Global menu

Our global pages


Data Privacy Implications of the use of CCTV Footage in the press

  • Hong Kong
  • Privacy, data protection and cybersecurity - GDPR


On 16 April 2019, a controversial 16-minute video containing footage of a what is believed to be a taxi journey taken by two Hong Kong celebrities, Andy Hui Chi-on and Jacqueline Wong, was published on the website of a local newspaper. This publication has sparked a renewed debate concerning the data privacy principles that apply to video footage captured hidden cameras and CCTV systems. In particular,

  1. When is it permissible to install CCTV systems; and
  2. How can the video footage captured by such systems be used?

A Right to Privacy?

The right to privacy is protected in Hong Kong by Article 14 of the Bill of Rights Ordinance (Cap 383) which provides that “No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation.” On its face, this provides a relatively strong safe guard against an individual’s privacy being infringed.

However, the Bill of Rights Ordinance often does not provide individuals who have suffered from a breach of privacy with a remedy as it is limited in application: its provisions are binding only on government bodies or public authorities (or individuals acting on their behalf).


Unlike the Bill of Rights Ordinance, the Personal Data (Privacy) Ordinance (Cap 486) (“PDPO”) has general application. Its objective is to protect the privacy rights of a person in relation to their personal data. It does not protect privacy in general.

Many the recordings of CCTV systems in public and semi-public areas will not capture “personal data” within the meaning of the PDPO, particularly if the quality of the footage is insufficient to identify individuals. The PDPO applies only to data that can be used to identify a living individual. However, in the footage captured of Mr Hui and Ms Wong their identities were directly disclosed, and where a CCTV installation is used to collect or compile information about identified persons the six data protection principles of the PDPO will apply.

The most relevant principles are:

  • Principle 1: personal data must be collected for a lawful purpose, must not be excessive and must directly relate to a function or activity of the data user (the person collecting the data); and
  • Principle 2: the data user must ensure data accuracy and that there is no excessive retention of personal data.
  • Principle 3: personal data shall only be used for the purposes for which it was collected or a directly related purpose, in the absence of consent.

Possible lawful purposes within the meaning of Principle 1 might include the use of CCTV for deterring or detecting specific or repeated criminal activity. In the context of a taxi, a possible lawful purpose might therefore be to install a video camera for security or safety reasons. However, in such circumstances, the PDPO requires that any personal data collected must be "adequate and not excessive”. Individuals or companies installing CCTV systems should therefore take care to ensure that the intrusion into an individual’s privacy is minimised.

If the hurdle imposed by Principle 1 can be satisfied, the obligations imposed by Principles 2 and 3 place limitations on the manner in which data can be used and retained. In particular, personal data should be deleted as soon as practicable once the purpose of the collection is fulfilled. If CCTV is installed for security purposes, video footage should be routinely deleted if no incident of security concern is reported. In the context of a taxi journey, this might be as soon as practicable after the journey has concluded or at the end of each shift.

Further, absent consent, personal data can only be used for the purpose for which it was collected. If a CCTV system is installed for security purposes, it can only be used for this purpose and generally, this will not permit the data to be transferred to third parties.

Offences under the PDPO

The Privacy Commissioner for Personal Data (the “Commissioner”) may carry out an inspection of any personal data system used by a data user following receipt of a complaint. If the Commissioner is satisfied that the relevant data user is in contravention of the PDPO, it may then serve an enforcement notice in writing directing the data user to remedy and prevent any recurrence of the contravention. A breach of an enforcement notice is a criminal offence.

Because a criminal offence is committed only if and when there is non-compliance with an enforcement notice, this means that in many cases, notwithstanding a breach of the PDPO, the Commissioner has limited powers to take action against first time offenders, irrespective of the gravity of the breach.

Even where non-compliance can be prosecuted, the maximum fine that can be imposed is only HK$ 50,000 and two years’ imprisonment (plus a daily fine of HK$ 1,000 if the offence continues). If a data user has breached more than one enforcement notice, then the maximum fine goes up to HK$ 500,000 and 3 years’ imprisonment. This compares poorly with the EU General Data Protection Regulation ("GDPR") that came into force on 25 May 2018. The GDPR imposes fines of up to 4% of the annual global turnover of a data controller or EUR 20 million, whichever is higher.

The media sector will undoubtedly be watching the Commissioner’s next step with respect to the publication of the Hui/Wong footage carefully as may result in it seeking to distinguish the principles in Eastweek Publisher Ltd & Another v Privacy Commissioner for Personal Data [2000] 2 HKLRD 84. In that case, photos were published of women in Hong Kong, taken without consent on the street, as part of an article commenting on their fashion sense. In Eastweek, the Court of Appeal determined that no contravention of the PDPO had occurred as the photographs were not personal data. It reached this conclusion on the basis that the photographer was not compiling information about an identified person or about a person whom the photographer intended or sought to identify. In the present case, the identity of those in the video footage was clearly established (and not merely because the celebrities were recognisable).

The more private future?

The publication of the Hui/Wong video has already thrown substantial attention on the adequacy of Hong Kong’s privacy legislation. This follows a series of high profile data privacy incidents in 2018 which resulted in many commentators raising concerns that Hong Kong’s data privacy legislation, which was best in class when it was enacted in 1996, is now falling behind global best practice such as the GDPR and legislation in Japan.

The Commissioner appears to recognise that legislative changes may be required and has already announced that he will carry out a review of the PDPO in order to recommend potential changes. Any changes that are proposed are unlikely to result in speedy changes to the PDPO itself. A similar review took more than three years from the issuance of a consultation document until legislative change occurred.