| Foreword | 25 |
| Preface by Ada CHUNG Lai-ling | 27 |
| Preface by Guobin ZHU | 31 |
| Acknowledgments | 35 |
| Chapter 1 Introduction | 37 |
| Regulatory Approach | 39 |
| Disclaimer | 42 |
| Abbreviations Used in This Book | 42 |
| Chapter 2 The Meaning of “Personal Data” | 45 |
| Introduction — Meaning of the Term “Data” | 46 |
| Definition of “Personal Data” | 47 |
| Paragraph (a) — “Relating Directly or Indirectly to a Living Individual” | 47 |
| Paragraph (b) — “From which it is Practicable for the Identity of the Individual to be Directly or Indirectly Ascertained” | 50 |
| Paragraph (c) — “In a Form in which Access to or Processing of the Data is Practicable” | 52 |
| Consideration of Certain Types of Information | 54 |
| Physical Tracking and Monitoring through Electronic Devices | 61 |
| Identifiability of an Individual — Existing Issues and a Possible Way Forward | 62 |
| Chapter 3 The Meaning of “Collect” | 69 |
| The Eastweek Case | 70 |
| The Meaning of “Collect” | 71 |
| When Does the Use of CCTV for Security or Monitoring Purposes Amount to the Collection of Personal Data? | 74 |
| Information Privacy and Other Privacy Interests | 77 |
| Chapter 4 The Meaning of “Data User” | 83 |
| Meaning of “Data User” with Reference to the Eastweek Case | 84 |
| Meaning of “Data User” with Reference to AAB Cases | 85 |
| Section 2(12) | 87 |
| Meaning of “Person” in the Context of Data User | 89 |
| Joint Data Users | 91 |
| What is the Relationship between a Data User and a Data Processor? | 93 |
| Section 4 | 94 |
| Chapter 5 Data Protection Principle 1 | 97 |
| Overview | 98 |
| The General Requirements of DPP1 | 98 |
| Collection of HKID Card Numbers and Copies of HKID Cards | 100 |
| Collection of HKID Card Numbers for Customer Loyalty Programmes | 107 |
| Collection of HKID Card Numbers by the Property Management Sector | 109 |
| Collection of HKID Card Numbers through Mobile Apps | 110 |
| Collection of Personal Data for Direct Marketing Purposes | 110 |
| Collection of Employees’ Health Data | 111 |
| Collection of Health Data during the COVID-19 Pandemic | 113 |
| Collection of the Criminal Records of Prospective Employees | 114 |
| Collection of a Person’s Whereabouts | 115 |
| DPP1(2) | 116 |
| Collection of Personal Data through Blind Recruitment Advertisements | 118 |
| Collection of Personal Data by Covert Means | 119 |
| Collection of the Activities of Individuals that Take Place inside a Private Residence by Systematic Surveillance and Using a Long-focus Lens | 122 |
| Passive Collection of the Whereabouts of Individuals | 124 |
| Employees Providing Past Medical Records and Consequential Disciplinary Action | 124 |
| Giving Misleading Information to Obtain a Credit Report from a Credit Reference Agency | 125 |
| Collection of Personal Data from the Public Domain | 126 |
| Collection of Biometric Personal Data and Consent | 127 |
| DPP1(3) | 130 |
| Application of DPP1(3) | 131 |
| Obligation Not Absolute — “All Practicable Steps” | 132 |
| Notification Requirements | 134 |
| Purposes of Data Use | 135 |
| The Classes of Persons to Whom the Data May be Transferred | 137 |
| The Right to Request Access to and Correction of the Data | 139 |
| Transparency and Explainability | 140 |
| Requirements on Notification when Collecting Personal Data for Direct Marketing Purposes | 142 |
| Chapter 6 Data Protection Principle 2 | 143 |
| Overview | 144 |
| DPP2(1) | 144 |
| DPP2(2) and Section 26 | 149 |
