Data protection in Hong Kong: overview

A Q&A guide to data protection in Hong Kong.

This Q&A guide gives a high-level overview of data protection rules and principles, including obligations on the data controller and the consent of data subjects; rights to access personal data or object to its collection; and security requirements. It also covers cookies and spam; data processing by third parties; and the international transfer of data. This article also details the national regulator; its enforcement powers; and sanctions and remedies.

This article is part of the global guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-guide.

Contents

Regulation

Legislation

1. What national laws regulate the collection and use of personal data?

General laws

In Hong Kong, the main legislation on data protection is the Personal Data (Privacy) Ordinance (Cap. 486 of the Laws of Hong Kong) (Ordinance). The Ordinance regulates the collection, use and handling of personal data and is based around a set of data protection principles. The Ordinance was enacted in 1996 in response to Directive 95/46/EC (Data Protection Directive). The Ordinance covers much of the same ground as the Data Protection Directive, although with some significant limitations. The Ordinance underwent major reform in 2012, primarily to add specific provisions and restrictions against the use and provision of personal data in direct marketing.

Sectoral laws

Hong Kong does not have any specific data protection laws for particular industry sectors, although many industry associations have guidelines and rules about the applicability of the Ordinance.

 

Scope of legislation

2. To whom do the laws apply?

The Personal Data (Privacy) Ordinance (Cap. 486 of the Laws of Hong Kong) (Ordinance) regulates the collection, use and handling of personal data by data users. The Ordinance defines a data user as a person who, either alone, jointly or in common with other persons, controls the collection, holding, processing or use of personal data.

The definition of a data user includes all legal entities, including corporations, partnerships and trusts, and both private and public sector organisations. The definition only covers a person who controls the collection, holding, processing or use of personal data. It does not include a person who collects, holds, processes or uses personal data solely as instructed by a third party.

 
3. What data is regulated?

The Personal Data (Privacy) Ordinance (Cap. 486 of the Laws of Hong Kong) (Ordinance) regulates personal data and defines it as any data:

  • Relating directly or indirectly to a living individual (data subject).

  • From which it is practicable for the identity of the data subject to be directly or indirectly ascertained.

  • In a form in which access to or processing of the data is practical.

This is very similar to the definition of personal data in Directive 95/46/EC (Data Protection Directive) and many other national privacy laws. One significant difference is that the Ordinance does not protect information concerning a deceased individual.

Common examples of personal data may include a data subject's:

  • Name.

  • Identity card number.

  • Contact details.

However, the definition also includes practically any information about the data subject's behaviour, preferences or activities which are stored with or can be cross-referenced to the data subject's identity. It may include both fact and opinion about a data subject. Photographs or video footage of an identifiable individual may also be personal data.

There is an obligation to take all practicable steps to ensure that personal data is kept secure (data protection principle 4) (see Question 15). This obligation also applies to personal data in a form in which accessing or processing the data is not practical.

 
4. What acts are regulated?

The Personal Data (Privacy) Ordinance (Cap. 486 of the Laws of Hong Kong) (Ordinance) regulates the:

  • Collection of personal data.

  • Use and disclosure of personal data, with specific provisions for use and disclosure for the purposes of direct marketing.

  • Retention of personal data, including how long it can be retained, accuracy and security.

  • Granting of access to and correction of personal data.

The Ordinance does not currently regulate the transfer of personal data outside of Hong Kong.

 
5. What is the jurisdictional scope of the rules?

The Personal Data (Privacy) Ordinance (Cap. 486 of the Laws of Hong Kong) (Ordinance) has no express provision for extra-territorial application. In the absence of such a provision, the "territoriality principle" applies. Under the territoriality principle, legislation does not apply to any act committed by a foreign person outside of Hong Kong. Therefore, the Ordinance only applies to the actions of data users who control the collection, holding, processing or use of personal data from within Hong Kong.

