Hong Kong's first prison sentence under the Personal Data (Privacy) Ordinance

Intellectual Property Update


The Hong Kong Privacy Commissioner for Personal Data (PCPD) announced last week that a former insurance agent has received a prison sentence in respect of offences under the Personal Data (Privacy) Ordinance (the Ordinance).


The case arose from a complaint made by the customer of an insurance company in 2012. An insurance agent had approached the customer while working for one insurance company. He subsequently moved company and sold a new insurance policy to the customer of his former company, who was unaware, at the time, that the agent had moved companies.

The customer alleged that the agent had misled her, and had thereby obtained her personal information by unfair means. In responding to the PCPD's enquiries, the agent gave false information to the PCPD, which constitutes an offence under the Ordinance. The agent has been sentenced to 4 weeks' imprisonment.

Significance of the case

This case is important in that it marks the first custodial sentence being imposed pursuant to the Ordinance. The case emphasises the close nexus between data privacy and criminal liability in Hong Kong, and the willingness of courts to use the custodial sentences available as an enforcement measure under the Ordinance. Individuals and companies should be reminded that it is vital to cooperate with the PCPD in the event of enquiries or an investigation, and to provide a full and accurate account of events or information requested by the PCPD in the exercise of its statutory functions.

We expect this landmark first use of custodial sentencing is likely to be replicated in other areas of the Ordinance, in particular in relation to direct marketing activities. We understand several matters have already been referred to the Hong Kong Police for criminal investigation.

The case also follows the regional trend across Asia Pacific towards more stringent, and more heavily enforced, data privacy laws. While Hong Kong has one of the most mature regimes in the region, we are witnessing the rapid emergence of data privacy regulations in other countries. In Singapore, the first convictions for breach of the Personal Data Protection Act were imposed earlier this year, shortly after the legislation came into force.

Privacy enforcement can be categorised by regional peculiarities. Europe tends to be highly regulated and oriented towards regulatory fines. Civil rights and class actions make the USA the home of large private law suits. In Asia, with the possibility of jail sentences in a number of regimes, privacy enforcement is likely to be characterised by the real possibility of facing criminal prosecution for breaches.

If you have any queries or concerns about data privacy laws in Hong Kong or elsewhere, our data privacy team, comprising a network of lawyers in 76 offices globally, would be pleased to hear from you.