ENFORCEMENT OF PDPO

Question 1

What is the role of the Office of the Privacy Commissioner for Personal Data (PCPD)?

Answer 1

The PCPD enforces and oversees compliance with the PDPO - including conducting investigations - providing guidance - and raising public awareness.

Question 2

What are the key roles of the PCPD?

Answer 2

Investigation - guidance - and public education.

Question 3

What types of rules does the Privacy Commissioner issue?

Answer 3

Codes of Practice and Administrative Instructions.

Question 4

What was the outcome of the Octopus Rewards Ltd. case?

Answer 4

Octopus Rewards Ltd. was required to cease unauthorized data transfer and improve data protection measures.

Question 5

The Octopus Rewards case was a breach of which data protection principles under the PDPO?

Answer 5

Data collection and data use.

Question 6

What is the role of the Personal Data (Privacy) Advisory Committee?

Answer 6

Advises the Privacy Commissioner on policy development and public consultation.

Question 7

How must organizations manage consent and opt-out mechanisms?

Answer 7

Consent mechanisms must be clear - accessible - and easy to use. Fresh consent is needed for new purposes - and accurate records of consents and withdrawals must be kept.

Question 8

What is an enforcement notice?

Answer 8

An enforcement notice is issued by the Privacy Commissioner to a data user who has contravened the PDPO - requiring rectification and preventive measures.

Question 9

What does the PCPD do in terms of policy development and implementation?

Answer 9

Issues new guidelines - provides training - and proposes law reforms to enhance data protection.

Question 10

What is the Third-Party Benefit Exception?

Answer 10

A proposal to review and possibly amend the law to regulate data sharing for third-party benefits more strictly.

Question 11

What are recent trends in commissioner expectations?

Answer 11

Emphasis on proactive data protection measures - higher levels of transparency - and accountability of senior management.

Question 12

What are the consequences of breaching an enforcement notice in HK?

Answer 12

Fine of HK$50 -000 on first conviction and HK$100 -000 on subsequent conviction and imprisonment for two years.

Question 13

What are the penalties for direct marketing contraventions in HK?

Answer 13

If the data user provided data for gain: fine of up to HK$1 million and imprisonment for up to five years. If otherwise than for gain: fine of up to HK$500 -000 and imprisonment for up to three years. If it fails to stop using data for direct marketing: punishable for a fine of up to HK$500 -000 and imprisonment for up to three years.

Question 14

What can a HK complainant appeal to AAB?

Answer 14

A complainant may appeal to the Administrative Appeals Board (AAB) against a decision of the Privacy Commissioner not to issue an enforcement notice following an investigation into a complaint.

Question 15

What are the two HK consultative advisory committees?

Answer 15

Personal Data (Privacy) Advisory Committee and the Standing Committee on Technological Developments.

Question 16

What are the penalties for breaching the PDPO?

Answer 16

Fines of HK$500 -000 to HK$1 million and 3-5 years in jail.

Question 17

What is the significance of the Do No Evil Mobile App case in HK?

Answer 17

The issue was aggregating data from publicly available sources. The Commissioner ruled that using personal data obtained from the public domain for due diligence review and background check was inconsistent with the original purpose of data collection by the Judiciary - ORO - and Companies Registry.

Question 18

Can a complainant appeal the decision of the AAB in HK?

Answer 18

There is no appeal against the decision to court - but aggrieved parties can seek judicial review of the AAB decision.