 
6. What are the main exemptions (if any)?

The Personal Data (Privacy) Ordinance (Cap. 486 of the Laws of Hong Kong) (Ordinance) contains broad exemptions for personal data. Personal data is exempt from most or all of the data protection principles, if it:

  • Is held by an individual for domestic or recreational purposes.

  • Is held solely for the purposes of journalism by a news reporting organisation.

  • Is held for the purposes of the prevention or detection of crime, seriously improper conduct or dishonesty.

  • Is held for the purposes of the prevention or remedy of unlawful conduct (which courts have held to include tortious conduct and copyright infringement).

  • Is held for the purposes of assessment or collection of tax.

  • Relates to the physical or mental health of a data subject, if the application of the Ordinance would be likely to cause that or any other person serious harm.

  • Is collected or used in emergencies and life-threatening situations.

  • Is held by the Government of the Hong Kong Special Administrative Region for security, defence or international relations purposes.

In addition, the Ordinance contains exemptions to the restrictions on use and disclosure of personal data under data protection principle 3 (see Question 9). Exemptions apply for any use or disclosure of personal data which is:

  • Required or authorised by any Hong Kong law or court order.

  • Required in connection with legal proceedings in Hong Kong or exercising or defending legal rights in Hong Kong.

  • For the purpose of a due diligence exercise in connection with a proposed share sale, asset sale or merger.

  • For the purpose of preparing statistics or carrying out research (provided that no identifying information of any data subject is published).

The Ordinance also contains exemptions on the obligation to provide a data subject with the right to access and request correction of their personal data under data protection principle 6 (see Question 13). Exemptions apply for personal data that:

  • Is subject to legal professional privilege.

  • Would incriminate the data user.

  • Is the subject of certain decision-making processes (such as whether to employ or promote the data subject or award a contract or benefit), but only while the decision-making process is continuing.

  • Is relevant to certain staff-planning proposals.

  • Is a personal reference for an application of employment.

Notification

7. Is notification or registration required before processing data?

The Personal Data (Privacy) Ordinance (Cap. 486 of the Laws of Hong Kong) (Ordinance) does not require notification or registration before processing personal data.

 

Main data protection rules and principles

Main obligations and processing requirements

8. What are the main obligations imposed on data controllers to ensure data is processed properly?

Under the Personal Data (Privacy) Ordinance (Cap. 486 of the Laws of Hong Kong) (Ordinance) the main obligations imposed on data controllers are set out in six data protection principles. Any act or practice that breaches a data protection principle is prohibited, subject to certain exceptions (see Question 6).

Data protection principles

The data protection principles are as follows:

  • Data protection principle 1. This governs the collection of personal data. The principle requires the collection of personal data to be lawful, fair and not excessive. It also lists the information a data user must provide to a data subject when collecting the subject's personal data (see Question 12).

  • Data protection principle 2. This governs the retention of personal data. It provides that personal data must be accurate, up-to-date and not be retained any longer than necessary.

  • Data protection principle 3. This governs the use and disclosure of personal data. It provides that personal data may only be used or disclosed:

    • for the purpose for which it was originally collected;

    • for a directly related purpose; or

    • for a purpose to which the data subject has consented.

  • Data protection principle 4. This governs the security of personal data. It requires that all practicable steps must be taken to protect personal data against unauthorised or accidental access, processing, erasure, loss or use (see Question 15).

  • Data protection principle 5. This governs the information that must be made generally available about personal data. It provides that data users must take all practicable steps to ensure any person can ascertain the data user's policies and practices in relation to personal data, including the kinds of personal data held and the main purposes for which that personal data is used.

  • Data protection principle 6. This governs access to and correction of personal data. It provides a right for data subjects to access and correct their personal data (see Question 13).

Other main obligations

Other main obligations on data users include the restrictions on direct marketing activities (see Question 9).

