VIII. Complaints, penalties and legal assistance

After receiving a complaint in relation to possible contraventions of the Personal Data (Privacy) Ordinance, the staff of the Office of the Privacy Commissioner for Personal Data (PCPD) would first conduct preliminary enquiries to see if the complainant holds substantial grounds. After preliminary enquiries into the complaint, the PCPD may inform the complainant of its preliminary views and ask the opposite party to take remedial action to resolve the issues surrounding the complaint.


If the dispute cannot be resolved by mediation, the PCPD may conduct a formal investigation. If the complaint involves suspected contravention of a serious nature, the PCPD would immediately conduct a formal investigation instead of making preliminary enquiries. If after investigation it is found that there are contraventions on the part of the data user, an enforcement notice would be served on that data user by the PCPD directing him/her to take any necessary remedial action. Data users who do not comply with the PCPD's enforcement notice commit an offence and are liable to a fine or imprisonment. The PCPD can also instigate prosecution action under the Ordinance. The time for preparing information for prosecution was extended from six months to two years from the date of the commission of the offence.


If a data subject suffers damage (including injury to feelings) as a result of a contravention of the Ordinance by a data user, the data subject can sue the data user for compensation through civil proceedings. Under the Ordinance, the PCPD can grant legal assistance to that person.




Data subjects should first lodge a complaint with the data user who does not handle his or her personal data in accordance with the Ordinance.


If the alleged offender fails to give a satisfactory reply and the data subject decides to lodge a complaint with the PCPD, the complainant is advised to first learn about the complaint-handling policy of the PCPD. For details, please visit the PCPD webpage on this policy or call its hotline at 2827 2827.


The complaint procedure, accompanied by a flowchart, can be found on the PCPD website. Complainants should note that the time limit for lodging a complaint is two years from the date of their actual knowledge of the privacy-intrusive act or practice, but it is recommended that they lodge the complaint as soon as possible.


For complaints lodged regarding a suspected “doxxing” offence under section 64, the PCPD would conduct a preliminary review of the case. If the case involves the second-tier offence under section 64(3C) of the Ordinance, it will be referred to the Police for follow up and the Secretary for Justice for consideration of prosecution. For other cases which may involve section 64(1) or the first-tier offence under section 64(3A), the PCPD may conduct an investigation into such offences pursuant to section 66C. It may institute summary prosecution of these cases in the PCPD’s own name. After completion of the investigation, the PCPD will inform the complainant of the result of the investigation.




Under section 50 of the Ordinance, the PCPD has wider power to serve enforcement notices. If he finds a contravention of a requirement under the Ordinance, the PCPD can serve an enforcement notice on the data user concerned to direct it to take the necessary steps to remedy the contravention, irrespective of whether the contravention will continue or be repeated.


Any data user who fails to comply with the PCPD's enforcement notice commits an offence and is liable to a fine at level 5 (currently $50,000) and to imprisonment for two years on first conviction. The Ordinance provides for a heavier penalty for a second and subsequent conviction for contravening an enforcement notice. The penalty is a fine at level 6 (currently $100,000) and imprisonment of two years and, in the case of a continuing offence, a daily fine of $2,000. (Section 50A(1))


If data users comply with an enforcement notice issued against them within a specified period, and subsequently intentionally commit the same offence, they are liable to a fine of $50,000 and to imprisonment for two years and, in the case of a continuing offence, a daily fine of $1,000. (Section 50A(3))


For more details of other offences under the Ordinance, please refer to section 64 of the Ordinance.




If data subjects suffer any damage caused by a data user in contravention of the requirements under the Ordinance, they can make a civil claim for compensation from the data user for the damage: i.e. sue the data user in a court (section 66). However, the data subject may have difficulty in pursuing the lawsuit because some cases may be more complex and may incur considerable legal costs and expenses. In view of this, section 66B of the Ordinance authorises the PCPD to grant legal assistance to aggrieved individuals seeking such compensation.

This legal assistance takes the form which the PCPD considers most appropriate, including but not limited to the following: 


  • giving advice;
  • mediation;
  • arranging for advice or assistance from a solicitor or counsel; or
  • arranging for representation by any person, including such assistance as is usually given by a solicitor or counsel, in the steps preliminary or incidental to any proceedings, or in arriving at or giving effect to a compromise to avoid or bring to an end any proceedings.


The assistance may be rendered through the PCPD’s legal staff or external lawyers engaged by the PCPD on behalf of the person seeking legal assistance. The PCPD’s legal staff will advise the individual independently without any influence from anyone else.


The PCPD will normally bear the cost of legal assistance. If the assisted person is successful in the claim for compensation, and in recovering the costs and expenses related to the claim, whether through legal proceedings or any other settlement, the PCPD has the first charge on such costs and expenses payable to the assisted person (i.e. the payment will be used to settle the PCPD’s legal costs or expenses first).


Data subjects seeking legal assistance should normally lodge a complaint against the relevant data user with the PCPD before applying for legal assistance. They should meet the abovementioned requirements during the complaint-handling process, providing all information to the PCPD. They may lodge an application for legal assistance after the PCPD concludes the complaint. All applications must be made on the PCPD’s Application Form.

The PCPD may grant assistance if he thinks fit to do so. In exercising his discretion, the PCPD will consider a series of factors, including in particular:

  • whether the case raises a question of principle; or
  • whether it is unreasonable, having regard to the complexity of the case or the applicant’s position in relation to the respondent or another person involved or any other matter, to expect the applicant to handle the case unaided.


The PCPD lists the factors that he may take into account in the Leaflet entitled “Legal assistance for civil claims under the Personal Data (Privacy) Ordinance”.


Normally, an applicant for legal assistance will be informed of the result within three months after submitting all the relevant information for the application. If the PCPD decides to grant assistance, the applicant will be asked to sign an agreement which sets out the terms and conditions under which the assistance will be given. If the PCPD refuses the application, the applicant will be notified in writing with reasons.


At any stage of the provision of legal assistance, the PCPD may use his discretion to review his decision to grant assistance and discontinue such assistance. The leaflet provides the circumstances under which legal assistance may be discontinued, including, in particular, a situation in which the applicant knowingly gives false or misleading information to the PCPD.


The Ordinance provides no right of appeal against the PCPD’s decision to refuse to grant legal assistance or to discontinue such assistance. However, if there is any material change of circumstances, the PCPD may review, at his discretion, his decision upon receiving a written request from the applicant. His review decision is final.