activities under Hong Kong legislation; however, there are a number of laws that regulate general commercial practices in Hong Kong and are therefore relevant to online business activities. These laws include:
Trade Descriptions Ordinance (Cap. 362), which prohibits unfair practices conducted by businesses, including misleading actions or omissions, aggressive commercial practices and bait advertising.
Unconscionable Contracts Ordinance (Cap. 458), which provides consumer protection in contracts for supply of services or sale of goods that are unconscionable; these contracts are set aside, altered or partially enforced.
Consumer Goods Safety Ordinance (Cap. 456), which provides that consumer goods must comply with approved and general safety standards or specifications.
Personal Data (Privacy) Ordinance (Cap. 486), which regulates the use and processing of personal data, including online processing or collection of personal data and direct marketing activities.
Unsolicited Electronic Messages Ordinance (Cap. 593), which regulates the sending of unsolicited electronic messages for promotional or marketing purposes, including by voice, text, image or video message, fax or e-mail.
Electronic Transaction Ordinance (Cap. 553), which recognises electronic records having legal effect for the purposes of Hong Kong law and regulates the use of electronic and digital signatures.
Payment Systems and Stored Value Facilities Ordinance (Cap. 584), which regulates stored value facilities and retail payment systems that become increasingly relevant when it comes to digital and electronic payment services.
Misrepresentation Ordinance (Cap. 284), which provides for statutory remedies relating to fraudulent, negligent and innocent misrepresentation.
Ordinances in Hong Kong are generally passed by the legislature of Hong Kong (Legislative Council).
Some ordinances also authorise specific government departments to publish subsidiary regulations to give effect to provisions of the main ordinances. For example, the Secretary for Commerce and Economic Development can amend the scope of exempted persons or products under the Trade Descriptions Ordinance and can make regulations for safety standards for consumer goods under the Consumer Goods Safety Ordinance.
Setting up a business online
The first step is to consider whether to set up a local presence, for example, a Hong Kong subsidiary company or registered non-Hong Kong company.
There is no requirement under Hong Kong law that a company must first set up a presence in Hong Kong for its online business before the services and products to which the online business relates can be provided to people or businesses in Hong Kong.
If the business wants a presence in Hong Kong and sets up a Hong Kong entity, it usually takes the form of a limited liability company, which can be established by setting up a new company (takes six to eight working days) or by acquiring a shelf company for immediate use (takes three to four working days).
Specific operating permits
The next key step is to determine if the proposed online business needs specific operating permits or approvals.
An online business usually contracts with the following third parties:
Domain name registrar: a domain name registration agreement sets out the terms of a licence to use a domain name granted by the domain name registrant (see Question 24).
Website developer: a website development agreement should address the online business's requirements on the performance, functionality, security and visual design of the website, maintenance obligations, and the ownership of intellectual property rights (for example, in the design of the web pages and underlying software).
Internet service provider: website hosting agreements should address the uploading, storage, security, maintenance or support of the website, the specification of the server, and service levels or minimum availability requirements of the hosting services.
Businesses generally enter into app development agreements with software companies (app developers). Agreements should include the necessary software and content licences required to develop or distribute the app. They should also include details on the ownership of intellectual property rights in any newly created or modified content or software.
Generally, businesses distribute apps through app store providers (for example, Apple, Google and Microsoft, which are the largest app store providers and their agreements are publicly available on their websites). Businesses enter into End User Licence Agreements, which provide the terms and conditions that end users must accept in order to download and use apps. Businesses also enter into agreements with providers of third party payment services for distribution of apps and services provided by businesses to end users and customers.
Running a business online
To form a valid electronic contract, the following elements are required: offer, acceptance, consideration, and intention to create legal relations. When contracting online, business should particularly consider offer and acceptance and the incorporation of terms.
Offer and acceptance
For a business to have control over the terms of the contract, a website's terms and conditions usually state that:
By completing an online form or order, the customer is making an offer.