 
9. Is the consent of data subjects required before processing personal data?

Use and disclosure of personal data

Data protection principle 3 provides that personal data may be used or disclosed (other than for direct marketing purposes) for three types of purpose:

  • The purpose for which the personal data was to be used at the time of the collection of the personal data (original purpose).

  • A purpose directly related to the original purpose.

  • A purpose to which the data subject has given prescribed consent (see below, Prescribed consent).

It is therefore only necessary to obtain the consent of the data subject if the use or disclosure is not for the original purpose or a purpose directly related to the original purpose.

Prescribed consent

Prescribed consent means express consent given voluntarily; it cannot be implied or inferred. Prescribed consent may be verbal or written and may be given in person, in paper form or online. Prescribed consent may be subsequently withdrawn by notice in writing to the data user.

A person who has parental responsibility may give prescribed consent on behalf of a minor, provided that both:

  • The minor is incapable of understanding the proposed purpose and deciding whether to give the prescribed consent.

  • The parent has reasonable grounds for believing that the use of the personal data for the proposed purpose is clearly in the interest of the minor.

A similar rule applies to mentally incapacitated persons and persons incapable of managing their own affairs.

Bundled consent

The Office of the Privacy Commissioner for Personal Data (Commissioner) has indicated that bundled consent is not a valid form of consent. Bundled consent occurs when a data subject is required to consent to a particular use of their personal data as a condition of obtaining a product or service.

Use and provision of personal data for direct marketing purposes

Since its amendment in 2012, the Ordinance has recommended tighter restrictions on the use of personal data for direct marketing and on the provision of personal data to a third party for direct marketing. The rules in this area are now some of the most restrictive of any jurisdiction.

The Personal Data (Privacy) Ordinance (Cap. 486 of the Laws of Hong Kong) (Ordinance) defines direct marketing as offering or advertising goods, facilities or services or soliciting donations or contributions by communications addressed or directed to a specific person by name. Therefore, direct marketing does not include communications that are not directed to a specific individual (such as a telemarketer who calls randomly generated phone numbers).

Before using personal data for direct marketing purposes, a data user must provide the data subject with the following information, in a manner that is easily understandable (and if in writing, easily legible) (section 35C, Ordinance):

  • The intention to use their personal data for direct marketing and that it can only do so with the data subject's consent.

  • The types of personal data it proposes to use for direct marketing.

  • The classes of marketing subjects to which the proposed direct marketing will relate. (Marketing subjects means the goods, services or facilities being marketed or the purpose for which any donation or contribution is requested. The Commissioner has stated that marketing subjects must be described in reasonably specific terms and that open-ended descriptions are not compliant.)

A data user must also provide a means for the data subject to communicate their consent to the proposed direct marketing (see below, Consent for direct marketing purposes).

If the data subject subsequently requires the data user to stop using his personal data for direct marketing purposes, the data user must immediately stop that use. The data subject should be informed of this right on the first occasion that the data user contacts the data subject for direct marketing purposes.

Provision of personal data to a third party for direct marketing purposes

Before providing personal data to a third party for direct marketing purposes, a data user must inform the data subject of the following, in a manner that is easily understandable (and if in writing, easily legible) (section 35J, Ordinance):

  • The intention to provide the data subject's personal data to third parties for the purposes of direct marketing and that it can only do so with the data subject's consent.

  • The types of personal data it proposes to provide to third parties for direct marketing purposes.

  • The classes of marketing subjects to which the proposed direct marketing will relate.

  • The classes of third parties to whom it proposes to provide the data subject's personal data. (The Commissioner has stated that classes of third parties must be described in reasonably specific terms and that open-ended descriptions are not sufficient.)

A data user must also provide a means for the data subject to communicate their written consent to the proposed provision of their personal data to third parties for direct marketing purposes (see below, Consent for direct marketing purposes).

If a data user receives personal data from a third party for direct marketing purposes, that data user need not comply with section 35C of the Ordinance if it obtains written confirmation that the third party has already complied with section 35J of the Ordinance.

