Media Statements

Date: 1 August 2016

Cyber-bullying (tracking down personal data) May Violate the Privacy Ordinance 

(1 August 2016) As the LegCo Election draws near and in view of some Internet users who banded together online to track down and disclose individuals’ (including public servants) personal data and even made intimidating remarks, the Privacy Commissioner for Personal Data, Hong Kong, Mr Stephen Kai-yi WONG, called for Internet users to respect others’ privacy rights to avoid committing the relevant offences set out in the Personal Data (Privacy) Ordinance (the “Ordinance”).

There is a common misunderstanding among members of the public that personal data of an individual obtainable in the public domain can be further used for whatever purposes and without limitation. The Privacy Commissioner reiterated that personal data obtained from the public domain is still subject to the regulation of the Ordinance. Mr Wong said, “Privacy is a fundamental human right. The Office of the Privacy Commissioner of Personal Data, Hong Kong (“PCPD”) will continue its efforts in nurturing a culture of ‘Protect, Respect Personal Data’ among individuals and organisations in the community, and will guard against any ‘tracking down personal data’ or ‘cyber-bullying’ acts that infringe others’ personal data privacy rights.” Any members of the public who find their privacy rights relating to personal data being abused or misused unlawfully may consider lodging a complaint with the PCPD.

Legal Protection:

Currently, there is no specific legislation in Hong Kong that regulates cyber-bullying acts. Because cyber-bullying activities are wide-ranging and may relate to defamation, criminal intimidation and infringement of intellectual property, they have to be addressed by applying different branches of the law. Various law enforcement bodies will also be involved.

In respect of personal data privacy, according to the Data Protection Principles (“DPPs”) under the Personal Data (Privacy) Ordinance, to decide whether an act contravenes the Ordinance, regard must be had to whether personal data is collected in a lawful and fair way, and whether the data users have taken practicable steps to notify the data subjects of the purpose of data collection, etc.

Where cyber-bullying engages the collection and use of personal data, the requirements of the DPPs in the Ordinance are relevant. DPPs 1 and 3 are particularly important:

  • DPP1 (Collection purpose and means) – This principle requires the data user to collect personal data only for a purpose directly related to its function or activity; to collect data as necessary and not excessively; and to collect data by means which are lawful and fair.
  • DPP3 (Use) – This principle stipulates that unless the data subject has given explicit and voluntary consent, personal data shall only be used for the purpose for which it was originally collected or a directly related purpose. As such, cyber-bullying acts that involve the use of personal data of targeted persons collected from the public domain through channels such as public registers, search engines or public directories may constitute a contravention of DPP3.

The Privacy Commissioner may serve an enforcement notice on the data user who contravenes a DPP in order to remedy the contravention, and it is an offence for the data user not to comply with the enforcement notice. The offence attracts a fine of HK$50,000 and imprisonment for two years and, in the case of a continuing offence, a daily fine of HK$1,000.

In addition, under section 64 of the Ordinance, a person commits a criminal offence if he discloses any personal data of a data subject obtained from a data user without the data user’s consent with the intention –

  • To obtain gain in the form of money or other property, whether for his own benefit or that of another person; or
  • To cause loss in the form of money or other property to the data subject.

A person will also commit a criminal offence if he discloses, irrespective of his intent, any personal data of a data subject obtained from a data user without the data user’s consent and the disclosure causes psychological harm to the data subject. The maximum penalty for the offence is a fine of HK$1,000,000 and imprisonment of 5 years.

Guidance and leaflets:

The Privacy Commissioner issued a “Cyber-bullying – What you need to know” leaflet that helps members of the public understand the legal protection and ways to deal with cyber-bullying. A “Protecting Online Privacy – Be Smart on Social Networks” leaflet was also issued to provide the public with the steps to protect personal data in relation to registration for social networking sites, use of privacy settings, posting of personal data and other practical tips. More detailed explanations on how DPP3 governs the use of personal data in the public domain can be found in the Privacy Commissioner’s “Guidance on the Use of Personal Data Obtained from the Public Domain”.