Data Protection Report - Norton Rose Fulbright

A director of a Hong Kong company has been convicted of an offence under the Personal Data (Privacy) Ordinance (“PDPO”). This is the first conviction of its type under the PDPO since the law came into effect in 1996, confirming the potential for directors’ liability under the law.

In this case, a director of an employment agency failed to comply with a summons issued by the Office of the Privacy Commissioner (“PCPD”) to provide information requested by the PCPD in the context of an investigation. As a result, the director was convicted on 30 June 2017 for failing to comply with a lawful requirement of the Privacy Commissioner and was fined HK$3,000 (approximately US$385).

A complaint was filed against the employment agency for transferring personal data without consent. Despite repeated requests from the PCPD, the employment agency failed to provide necessary information required for investigation. In failing to obtain a reply, the PCPD issued a summons to the director of the employment agency requiring him to attend the office for examination, but the director failed to attend the office without a lawful excuse. The PCPD then referred the case to the Police for criminal investigation.

Our Take

Failure to comply with a lawful requirement of the Privacy Commissioner is a criminal offence, and a person can be liable to a maximum fine of HK$10,000 (approximately US$1,300) and to maximum imprisonment for 6 months. This case shows that directors can be held personally liable for such offence, and serves as a strong deterrent to remind all organisations and individuals to cooperate with the PCPD and provide all required information for investigation as expeditiously as possible.

To subscribe for updates from our Data Protection Report blog, visit the email sign-up page.