| Requirements under DPP2(3) and (4): Personal Data Transferred to a “Data Processor” | 159 |
| Data Retention Period — Existing Issues and a Possible Way Forward | 160 |
| Regulation of Data Processors — Existing Issues and a Possible Way Forward | 162 |
| Chapter 7 Data Protection Principle 3 | 163 |
| Overview | 164 |
| The General Requirements of DPP3 | 164 |
| What Does “Use” Mean? | 164 |
| What is a “New Purpose”? | 164 |
| The Original Purpose of Collection | 166 |
| The Purposes of Collection Stated in the PICS | 167 |
| The Lawful Functions and Activities of the Data User | 169 |
| Restrictions of Use Imposed upon Data Users by Data Providers or Data Subjects | 170 |
| Transferring Personal Data between Data Users | 172 |
| Personal Data Collected from the Public Domain | 173 |
| Purposes Directly Related to the Original Purpose of Collection | 179 |
| Avoidance of Disclosing Unnecessary and Excessive Personal Data | 183 |
| Is the Sale of Personal Data a Directly Related Purpose of Use? | 189 |
| Prescribed Consent | 191 |
| Prescribed Consent Given by a Relevant Person | 194 |
| Requirements on Consent for Use when Collecting Personal Data for Direct Marketing Purposes | 196 |
| Chapter 8 Data Protection Principle 4 | 197 |
| Overview | 198 |
| The General Requirements of DPP4 | 198 |
| Data Breaches | 206 |
| Application of DPP4: Storage and Transmission of Data | 226 |
| Outsourcing the Processing of Personal Data to Data Processors | 227 |
| Regulation of “Data Processors” — Existing Issues and a Possible Way Forward | 230 |
| Chapter 9 Data Protection Principle 5 | 231 |
| Overview | 232 |
| The General Requirements of DPP5 | 232 |
| What Should a PPS Include? | 233 |
| PPS Should be Made Generally Available | 234 |
| Other Information to be Made Available | 237 |
| Exercise of the Commissioner’s Enforcement Powers under Section 50 | 238 |
| Chapter 10 Data Protection Principle 6(a) to (d) and the Data Access Provisions in Part 5 | 239 |
| Overview | 240 |
| The Basis of a Data Access Request | 240 |
| What Constitutes a Data Access Request? | 241 |
| Who May Make a Data Access Request? | 243 |
| How to Make a Data Access Request | 245 |
| How and When to Comply with a Data Access Request | 247 |
| Broad and Generic Requests for Personal Data | 249 |
| Steps to be Taken on Failure to Comply with a Data Access Request within the Statutory Period | 253 |
| Language and Format when Responding to a Data Access Request | 254 |
| Data Access Request Made to the Hong Kong Police Force for Criminal Conviction Records | 256 |
| Requested Data Comprising Personal Data of Another Individual | 257 |
| Charge for Complying with a Data Access Request | 259 |
| When Must a Data User Refuse to Comply with a Data Access Request? | 263 |
| When May a Data User Refuse to Comply with a Data Access Request? | 265 |
| Steps to Take in Refusing to Comply with a Data Access Request | 268 |
| Proper Exercise of the Right to Access Personal Data | 270 |
| Chapter 11 Data Protection Principle 6(e) to (g) and the Data Correction Provisions in Part 5 | 275 |
| The Relationship between a Data Correction Request and a Data Access Request | 276 |
| Who Can Make a Data Correction Request and How Should it be Made? | 277 |
| Compliance with a Data Correction Request | 278 |
| Circumstances in which a Data User Shall or May Refuse to Comply with a Data Correction Request | 281 |
| Steps to Take in Refusing to Comply with a Data Correction Request | 285 |