Consent for direct marketing purposes

Consent under the direct marketing provisions is not the same as prescribed consent under data protection principle 3 (see above, Prescribed consent). However, any consent that satisfies the direct marketing provisions is deemed to satisfy data protection principle 3.

There is no requirement that consent for direct marketing purposes be express (although to be considered a valid consent it must still be voluntary). Consent is defined to include an "indication of no objection" to the proposed use or provision, meaning that an opt-out mechanism can be a valid means of obtaining consent to direct marketing.

Consent to use personal data for direct marketing purposes may be verbal or written. If verbal consent is given, a written confirmation must be sent to the data subject within 14 days. Consent to provide personal data to a third party for direct marketing purposes must be in writing; this includes electronic writing under the Electronic Transactions Ordinance (Cap. 553 of the Laws of Hong Kong).

Defences

It is a defence to most breaches of the direct marketing provisions that the data user took all reasonable precautions and exercised all due diligence to avoid the breach.

 
10. If consent is not given, on what other grounds (if any) can processing be justified?

If consent is not provided, personal data may still be used for the original purpose for which it was collected, or for a purpose directly related to that original purpose (see Question 9).

There are also several categories of use and disclosure which are exempt from data protection principle 3 (see Question 6).

Special rules

11. Do special rules apply for certain types of personal data, such as sensitive data?

The Personal Data (Privacy) Ordinance (Cap. 486 of the Laws of Hong Kong) (Ordinance) does not contain specific rules about sensitive data.

 

Rights of individuals

12. What information should be provided to data subjects at the point of collection of the personal data?

When collecting personal data from a data subject, the data user must take all practicable steps to inform the data subject of certain information. The following information must be provided at or before the collection of the personal data (data protection principle 1(3)):

  • Whether the provision of personal data by data subjects is mandatory and the consequence(s) for not supplying the data. This may be expressly stated or implied.

  • The purpose (in general or specific terms) for which the personal data will be used. This must be expressly stated.

  • The classes of persons to whom the personal data may be transferred. This must be expressly stated.

The following information can be provided before the first use or disclosure of the personal data (data protection principle 1(3)):

  • The data subject's right to request access to the personal data and the correction of the personal data. This must be expressly stated.

  • The contact details of the person to whom requests for access or correction must be sent. This must be expressly stated.

The above information is typically collated and provided in a personal information collection statement (PICS). The PICS will appear on the relevant form, webpage, telephone script or notice. In addition, the PICS can also be used to:

  • Obtain any consent required under data protection principle 3.

  • Provide the data subject with any additional details, and obtain any consent required under the direct marketing rules (see Question 9).

The Office of the Privacy Commissioner for Personal Data (Commissioner) has published guidelines on the content and format of a PICS. In particular, the PICS must be reasonably prominent, easy to understand and easily legible (if written). The guidelines are available on the Commissioner's website (www.pcpd.org.hk.).

 
13. What other specific rights are granted to data subjects?

Data subjects are entitled to (data protection principle 6):

  • Establish whether a data user holds any of their personal data.

  • Request access to any of their personal data.

  • Request correction of any of their personal data.

A request to access or correct personal data must be made in the prescribed form. The form is available from the website of the Office of the Privacy Commissioner for Personal Data (Commissioner) (www.pcpd.org.hk).

A data user must respond to a personal data access or correction request within 40 days of receiving the request. However, if the data user is unable to respond to the request within 40 days, it may notify the data subject and respond to the request as soon as is practical. A reasonable administrative fee may be charged for responding to a data access request, but this fee must reflect the costs of responding to the request.

A personal data access or correction request may be refused if various exemptions to data protection principle 6 apply (see Question 6).

 
14. Do data subjects have a right to request the deletion of their data?

The Personal Data (Privacy) Ordinance (Cap. 486 of the Laws of Hong Kong) (Ordinance) does not include a right for data subjects to request deletion of their personal data.