When the business receives the order it will communicate its acceptance of the customer's offer (for example by sending an e-mail confirmation, displaying an acknowledgement on its website, or by delivering the goods ordered).
Incorporation of terms
The terms of the contract must be sufficiently brought to the attention of the customer before the contract is made. If not, the standard terms of the business will not be successfully incorporated into the contract. In practice, the most effective way is to design the website so that the customer must scroll down to the bottom of the entire set of terms and conditions on-screen and click an "I accept" button (or similar) before he can complete the order.
Consideration and intention to create legal relations
In addition, the intention to create legal relations is normally presumed for most online contracts due to the commercial nature of these transactions.
Click-wrap, browse-wrap and shrink-wrap contracts
To the extent that any click-wrap, browse-wrap and shrink-wrap contracts have the four elements outlined above, these contracts are enforceable under Hong Kong law.
The Electronic Transaction Ordinance (ETO) provides that the ETO does not apply to certain contracts, for example, assignments of interest in land. These contracts cannot be contracted validly electronically and must be prepared and executed in the traditional paper-based manner. See Question 8.
Business-to-business (B-2-B) contracts
There are no specific statutory provisions regulating online contracting activities. Generally, therefore, businesses should comply with general contract law and all relevant statutory requirements that apply to online contracting. The ordinances that are applicable include, for example, the Electronic Transaction Ordinance, the Misrepresentation Ordinance, the Sale of Goods Ordinance (Cap. 26), the Supply of Services (Implied Terms) Ordinance (Cap. 457) and the Control of Exemption Clauses Ordinance (Cap. 71) (CECO).
Businesses supplying goods or services online must comply with the law applicable to B-2-B contracts (some of which cannot be contracted out when dealing with consumers) (see above, Business-to-business (B-2-B) contracts). They must also comply with additional consumer-specific statutory control, in particular under the Unconscionable Contracts Ordinance (UCO) and certain provisions in the CECO.
If the court regards a contract or any part of the contract as unconscionable at the time the contract was made, the court may (UCO):
Refuse to enforce the contract.
Enforce the remainder of the contract (without the unconscionable part).
Alter any unconscionable part.
When determining whether a contract or a part of it is unconscionable the court considers, among other things, the relative bargaining positions of the consumer and the business at the time when the contract was made, and whether the terms and conditions were sufficiently drawn to the consumer's attention.
Hong Kong law recognises most contracts that are formed electronically.
However, there are exceptions for certain types of contracts under Schedule 1 of the Electronic Transaction Ordinance (Cap. 553). For instance, deed or documents relating to land charges under the Conveyancing and Property Ordinance (Cap. 219) must be executed with a handwritten signature and must not be stored in electronic form.
There are no official government accreditations for websites; however, some accreditations may be of interest to website providers, for example:
e-Cert, which is a digital certificate issued by the Hong Kong Post Office and other certification authorities recognised by the Government Chief Information Officer under the Electronic Transaction Ordinance. This is for secure online identification and supporting the validity of digital signatures (see Question 12).
ISO/IEC 27001, which is the international standard for information security management that is adopted by a number of IT service providers in Hong Kong.
Remedies available for breach of an electronic contract are the same as those remedies available for breach of any other types of valid contracts, such as claiming for damages or seeking for specific performance (that is, a court order requiring a party to perform its contractual obligations).
E-signatures are recognised under Hong Kong law.
The use of electronic signatures is governed by the Electronic Transaction Ordinance (ETO).
Definition of e-signatures
An "electronic signature" is "any letters, characters, numbers or other symbols in digital form attached to or logically associated with an electronic record, and executed or adopted for the purpose of authenticating or approving the electronic record" (ETO).
The ETO also recognises "digital signatures" as a form of electronic signature. A "digital signature" is, in relation to an electronic record, "an electronic signature of the signer generated by the transformation of the electronic record using an asymmetric cryptosystem and a hash function such that a person having the initial untransformed electronic record and the signer's public key can determine" (ETO). This applies both in transformations generated by a private key corresponding to the signer's public key and where the initial electronic record was changed after the transformation was generated (ETO).
