VI. Complaints, penalties and legal assistance

After receiving a complaint in relation to possible contraventions of the Personal Data (Privacy) Ordinance , the staff of the Office of the Privacy Commissioner for Personal Data (PCPD) would first conduct preliminary enquires to see if the complainant holds substantial grounds. After preliminary enquiries into the complaint, the PCPD may inform the complainant of its preliminary views and ask the opposite party to take remedial action to resolve the issues surrounding the complaint.

If the dispute cannot be resolved by mediation, the PCPD may conduct a formal investigation. If the complaint involves suspected contravention of a serious nature, the PCPD would immediately conduct a formal investigation instead of making preliminary enquiries. If after investigation it is found that there are contraventions on the part of the data user, an enforcement notice would be served on that data user by the PCPD directing him/her to take any necessary remedial action. Data users who do not comply with the PCPD’s enforcement notice commit an offence and are liable to a fine or imprisonment. The Commissioner can also instigate prosecution action. Under the amended Ordinance. The time for preparing information for prosecution was extended from six months to two years from the date of the commission of the offence.

If a data subject suffers damage (including injury to feelings) as a result of a contravention of the Ordinance by a data user, the data subject can sue the data user for compensation through civil proceedings. Under the amended Ordinance, the Commissioner can grant legal assistance to that person.

A. Complaint-handling policy and complaint procedures

Data subjects should first lodge a complaint with the data user who does not handle his or her personal data in accordance with the Ordinance.

If the alleged offender fails to give a satisfactory reply and the data subject decides to lodge a complaint with the PCPD, the complainant is advised to first learn about the complaint-handling policy of the PCPD. For details, please visit the PCPD webpage on this policy or call its hotline at 2827 2827.

The complaint procedure, accompanied by a flowchart , can be found on the PCPD website. Complainants should note that the time limit for lodging a complaint is two years from the date of their actual knowledge of the privacy-intrusive act or practice, but it is recommended that they lodge the complaint as soon as possible.

B. Enforcement notice and penalties

Under section 50 of the amended Ordinance, the Commissioner has wider power to serve enforcement notices. If he finds a contravention of a requirement under the Ordinance, the Commissioner can serve an enforcement notice on the data user concerned to direct it to take the necessary steps to remedy the contravention, irrespective of whether the contravention will continue or be repeated.

Any data user who fails to comply with the PCPD’s enforcement notice commits an offence and is liable to a fine at level 5 (currently $50,000) and to imprisonment for two years. The amended Ordinance provides for a heavier penalty for a second and subsequent conviction for contravening an enforcement notice. The penalty is a fine at level 6 (currently $100,000) and imprisonment of two years and, in the case of a continuing offence, a daily fine of $2,000. ( Section 50A(1) )
If data users comply with an enforcement notice issued against them within a specified period, and subsequently intentionally commit the same offence, they are liable to a fine of $50,000 and to imprisonment for two years and, in the case of a continuing offence, a daily fine of $1,000. ( Section 50A(3) )

For more details of other offences under the Ordinance, please refer to section 64 of the Ordinance.

C. Legal assistance

If data subjects suffer any damage caused by a data user in contravention of the requirements under the Ordinance, they can make a civil claim for compensation from the data user for the damage: i.e. sue the data user in a court ( section 66 ). However, the data subject may have difficulty in pursuing the lawsuit because some cases may be more complex and may incur considerable legal costs and expenses. In view of this, section 66B of the amended Ordinance authorises the Commissioner to grant legal assistance to aggrieved individuals seeking such compensation.
This legal assistance takes the form which the Commissioner considers most appropriate, including but not limited to the following:

  • giving advice;
  • mediation;
  • arranging for advice or assistance from a solicitor or counsel; or
  • arranging for representation by any person, including such assistance as is usually given by a solicitor or counsel, in the steps preliminary or incidental to any proceedings, or in arriving at or giving effect to a compromise to avoid or bring to an end any proceedings.

The assistance may be rendered through the Commissioner’s legal staff or external lawyers engaged by the Commissioner on behalf of the person seeking legal assistance. The Commissioner’s legal staff will advise the individual independently without any influence from anyone else.

The Commissioner will normally bear the cost of legal assistance. If the assisted person is successful in the claim for compensation, and in recovering the costs and expenses related to the claim, whether through legal proceedings or any other settlement, the Commissioner has the first charge on such costs and expenses payable to the assisted person (i.e. the payment will be used to settle the Commissioner’s legal costs or expenses first).

Data subjects seeking legal assistance should normally lodge a complaint against the relevant data user with the Commissioner before applying for legal assistance. They should meet the abovementioned requirements during the complaint-handling process, providing all information to the PCPD.They may lodge an application for legal assistance after the Commissioner concludes the complaint. All applications must be made on the PCPD’s Application Form .

The Commissioner may grant assistance if he thinks fit to do so . In exercising his discretion, the Commissioner will consider a series of factors, including in particular:

  • whether the case raises a question of principle; or
  • whether it is unreasonable, having regard to the complexity of the case or the applicant’s position in relation to the respondent or another person involved or any other matter, to expect the applicant to handle the case unaided.

The Commissioner lists the factors that he may take into account in the Leaflet entitled “Legal assistance for civil claims under the Personal Data (Privacy) Ordinance” .

Normally, an applicant for legal assistance will be informed of the result within three months after submitting all the relevant information for the application. If the Commissioner decides to grant assistance, the applicant will be asked to sign an agreement which sets out the terms and conditions under which the assistance will be given. If the Commissioner refuses the application, the applicant will be notified in writing with reasons.

At any stage of the provision of legal assistance, the Commissioner may use his discretion to review his decision to grant assistance and discontinue such assistance. The leaflet provides the circumstances under which legal assistance may be discontinued, including, in particular, a situation in which the applicant knowingly gives false or misleading information to the Commissioner.

The Ordinance provides no right of appeal against the Commissioner’s decision to refuse to grant legal assistance or to discontinue such assistance. However, if there is any material change of circumstances, the Commissioner may review, at his discretion, his decision upon receiving a written request from the applicant. His review decision is final.