 

Security requirements

15. What security requirements are imposed in relation to personal data?

A data user must take all practicable steps to ensure that personal data is protected from unauthorised or accidental access, processing, erasure, loss or use (data protection principle 4).

In determining what constitutes practicable steps, the data user must have regard to:

  • The nature of data and the damage that could result from unauthorised or accidental access, processing, erasure, loss or use.

  • The physical location where the data is stored.

  • Any security measures used for the equipment where the data is stored.

  • Any measures taken for ensuring the integrity, discretion and competence of persons having access to the data.

  • Any measures taken for ensuring the secure transmission of the data.

 
16. Is there a requirement to notify personal data security breaches to data subjects or the national regulator?

The Personal Data (Privacy) Ordinance (Cap. 486 of the Laws of Hong Kong) (Ordinance) does not require that personal data security breaches be notified, either to data subjects or the Office of the Privacy Commissioner for Personal Data (Commissioner). A notification requirement was proposed as part of the amendments in 2012, but ultimately did not form part of those amendments.

While not a legal requirement, the Commissioner does encourage notification of breaches.

 

Processing by third parties

17. What additional requirements (if any) apply where a third party processes the data on behalf of the data controller?

If a third party is acting as an agent of the data user, the Personal Data (Privacy) Ordinance (Cap. 486 of the Laws of Hong Kong) (Ordinance) provides that the data user will be liable for any breach of the Ordinance committed by the agent as if committed by the data user.

In addition, the Ordinance requires data users who engage a data processor to take contractual or other steps to:

  • Ensure that the data processor does not retain personal data for longer than is necessary for the processing of the personal data.

  • Prevent unauthorised or accidental access, processing, erasure, loss or use of the personal data transferred.

A data processor is defined in the Ordinance as a person who processes personal data on behalf of another person and does not process the data for its own purposes. Processing data is not exhaustively defined, but it includes amending, rearranging, augmenting and deleting data.

Data processors will not generally be subject to the Ordinance. This is because they usually do not qualify as data users, who must control the collection, holding, processing or use of personal data (see Question 2).

 

Electronic communications

18. Under what conditions can data controllers store cookies or equivalent devices on the data subject's terminal equipment?

In Hong Kong there are no laws that deal specifically with cookies or similar technology. The relevant provisions of the Ordinance will apply if cookies are used to store and collect personal data.

 
19. What requirements are imposed on the sending of unsolicited electronic commercial communications (spam)?

The Unsolicited Electronic Messages Ordinance (Cap. 593 of the Laws of Hong Kong) (UEMO) governs the sending of commercial electronic messages with a "Hong Kong link" (meaning a message sent from or received in Hong Kong).

The UEMO establishes three "do not call registers" for fax messages, pre-recorded telephone messages and SMS messages. A person must not send a commercial fax, pre-recorded telephone message or SMS message to a telephone number registered on the relevant register, without the express or inferred consent of the recipient.

The UEMO also provides that commercial electronic messages (including email messages, instant messages, SMS messages, faxes and pre-recorded telephone messages) must:

  • Contain clear and accurate sender information.

  • Contain an unsubscribe facility. Requests to unsubscribe must be honoured within ten working days.

  • Not conceal caller identification information (for telephone and fax messages).

  • Not contain misleading subject headings (for email messages).

 

International transfer of data

Transfer of data outside the jurisdiction

20. What rules regulate the transfer of data outside your jurisdiction?

The Ordinance currently does not currently restrict the transfer of personal data outside of Hong Kong.

Section 33 of the Ordinance does prohibit the transfer of personal data outside of Hong Kong except in certain circumstances (the circumstances are broadly similar to those set out in Directive 95/46/EC (Data Protection Directive). However, section 33 has never been enacted, despite being a provision of the Ordinance since 1996. However, the enactment of section 33 has recently returned to the legislative agenda. The Office of the Privacy Commissioner for Personal Data recently issued a Guidance Note on Cross Border Transfer of Personal Data and is currently consulting with industry on the proposed implementation of section 33. Some data users have taken the approach of complying with the restrictions to avoid disruption when and if section 33 is eventually enacted.