Application of electronic signatures and digital signatures
For transactions where all parties are non-governmental entities, signatories can agree to use electronic signatures or digital signatures.
For transactions that involve government entities, signatories must use digital signatures (supported by a recognised certificate issued by a certification authority).
Requirements of a valid electronic signature
An electronic signature is valid where (ETO):
The signatory attaches or associates the electronic signature with an electronic record for the purpose of identification and indicating the authentication or approval of the information in the electronic record.
Any method used by the signatory is reliable, and is appropriate, for the purpose for which the information contained in the document is communicated.
The person to whom the signature is given consents to the use of such method.
Hong Kong law recognises electronic signatures for the purpose of most contracts. However, there are certain exceptions that require handwritten signatures under Schedule 1 of the Electronic Transaction Ordinance, such as: testamentary documents, certain trust documentation, documents concerning land and property transactions, and powers of attorney.
Implications of running a business online
Cyber security/privacy protection/data protection
The collection or use of personal data is regulated by the Personal Data (Privacy) Ordinance (PDPO). The PDPO applies to data users in both the public and private sectors. A "data user" is a person who, "either alone or jointly or in common with other persons, controls the collection, holding, processing or use of the data" (PDPO).
The Personal Data (Privacy) Ordinance (PDPO) regulates "personal data", which means any data relating directly or indirectly to a living individual. It must be possible that the individual's identity can be directly or indirectly ascertained from the data. The data must also be in a form that makes access to or processing of the data practicable.
For activities conducted by online businesses, "personal data" (for PDPO purposes) is likely to be either:
Information held or intended to be held in a computerised system.
Information held in non-automated records that are structured in a way that enables access to information relating to living individuals.
The Personal Data (Privacy) Ordinance (PDPO) prohibits the collection and use of personal data unless proper notification is given to the individual. Notification includes the purpose of processing, classes of persons to whom data is transferred, and whether it is obligatory or voluntary for the person to supply the data. Personal data must be collected by lawful and fair means, for a purpose directly related to a function or activity of the data user, and the data collected should be necessary and not excessive (PDPO).
There are no specific limitations on the storage of personal data in the cloud under the PDPO. However, if businesses engage data processors to undertake data processing (which could cover cloud storage), they must ensure that the data processors comply with certain obligations (for example, not to keep personal data longer than necessary and to prevent unauthorised access or loss) (PDPO).
Online businesses relating to or concerning a sector or an industry that is subject to additional regulatory control on outsourcing (for example, insurance and banking), and that engage cloud service providers for storage purposes, trigger additional regulatory requirements: including, for example, the requirement that the cloud storage arrangement is vetted by the relevant regulator.
In the context of safeguarding the security of the personal data collected and used by the contracting companies and internet providers, Data Protection Principle 4 of the Personal Data (Privacy) Ordinance requires that data users must take all practicable steps to ensure that personal data is protected against unauthorised or accidental access, processing, erasure, loss or use. Businesses must ensure that measures providing an appropriate level of security are applied to internet transactions that involve the transmission of personal data.
If traders accept card payments from customers, it is likely that they will be required to ensure that their systems comply with generally accepted industry standards on data security. This is because a number of payment card scheme operators are subject to the Code of Practice for Payment Card Scheme Operators, a self-regulated compliance code monitored by the Hong Kong Monetary Authority, which requires the operations of payment card scheme operators to comply with industry accepted security standards.
Encryption is a common (but not mandatory) security measure used to protect personal data for the purposes of complying with Data Protection Principle 4 of the Personal Data (Privacy) Ordinance (PDPO). The Privacy Commissioner (enforcement body of the PDPO) recommended the use of encryption for electronic data for security purposes. The commissioner indicated that security measures must be proportionate to the degree of sensitivity and likely harm caused by the loss or unauthorised access of personal data.
