Hong Kong Issues New PCPD Guidance and Leaflets on CCTV, Drones and In-vehicle Cameras

The Office of the Privacy Commissioner for Personal Data ("PCPD") updated the Guidance on the Use of CCTV Surveillance (the "CCTV Guidance") and issued a new Guidance on the Use of Video Cameras on Drones and Vehicles (the "Drones and Vehicles Guidance") (collectively, the "Guidance"), accompanied by two practical information leaflets. The Guidance reflects the rapid uptake of smart surveillance technologies and the government's plan to develop a low-altitude economy as well as the installation of in-vehicle cameras in all taxis to promote quality of taxi services. 

While surveillance technologies provide clear operational and safety benefits, their use frequently involves the processing of personal data and must therefore comply with the Personal Data (Privacy) Ordinance ("PDPO"). The Guidance is designed to help organisations and individuals deploy these technologies responsibly, lawfully and transparently, while being mindful of the need to address core principles of data privacy relating to necessity, proportionality, notice, retention and security of data.

Scope and Applicability

Where CCTV installations, in-vehicle cameras, or drones equipped with video capability capture and store images or audio from which an individual can be identified, the use of such technologies will likely involve the collection and processing of personal data and the PDPO (including the six Data Protection Principles ("DPP")) will apply.

Necessity, Proportionality and Data Minimisation

The installation of CCTV must be for a lawful purpose directly related to the data user’s function or activity and should be properly justified. CCTV should not be installed where individuals have a reasonable expectation of privacy, such as changing rooms, bathrooms or private rest areas. Covert surveillance or the use of pinhole cameras should only be contemplated with strong justification and as a last resort.

Before deployment, data users should assess whether cameras are truly necessary to address a defined problem and whether less privacy-intrusive alternatives could achieve the same objective. The PCPD recommends an objective pre-installation assessment that weighs the severity of the problem, the likely effectiveness of surveillance in addressing the problem, and the degree of intrusion into privacy. Data users should opt for lower-resolution recording if high-resolution imaging of detailed facial features is unnecessary, and disable audio recording, facial recognition and individual-tracking functions unless there is a clearly justified and compelling need to do so. 

The PCPD also encourages data users to conduct a privacy impact assessment before using a CCTV surveillance system to identify privacy risks and devise operational and technical measures to prevent or mitigate such risks.

The same principles apply to in-vehicle cameras and camera-equipped drones. Drone operators should plan flight paths and pre-define recording criteria (what, where, when, and quality/resolution of footage) to avoid excessive collection, and consider using privacy-enhancing technologies that automatically blur or mask facial images. For inward-facing cameras, data users should consider restricting recording functions so that they will only be activated when the vehicle is in motion, and should also avoid blanket, continuous video and audio recording unless there is adequate justification. 

Transparency and Notice

Pursuant to DPP1(3), individuals should be clearly notified that they are under CCTV surveillance. For fixed CCTV, data users should place conspicuous notices in the vicinity of monitored areas, especially where cameras are discreetly placed or in locations where surveillance may not be anticipated. Notices should include information about the data user, provide contact details for privacy queries and state the purpose(s) of the surveillance.  

In practice, it is more challenging for drones to achieve transparency given their mobility and altitude. The PCPD suggests a combination of measures: pre-announcements in affected areas or via public channels, posting notices at launch sites with QR codes with links to a Personal Information Collection Statement and/or privacy policy, using flashing lights to indicate the use of drones, marking drones with the operator'’s logo,  and requiring crew members to wear clothing that identifies the data user. 

As far as taxis and other passenger-carrying vehicles are concerned, transparency is especially important because of the higher expectation of privacy in small, confined spaces. Notices can be placed on the exterior of the vehicle or in conspicuous locations inside the vehicle, such as on dashboards or the back of headrests. 

Retention, Deletion and Purpose Limitation

Under DPP2(2), personal data must not be kept longer than necessary for the purposes for which it was collected. Recordings should be regularly and securely deleted if no incident is discovered or reported. Data users should also establish and enforce clear retention policies tailored to their use case. Where contractors are involved in maintaining systems and have access to footage, data users must adopt contractual or other means to ensure data is not retained longer than necessary.

Data users should limit use to the original purpose or a directly related purpose unless the data subject has given express and voluntary consent, or a statutory exemption applies. Notably, sharing footage online or using recordings for unrelated purposes without consent is prohibited under DPP3. The CCTV Guidance reminds users of the doxxing offence under the PDPO which includes the disclosure of personal data of another person without consent where the discloser intends to cause, or is reckless as to causing, specified harm.

Security and Accountability

DPP4(1) requires all practicable steps are taken by a data user to protect personal data against unauthorised or accidental access, processing, erasure, loss or use. The CCTV Guidance highlights the fact that recordings should be stored in encrypted form at rest and in transit. Physical security of storage media is essential, and drives should be kept in locked facilities with restricted access. In addition, access logging should be implemented to track who has viewed, copied or transferred footage. For in-vehicle cameras, the Guidance recommends the use of non-removable solid-state storage media (instead of removable media such as memory cards) and implementing appropriate access control measures. For drones, data users are advised to encrypt wireless transmission of their footage, ensure secure storage and restrict access in case the drone is lost or stolen. 

There is a reminder to data users to ensure appropriate controls where third-party service providers are involved. Contracts should include obligations on security, retention, access, and breach reporting. Data users should also maintain clear policies and procedures to ensure staff are trained on permitted use of surveillance technologies and the handling of footage.

Exemptions and Interactions with Other Regimes

The PDPO contains exemptions that may permit use of personal data for new purposes without prescribed consent in certain circumstances, including for the prevention or detection of crime or the prevention or remedying of unlawful or seriously improper conduct. In practice, these exemptions are commonly engaged when law enforcement seeks access to CCTV, drone footage, or in-vehicle recordings that capture suspected criminality or the appearance of suspects and could assist ongoing investigations. Data users should document their assessments of the reliance on these exemptions and ensure that such reliance is supported by clear justification. 

The operation of drones is regulated under the Small Unmanned Aircraft Order (Cap. 448G), which establishes a registration system and has provisions relating to training, operational, equipment and insurance requirements. Depending on the risk level of drones, their use may require prior approval from the Civil Aviation Department. Operators of drones must comply with both the aviation regime and the PDPO when using drones in Hong Kong.

Key Takeaways

Companies planning to use surveillance technologies should take heed of the new PCPD Guidance and consider conducting a privacy impact assessment before deployment to identify risks, define scope and operational parameters, and set out proportionate mitigating measures. It is also essential to establish clear policies and protocols for access to and the handling of recordings, as well as for retention and security, approval workflows for disclosure. This goes hand-in-hand with the formulation of a consistent approach to handling third‑party requests (including from law enforcement).

Finally, periodic compliance reviews should be considered in order to confirm the continuing necessity and proportionality of surveillance, the effectiveness of controls, and whether less intrusive alternatives are available.

The authors would like to thank Roslie Liu, Legal Practice Assistant at Mayer Brown Hong Kong LLP, for her assistance with this Legal Update.