 
21. Is there a requirement to store (certain types of) personal data inside the jurisdiction?

The Ordinance does not specifically require any particular type of personal data to be stored within Hong Kong. If section 33 of the Ordinance is enacted, then the transfer of all types of personal data outside of Hong Kong will be prohibited except in certain circumstances.

Data transfer agreements

22. Are data transfer agreements contemplated or in use? Have any standard forms or precedents been approved by national authorities?

Data transfer agreements are not currently required because the Personal Data (Privacy) Ordinance (Cap. 486 of the Laws of Hong Kong) (Ordinance) does not currently restrict the transfer of personal data outside of Hong Kong (see Question 20).

 
23. Is a data transfer agreement sufficient to legitimise transfer, or must additional requirements (such as the need to obtain consent) be satisfied?

Data transfer agreements are not currently required because the Personal Data (Privacy) Ordinance (Cap. 486 of the Laws of Hong Kong) (Ordinance) does not currently restrict the transfer of personal data outside of Hong Kong (see Question 20).

If section 33 of the Ordinance were to be enacted, a well-drafted and enforced data transfer agreement would be sufficient to legitimise the transfer of personal data outside of Hong Kong. However, there would also be a number of other options available, including obtaining consent from the data subject.

 
24. Does the relevant national regulator need to approve the data transfer agreement?

Data transfer agreements are not currently required because the Personal Data (Privacy) Ordinance (Cap. 486 of the Laws of Hong Kong) (Ordinance) does not currently restrict the transfer of personal data outside of Hong Kong (see Question 20).

If section 33 of the Ordinance were to be enacted, it would not require that a data transfer agreement be approved by any authority.

 

Enforcement and sanctions

25. What are the enforcement powers of the national regulator?

Investigation

If the Office of the Privacy Commissioner for Personal Data (Commissioner) receives a complaint from an individual or has reasonable grounds to believe an act has been committed in breach of the Personal Data (Privacy) Ordinance (Cap. 486 of the Laws of Hong Kong) (Ordinance) then it may choose to conduct an investigation. The Commissioner has considerable investigative powers under the Ordinance, including the power to enter premises and to require the production of documents.

The Commissioner publishes case notes of its investigations on its website (www.pcpd.org.hk ) but the case notes do not usually identify either party. The Commissioner may also refer criminal offences under the Ordinance to the Hong Kong Police.

Enforcement notice

Following an investigation, if the Commissioner considers that a breach of the Ordinance has occurred, the Commissioner may serve an enforcement notice on the data user. The enforcement notice requires the data user to remedy and prevent any recurrence of the contravention.

The data user may appeal against an enforcement notice to the Administrative Appeals Board within 14 days. Contravention of an enforcement notice is punishable by fines and imprisonment (see Question 25).

The Commissioner receives a substantial number of complaints and conducts a reasonable number of investigations. However, most complaints are resolved without the need for the Commissioner to issue an enforcement notice. Typically, the resolution involves the defendant undertaking to change its practices and possibly offering compensation to affected data subjects.

 
26. What are the sanctions and remedies for non-compliance with data protection laws?

Criminal sanctions

There are a range of criminal sanctions for breach of the Personal Data (Privacy) Ordinance (Cap. 486 of the Laws of Hong Kong) (Ordinance).

The Office of the Privacy Commissioner for Personal Data (Commissioner) is responsible for enforcing the Ordinance. If a data user is found to have breached the Data Protection Principles of the Ordinance, the Commissioner may issue an enforcement notice requiring the data user to take steps to rectify the contravention (see Question 24). A breach of the enforcement notice constitutes a criminal offence, punishable by a fine of up to HK$50,000 (doubled for any subsequent convictions) and imprisonment for up to two years.