The use of encryption is not prohibited in Hong Kong. However, the Import and Export Ordinance (Cap. 60) and the Import and Export (Strategic Commodities) Regulations (Cap. 60G)regulate the import and export of certain types of encryption software.
A number of public authorities and regulators have powers to access or compel disclosure of information, for example:
Section 43 of the Personal Data (Privacy) Ordinance provides that the Privacy Commissioner can be provided with any information or document from persons as he thinks fit for the purposes of any investigation.
The Inland Revenue Department can request information on any employee from an employer (for example, place of residence or full amount of remuneration) under section 52(2) of the Inland Revenue Ordinance (Cap. 112).
Under the Interception of Communications and Surveillance Ordinance (Cap. 589), the Customs and Excise Department, Hong Kong Police Force and the Independent Commission Against Corruption can apply for a prescribed authorisation from a panel of judges, in order to intercept any communications in a telecommunications system for the purposes of preventing crime or protecting public security.
The provision of payment services operated by banks, deposit-taking companies and payment card scheme operators and retail payment systems operators are subject to a number of regulations, including the framework provided under:
Banking Ordinance (Cap. 155).
Code of Banking Practice issued jointly by the Hong Kong Association of Banks and the Hong Kong Association of Restricted Licence Banks and Deposit-Taking Companies, and endorsed by the Hong Kong Monetary Authority (a non-statutory voluntary code).
Code of Practice for Payment Card Scheme Operators (see Question 18).
Payment Systems and Stored Value Facilities Ordinance.
In addition, if personal data is used for verification purposes or involved in the course of electronic payment, the website or the electronic payment operator must comply with the relevant security requirements under the Personal Data (Privacy) Ordinance.
There is no specific or express rule regulating websites which are aimed at children in Hong Kong. Under Hong Kong law, a person under the age of 18 is a minor, and there are certain limitations on the enforceability of contracts entered into with minors. General contract law will be relevant in determining if the contract is enforceable (see Question 7). A contract (for example, the website terms and conditions) entered into online with a minor will be enforceable only if the contract relates to "necessaries".
In relation to the personal data of a minor, and where consent is required in connection with the personal data (for example, the personal data is going to be used for a new purpose), and the minor is incapable of understanding the new purpose, the consent can only be given on the minor's behalf by a person having parental responsibility for that minor and if that person considers that it is in the minor's interest to permit such new use.
Linking, framing, caching, spidering and the use of metatags are subject to limitations set out by the general protection of intellectual property rights under Hong Kong law.
If the link circumvents any subscription, pay or other barriers imposed by the original content owner, providing the link may not be permissible if the linking constitutes a breach of a third party's exclusive rights under applicable intellectual property rights' law. Whether an infringement occurs depends on the material used and the use made of it.
In addition, if information is extracted from a third party's website, it is also necessary to ensure that the use is not in breach of the terms and conditions of that website.
There are no specific regulations on licensing of domain names under Hong Kong law.
General contract law principles therefore apply to regulate the relationship between the registrant of the domain name and the business for the use of a domain name.
If a domain name also includes a trade mark owned by the registrant, the licensing of the domain name (under the domain name registration agreement) must include the right to use a trade mark. Under the Trade Marks Ordinance (Cap. 559), the licence must be in writing and signed by the licensor (trade mark owner).
Any person can register a ".hk" domain; there is no residence requirement.
Domain names themselves do not confer any additional legal rights under Hong Kong law. However, certain common law rights can be developed through usage. A domain name can also be capable of being protected as a registered trade mark under Hong Kong law.
Registered trade mark
A registered trade mark must be registered in the Trade Marks Registry of the Hong Kong Intellectual Property Department for it to become a trade mark. It is possible to register domain names as trade marks if they meet the requirements for registration (and consequently the registered trade mark can also be subject to invalidation or revocation).