| Chapter 12 Exemption Provisions in Part 8 | 289 |
| Overview | 291 |
| Introduction | 291 |
| Exemptions in General | 292 |
| Section 51A — Performance of Judicial Functions | 294 |
| Section 52 — Domestic Purposes | 295 |
| Sections 53 and 54 — Staff Planning and Employment | 297 |
| Section 55 — Relevant Process | 298 |
| Section 56 — Personal References | 299 |
| Section 57 — Security, etc. in Respect of Hong Kong | 300 |
| Section 58 — Crime, etc. | 302 |
| Section 58A — Protected Product and Relevant Records under Interception of Communications and Surveillance Ordinance | 312 |
| Section 59 — Health | 313 |
| Section 59A — Care and Guardianship of Minors | 316 |
| Section 60 — Legal Professional Privilege | 317 |
| Section 60A — Self-incrimination | 319 |
| Section 60B — Legal Proceedings, etc. | 320 |
| Section 61 — News | 325 |
| Section 62 — Statistics and Research | 330 |
| Section 63 — Exemption from Section 18(1)(a) | 331 |
| Section 63A — Human Embryos, etc. | 332 |
| Section 63B — Due Diligence Exercise | 332 |
| Section 63C — Emergency Situations | 335 |
| Section 63D — Transfer of Records to Government Records Service | 335 |
| Chapter 13 The Commissioner’s Statutory Duties in Investigations | 337 |
| Introduction | 338 |
| The Commissioner’s Statutory Duties of Investigation | 338 |
| Lodging a “Complaint” | 340 |
| Restrictions on Investigations Initiated by a “Complaint” | 345 |
| Discretion of the Commissioner | 349 |
| The Commissioner’s Decision Whether to Carry Out an Investigation | 357 |
| Chapter 14 Data Breach Handling and Notifications | 361 |
| What is a Data Breach? | 362 |
| What Should be Done to Prepare for a Data Breach? | 362 |
| How Should a Data Breach be Handled? | 363 |
| What is a Data Breach Notification? | 367 |
| To Whom Should the Notification be Given? | 368 |
| What Should be Included in the Data Breach Notification? | 368 |
| When Should a Data Breach Notification be Given? | 369 |
| How Should a Data Breach Notification be Given? | 370 |
| Lesson Learnt: Preventing Recurrence | 371 |
| Good Data Breach Handling Makes Good Business Sense | 372 |
| Steps Taken by the Commissioner | 372 |
| Data Breach Handling and Notifications — Existing Issues and a Possible Way Forward | 374 |
| Chapter 15 Criminal Offences | 375 |
| Overview | 376 |
| Direct Marketing Offences | 376 |
| Offences Relating to the Commissioner’s Enforcement Power | 393 |
| Contravention of DPPs — Current Issues and a Possible Way Forward | 398 |
| Offences Relating to the Commissioner’s Investigation Power | 399 |
| Other Offences | 400 |
| Cyber-bullying | 406 |
| Chapter 16 Doxxing | 409 |
| Introduction | 410 |
| Elements of the Offence — Section 64(1) of the Ordinance | 414 |
| Elements of the Offence — Sections 64(3A) and (3C) of the Ordinance | 415 |
| Onward-forwarding of Doxxing Posts | 420 |
| Criminal Investigation and Prosecution Powers | 420 |
| The Commissioner’s Powers to Serve Cessation Notices and Apply for Injunctions | 425 |
| Enforcement Actions Taken by the PCPD after the Amendment Ordinance 2021 Came into Operation | 435 |
| Overseas Experiences and Developments | 437 |
| Chapter 17 Cross-border Transfers of Personal Data from Hong Kong | 439 |
| Overview | 440 |
| Regulation under the Ordinance | 440 |
| Cross-boundary Flow of Personal Information within the Guangdong-Hong Kong-Macao Greater Bay Area | 446 |
| Chapter 18 An Overview of the Mainland’s Personal Information Protection Regime | 449 |