Contravention of other requirements of the Ordinance is also an offence. A breach of most of the direct marketing rules (see Question 9) constitutes an offence punishable by a fine of up to HK$500,000 and up to three years imprisonment. A data user who provides personal data to a third party for direct marketing purposes in breach of section 35J of the Ordinance and as a result receives some form of gain, commits an offence, punishable by a fine of up to HK$1 million and up to five years imprisonment. 2015 saw the first four convictions for breaches of the direct marketing rules – the largest fine imposed on a data user to date is HK$30,000.

In addition, it is an offence for a person who obtains personal data from a data user without the data user's consent and discloses that personal data:

  • With the intent to obtain a gain or cause loss to the data subject.

  • In circumstances where the disclosure causes psychological harm to the data subject.

The offence is punishable by a fine of up to HK$1 million and up to five years imprisonment.

A number of lesser contraventions of the Ordinance are punishable by fines of up to HK$10,000 and up to six months' imprisonment.

Civil sanctions

In addition to criminal sanctions, a data subject who suffers a loss due to a breach of the Ordinance is entitled to seek compensation from the data user through civil action, including for emotional distress.

The Commissioner may assist a data subject in taking action by providing legal advice or arranging or subsidising legal representation if he considers the action to involve an important question of principle.

 

Regulator details

Office of the Privacy Commissioner for Personal Data (個人資料私隱專員公署)

W www.pcpd.org.hk

Main areas of responsibility. The Office of the Privacy Commissioner for Personal Data (Commissioner) is responsible for the enforcement of the Ordinance, including receiving complaints from the public, conducting investigations, making determinations and issuing enforcement notices. The Commissioner also:

  • Publishes information and guidance on the Ordinance and its practical application.

  • Conducts campaigns to educate the public in relation to personal data privacy issues.

  • Liaises with industry groups and associations about personal data privacy issues relevant to those industries.



Online resources

W www.pcpd.org.hk

Description. The website of the Office of Privacy Commissioner for Personal Data (Commissioner) contains:

  • The text of the Ordinance.

  • Information about the 2012 amendments of the Ordinance.

  • Information about upcoming and recent activities and events.

  • Case notes detailing recent complaints and investigations

  • Guidance notes and fact sheets.

  • Official forms and contact details.

The website is available in both English and Chinese.



Contributor profile

Nicholas Blackmore, Practice Group Leader, IT & Privacy Law

Kennedys

T +852 2848 6368
F +852 2848 6333
E nicholas.blackmore@kennedyslaw.com
W www.kennedyslaw.com

Professional qualifications Solicitor, High Court of Hong Kong SAR, 2012; Barrister and Solicitor, Supreme Court of Victoria, 2000

Areas of practice. Data privacy; information technology; intellectual property.

Non-professional qualifications. Master of Laws (University of Melbourne); Bachelor of Science (University of Melbourne)

Recent transactions

  • Advising several major insurance companies on recent amendments to the Ordinance.

  • Conducting a privacy compliance audit for a major hotel chain.

  • Advising a major consulting firm on the data privacy implications of offshoring their human resources function to mainland China.

  • Preparing template privacy policies and statements for use by members of an industry association.

Professional associations/memberships. Law Society of Hong Kong; Law Institute of Victoria; Australian Chamber of Commerce Hong Kong and Macau.


{ "siteName" : "PLC", "objType" : "PLC_Doc_C", "objID" : "1247466784636", "objName" : "Data protection in Hong Kong overview", "userID" : "2", "objUrl" : "http://us.practicallaw.com/cs/Satellite/us/resource/9-505-7567?null", "pageType" : "Resource", "academicUserID" : "", "contentAccessed" : "true", "analyticsPermCookie" : "22e97be00:15b190ba19c:1f4f", "analyticsSessionCookie" : "22e97be00:15b190ba19c:1f50", "statisticSensorPath" : "http://analytics.practicallaw.com/sensor/statistic" }