The use of a domain name may give rise to unregistered trade mark rights for the owner and user of the domain name if, over time, it acquires the attributes of a trade mark (that is, it distinguishes the goods or services of one undertaking from those of another undertaking). Use of a domain name by a business may give rise to unregistered trade mark rights and a business may establish a reputation in the domain name. If so, and a third party misrepresents a connection or affiliation with that domain name and as a result causes or is likely to cause damage to the business, that third party may be liable for committing an act of passing off.
Any company name identical to an existing company, or appearing on the Companies Registry's index of company names, must not be used to incorporate a Hong Kong limited liability company. A company name can be in English, Chinese or both. Businesses should search the register at the Companies Registry to ensure the proposed name of the company is not the same as, or similar to, a name that is already in use. The company name must also include the appropriate ending (for example, "Limited" or the equivalent Chinese characters). Company names (and changes to them) must be recorded at the Companies Registry as part of the company registration process.
Company names that imply a connection with the Hong Kong Government or the Central People's Government or a body of either government, or contain certain words and expressions prescribed by the Financial Secretary (for example, chamber of commerce, savings, trust or trustee), must be approved by the Companies Registry.
Jurisdiction and governing law
There are no differences between the rules that apply to internet transactions and for other disputes. The set of rules used to determine the jurisdiction in Hong Kong is based on common law principles.
Generally, methods of establishing jurisdiction are either:
The defendant submitting to the jurisdiction of the Hong Kong court.
Correct service of process within or outside the jurisdiction (for example, a writ or originating summons).
Even if a defendant is effectively served, the defendant can seek to challenge the court's jurisdiction by demonstrating that there is a more appropriate forum.
Businesses can generally agree the jurisdiction between themselves with a jurisdiction clause in the contract. However, specific rules (or exceptions to the above general principles) may apply in non-contractual disputes such as defamation or in cases concerning foreign intellectual property rights.
The general principles of Hong Kong law provide that the parties to an agreement are free to choose the law that governs that agreement, which is then the proper law of the contract.
Notwithstanding the choice of law, certain specific mandatory rules of the laws of Hong Kong may continue to apply, in particular statutory restrictions that apply to the parties' choice of law in a consumer contract (see for example section 17(2) of Control of Exemption Clauses Ordinance and section 7(2) of Unconscionable Contracts Ordinance).
If the parties did not choose a governing law, Hong Kong law provides that the law with which the contract has the closest connection should apply (factors to be considered can include the location of the subject matter or place of intended performance of the contract).
For non-contractual disputes relating to actions for torts in a Hong Kong court, the subject matter needs to be actionable under both Hong Kong law and the law of the place where the act was committed. However, this is subject to a number of exceptions; for example, a particular issue of the subject matter may be governed by the law of the place that has the most significant relationship with the occurrence and the parties.
There are no specific dispute resolution services offered to online traders and customers in Hong Kong. However, there are some dispute resolution options offered to certain aspects of electronic transactions and online business, for example:
The Hong Kong International Arbitration Centre (HKIAC) formulated the HKIAC Electronic Transaction Arbitration Rules for disputes arising from electronic transactions.
HKIAC offers online dispute resolution services for domain names, and administers dispute resolution proceedings for registrar transfers of domain names, internet keywords and wireless keywords.
There is no single comprehensive legislation or regulation governing advertising activities in Hong Kong. Both online and offline advertising activities are generally regulated through the Trade Descriptions Ordinance (TDO) (to the extent any advertisement constitutes a trade description of any goods or services) and a number of specific laws that govern advertising of regulated products and services.
For example, the TDO prohibits online advertisements that contain any of the following:
A false or misleading trade description of the goods or services (for example, quantity, composition, availability, price or place of origin).
A misleading omission (for example where material information such as main characteristics of the product, price, identity of the trader, payment or delivery arrangements or the existence of any withdrawal or cancellation right is hidden or omitted).
Bait advertising (for example, advertising at a specified price and fails to supply at such price for a reasonable period and quantities).