| Introduction | 450 |
| Key Definitions | 453 |
| Principles for Processing Personal Information | 454 |
| Legal Bases for Processing Personal Information | 456 |
| Obligations of Personal Information Processors | 458 |
| Rights of Individuals | 460 |
| Other Specific Requirements | 462 |
| Cross-border Transfer of Personal Information | 464 |
| Enforcement and Legal Liability | 474 |
| The Cybersecurity Law | 477 |
| The Data Security Law | 479 |
| Appendix I Selected Case Notes on Court Judgments | 481 |
| 1. Cathay Pacific Airways Limited v. Administrative Appeals Board & Another [2008] 5 HKLRD 539 (HCAL 50/2008) | 483 |
| 2. Chan Chuen Ping v. The Commissioner of Police [2014] 1 HKLRD 142 (HCMP 2741/2013) | 486 |
| 3. Chan Yim Wah Wallace v. New World First Ferry Services Limited (HCPI 820/2013, Date of Decision: 8 May 2015) | 489 |
| 4. Dr Alice Li Miu-ling v. The Hong Kong Polytechnic University (DCEO 1/2004, Date of Judgment: 1 November 2012) | 494 |
| 5. Eastweek Publisher Limited & Another v. Privacy Commissioner for Personal Data [2000] 2 HKLRD 83 (CACV 331/1999) | 498 |
| 6. HKSAR v. Hong Kong Broadband Network Limited [2018] 2 HKLRD 1049 (HCMA 624/2015, Date of Judgment: 26 January 2017) (on appeal from TWS 6311/2015) | 501 |
| 7. HKSAR v. Leung Chun-kit Brandon (HCMA 49/2016, Date of Judgment: 2 June 2017) (on appeal from ESS 24178/2015) | 508 |
| 8. Junior Police Officers’ Association of the Hong Kong Police Force & Another v. Electoral Affairs Commission & Others [2020] HKCA 352 (CACV 73/2020, Date of Judgment: 21 May 2020) | 516 |
| 9. Lily Tse Lai Yin & Others v. The Incorporated Owners of Albert House & Others (HCPI 828/1997, Date of Decision: 10 December 1998) | 521 |
| 10. M v. M (FCMC 1425/1988, Date of Judgment: 10 June 1997) | 523 |
| 11. Ng Shek Wai v. Medical Council of Hong Kong [2015] 2 HKLRD 121 (HCAL 167/2013) | 526 |
| 12. Oriental Press Group Ltd v. Inmediahk.net Ltd [2012] 2 HKLRD 1004 (HCA 1253/2010) | 530 |
| 13. Secretary for Justice v. Persons unlawfully and wilfully conducting themselves in any of the acts prohibited under paragraph 1(a) and (b) in the indorsement of claim and the Internet Society of Hong Kong Limited [2019] HKCFI 2809 (HCA 2007/2019) | 533 |
| 14. Secretary for Justice & Commissioner of Police v. Persons unlawfully and wilfully conducting themselves in any of the acts prohibited under paragraph 1(A), (B) or (C) in the indorsement of claim [2019] HKCFI 2773 (HCA 1957 of 2019) | 537 |
| 15. Sham Wing Kan v. Commissioner of Police [2020] HKCA 186 (CACV 270/2017, Date of Judgment: 2 April 2020) | 541 |
| 16. Tsang Po Mann v. Tsang Ka Kit and Another [2021] 1 HKLRD 1301 | 545 |
| 17. Tso Yuen Shui v. Administrative Appeals Board (HCAL 1050/2000, Date of Decision: 16 November 2000) | 547 |
| 18. Wu Kit Ping v. Administrative Appeals Board [2007] 4 HKLRD 849 (HCAL 60/2007) | 550 |
| Appendix II Major Differences between the PIPL, the GDPR and the PDPO | 552 |
| Appendix III Checklist for Data Users in Ensuring Compliance with the Ordinance | 561 |
| Appendix IV Data Subject’s Rights when his Personal Data Privacy is Infringed | 565 |
| Conciliation with the Data User | 565 |
| Lodging of a Complaint with the Commissioner under Section 37 | 565 |
| Appeal to the Administrative Appeals Board under Section 9 of the Administrative Appeals Board Ordinance (Cap. 442) | 566 |
| Civil Remedies | 567 |
| Index | 569 |
| List of Court Cases and Administrative Appeals Board Decisions | 587 |