In addition, the advertisements of certain regulated products or services are subject to specific regulations, such as:
Public Health and Municipal Services Ordinance (Cap. 132), which requires that advertisements must not falsely describe or mislead any food or drug, or its nature or quality.
Food and Drugs (Composition and Labelling) Regulations (Cap. 132W), which requires that any nutrition claims of pre-packaged food in an advertisement must comply with the prescribed requirements on nutrient content, nutrient comparison and nutrient function.
Undesirable Medical Advertisement Ordinance (Cap. 231), which prohibits advertisements relating to certain diseases and abortion.
Advertisements of financial services and products may be subject to specific regulations under the Securities and Futures Ordinance (Cap. 571) and codes of conduct or guidelines issued by the Securities and Futures Commission (SFC). For example, if an advertisement contains an invitation to enter into certain subscription or investment agreements or a collective investment scheme, it must be authorised by the SFC. A licensed or registered person must ensure that no false, disparaging or misleading information is contained in any advertisements (see Question 31).
On a self-regulated basis, the Association of Accredited Advertising Agencies of Hong Kong enforces a non-statutory code of practice against advertising agencies who are members of the association. Generally, the code of practice requires any advertisement to be legal, decent, honest and truthful.
Generally, there is no distinction between the treatment for online or offline activities for the selling and advertising of products or services, as they are subject to the same regulatory approach (see Question 30).
Any business conducting online regulated financial services and issuing related advertisements must comply with the relevant regulatory requirements under the Securities and Futures Ordinance or guidance issued by the Securities and Futures Commission. For example, specific risk management and security controls are imposed on internet trading activities, and the provision of financial information may also trigger licensing or registration requirements.
The Unsolicited Electronic Messages Ordinance (UEMO) is the main legislation in Hong Kong that regulates text messages or spam e-mails. The UEMO sets out a number of statutory requirements that must be complied with if commercial electronic messages are to be sent out; for example, the information must be accurate and the recipient of the message must be able to unsubscribe. The UEMO also prohibits, among other things, the sending of unsolicited marketing and promotional e-mails or text messages to subscribers on the do-not-call registers kept by the Communications Authority, unless the recipients gave consent to receive the messages. A number of exemptions are however available under the UEMO. In particular, businesses can, without consent from the recipients, send messages such as invoices or receipts to confirm or facilitate a transaction, or deliver goods or services for a transaction, that the recipients previously agreed to enter into.
The Personal Data (Privacy) Ordinance (PDPO) also regulates the sending of text messages or spam e-mails if the messages involve the use of personal data in direct marketing. Among other PDPO provisions on direct marketing activities, section 35G of the PDPO confers an absolute right to an individual to object to the use of his personal data for direct marketing purposes. The business or trader must stop using the personal data when they receive notification. Generally, the Privacy Commissioner takes the view that the direct marketing provisions under the PDPO do not apply to the use of personal data for direct marketing activities targeted at a corporation (that is, if the personal data is collected from individuals in their official capacity and the product or service is clearly meant for exclusive corporate use).
In addition, organisations that collect personal data must inform affected individuals on the intended use of that data (PDPO). The PDPO also prohibits the use of collected personal data for purposes that are incompatible with the purposes for which the data were originally collected.
There are no specific language requirements for websites targeting Hong Kong. However, section 6 of the Unconscionable Contracts Ordinance states that one of the factors to be considered when the court decides whether the contract or any provision was unenforceable is whether the consumer was able to understand the contract or relevant provisions. Accordingly, businesses may want to avoid such risk by presenting the contract either in Chinese or English to a Hong Kong-based consumer.
Hong Kong adopts a territorial source principle of taxation. Profits tax is only charged on profits that arise in or are derived from Hong Kong. Accordingly, whether sales concluded online will be subject to Hong Kong taxation will depend on whether profits derived from the sales can be regarded as arising in or deriving from Hong Kong.
Profit tax is chargeable for each year of assessment for corporations (16.5%) and unincorporated businesses (15%), subject to the following three conditions under section 14 of the Inland Revenue Ordinance:
The person concerned must carry on a trade, profession or business in Hong Kong. This is a question of fact and degree that can only be determined on a case-by-case basis. Various factors such as the nature of the contracts concluded in a jurisdiction, the place where the goods are stored and delivered (or in case of service, the place where the services are provided) are taken into account when determining this.
The profits to be charged must come from the trade, profession or business carried on by the person in Hong Kong. When determining whether a non-resident is carrying on a business or trade in Hong Kong, the concept of permanent establishment is assessed. Permanent establishment implies the presence of a physical place and personnel. If the business owned or leased the server on which its website was hosted, the business has a physical presence at the server's location. The business may or may not require any of its staff to be present at that location to operate the equipment. Apart from that, the nature of the functions carried out by the business in the location is also relevant. The business of web hosting, for example, conducted by an internet service provider in Hong Kong is regarded as a core function of its business, whereas a typical retailer selling books over the internet in Hong Kong, for example, is not considered in the business of operating servers and are not subject to Hong Kong profits tax if the business only operates the server in Hong Kong and the business of selling books is carried outside Hong Kong.
The profits must be profits arising in or derived from Hong Kong. This is a matter of fact and is determined by establishing the taxpayer's operations that produced the relevant profits and where those operations took place. The distinction between Hong Kong profits and offshore profits is made by reference to gross profits arising from individual transactions. Generally, the profits where a taxpayer with a principal place of business earned in Hong Kong are chargeable to profits tax.
Protecting an online business
Liability for content online
A mix of statutes and common law govern liability for website content.
Some key potential areas of liability for online traders are:
If a trader fails to comply with certain regulatory requirements imposed by the public enforcement authority (for example, to cease in any unfair trading act or false description of the goods or services under the Trade Descriptions Ordinance), the authority can obtain an injunction to order the trader not to continue, repeat or engage in the contravening conduct.
If the trader uses third party content online without obtaining the relevant rights, it can be exposed to claims of trade mark or copyright infringement. It is often assumed that content that is made available online (particularly on social media) can be freely used, but this is not the case and use without the correct permission will be copyright infringement.
Under Hong Kong law, where content published on a website is defamatory, the victim may be able to obtain damages or an injunction (or both) requiring removal of the offending content from the website.
There are several statutory offences that can potentially be committed through the publication of online content. For example, the publication of obscene material can be an offence under the Control of Obscene and Indecent Articles Ordinance (Cap. 390). Criminal liability may also be incurred under the Personal Data (Privacy) Ordinance where, for example, a website operator published personal data of an individual online, without the consent of the data user (that is, the person from whom the personal data was obtained by the website operator), and with the intent to obtain gain or cause loss of money or other property, or cause psychological harm to the individual.
A company must state its registered name in legible characters and its liability status on its website (Companies (Disclosure of Company name and Liability Status) Regulation (Cap. 622B)).
If the website can collect personal data, a personal information collection statement must be included in order to satisfy the notification requirement under the Personal Data (Privacy) Ordinance. See Question 16.
A website operator is liable for unlawful content displayed on its website unless it can rely on a defence. For example, under the Trade Descriptions Ordinance (TDO) it is a defence for a TDO offence if the contravening person can prove that both (section 26, TDO):
The commission of the offence was due to a mistake or reliance on information supplied to him or the act or default of another.
The person took all reasonable precautions and exercised all due diligence to avoid the commission.
For online businesses involving the publication of third party content, both the author of the content and the website operator can be liable, depending on the wrongdoing alleged.
Accordingly, it is good practice for a trader to include disclaimers on the accuracy and availability of content on its website to limit the expectations of users and limit potential liability if the trader ---displayed content by mistake. However, this may not be sufficient if the trader is unable to establish it took due care.
Some traders may include a term on their websites to provide for their right to cancel a contract based on mistaken information presented on the website. However, there is a risk that the term may be held unenforceable against a consumer under the Unconscionable Contracts Ordinance (see Question 7).
Under the Copyright (Amendment) Bill 2014 (Amendment Bill), a new statutory defence is available to online service providers (that is, any person providing or operating facilities for online services through electronic equipment or a network). The defence provides that a service provider is not liable for copyright infringement provided that it has taken reasonable steps to limit or stop the infringement as soon as it became aware of the infringement or any related facts leading to the infringement (that is, a notice and takedown arrangement). The Amendment Bill is not yet in force; however, it is expected that the service providers may seek to rely on this defence when the Amendment Bill takes effect.
Most ISPs reserve their contractual rights to suspend their services in order to taken down infringing websites, content or links.
Currently, Hong Kong does not have any statutory protection for ISPs for copyright or trade mark infringements. However, the Copyright (Amendment) Bill 2014 will provide statutory defences to protect ISPs from liabilities for copyright infringement. To rely on these defences, the ISPs will need to take reasonable steps to limit or stop the infringement once they receive notice of or have knowledge of the infringement. These steps include setting up a notice and counter notice, and takedown system.
There are no similar statutory defences for ISPs in relation to trade mark infringement.
For other liabilities, for example, defamation, which arise due to third party content, taking those actions may mean that an ISP can rely on an applicable defence.
Hong Kong statutory law currently does not contain any express provision giving Hong Kong courts the right to grant an injunction against a service provider, where that service provider has actual knowledge of another person using their service to infringe copyright. In addition, the Copyright Ordinance (Cap. 528) expressly provides that the mere provision of physical facilities for enabling the making available of copies of works to the public does not of itself constitute an act of making available copies of works to the public (which is a right a copyright holder has). In the absence of any statutory provision or established case law, such an injunction may not be easy to obtain.
Liability for products/services supplied online
In Hong Kong, law applicable to the sale and supply of products and services offline is also applicable when they are sold or provided online. Accordingly, an online auction site could be liable for auctioning counterfeit goods on the same basis if the same counterfeit goods are auctioned offline.
Websites that provide services by aggregating online content or information from other websites using tools such as web crawlers, scrapers, spiders or other automated tools should also be aware that such operations will attract potential civil and criminal liability, including:
Potentially infringing the copyright of such websites.
Violating section 27A of the Telecommunications Ordinance (Cap. 106), which provides that a person commits a criminal offence if he knowingly causes a computer to perform any function to obtain unauthorised access to any program or data held in a computer.
For the most part, online business require the same sort of insurance as other businesses require in the relevant industry sector within which they operate. In addition, online businesses should consider specific insurance policies covering the risks related to data privacy and network security in the event of a data leakage or security breach.
The first reading of the Copyright (Amendment) Bill 2014 (Amendment Bill) was completed in June 2014. It is currently subject to further readings and debate scheduled in the 2015 to 2016 legislative session. In addition to the statutory defences available to online service providers (see Questions 38 and 39), the Amendment Bill seeks to introduce new statutory exceptions to copyright infringement, including fair dealing with a work for the purposes of parody or satire.
The regulation of transfer of personal data outside of Hong Kong under section 33 of the Personal Data (Privacy) Ordinance is not yet in effect. There has been recent discussion on its proposed enactment; however, it remains to be seen whether there is any concrete time frame for the government to put forward section 33 for legislative approval.
Description. The official online resource of Hong Kong legislation.
Description. The official website for the Office of Privacy Commissioner for Personal Data, including notes on the Personal Data (Privacy) Ordinance and related guidance, codes of practice and information leaflets.
Description. Government website on electronic authentication and recognised digital certificates.
Bird & Bird
Professional qualifications. England and Wales, Solicitor; Hong Kong, Solicitor
Areas of practice. Technology; media and telecommunications; intellectual property; commercial; data protection; corporate law.
Bird & Bird
Professional qualifications. England and Wales, Solicitor; Hong Kong, Solicitor
Areas of practice. Technology; media and telecommunications; commercial; data protection; competition; corporate law.