Watching eyes everywhere: Hong Kong’s new privacy guidance for CCTVs, drones, and in-vehicle cameras
Introduction
The Office of the Privacy Commissioner for Personal Data (“PCPD”) has recently released updated guidance documents: an updated Guidance on the Use of CCTV Surveillance and a new Guidance on the Use of Video Cameras on Drones and Vehicles (collectively, the “Updated Guidance Documents”). These documents are accompanied by practical information leaflets and reflect the current regulatory environment as Hong Kong advances initiatives including the planned installation of cameras in all taxis by 2026 and the development of a low-altitude drone economy.
Critically, the Updated Guidance Documents do not establish new legal obligations. Rather, they clarify how existing provisions of the Personal Data (Privacy) Ordinance, Cap 486 (“PDPO”) – specifically the six Data Protection Principles of the PDPO – apply to modern surveillance technologies and operational scenarios. Organizations deploying cameras in any context should understand that compliance is mandatory under existing law, and the PCPD’s guidance provides the interpretative framework through which enforcement will occur.
Factual context: Recent enforcement example
Shortly after the PCPD released its guidance, the privacy watchdog issued a warning to a local fitness facility regarding a mispositioned CCTV camera that risked recording the facility’s men’s restroom. This enforcement action illustrates the PCPD’s active monitoring and enforcement posture regarding camera placement and demonstrates that privacy compliance failures – even those that may appear technical in nature – will trigger regulatory intervention.
CCTV systems: Installation and deployment standards
The CCTV guidance note emphasizes that CCTV installation must be justified by a lawful purpose directly related to the data user’s function or activity. Organizations should conduct a pre-installation assessment that objectively weighs three factors: the severity of the problem the CCTV is intended to address; the likelihood that surveillance will effectively address that problem; and the degree of privacy intrusion resulting from the proposed installation.
Cameras must not be installed in locations where individuals have a reasonable expectation of privacy, including changing rooms, bathrooms, and private rest areas. Covert surveillance and pinhole camera deployment are permissible only as a last resort and only where strong justification for privacy breach exists.
Where high-resolution imaging of facial features is not necessary for the intended purpose, lower-resolution recording is required. Similarly, audio recording, facial recognition functionality, and individual-tracking capabilities should be disabled unless there is clear and compelling justification for their activation. Organizations are encouraged to conduct a formal privacy impact assessment before system deployment to identify privacy risks and establish operational and technical mitigation measures.
Transparency, security and data retention
Individuals under surveillance must be clearly notified of that fact. Conspicuous notices must be placed in the vicinity of monitored areas, particularly where cameras are discreetly positioned or in locations where surveillance may not be anticipated. Notices must identify the data user, provide contact details for privacy enquiries, and state the purpose or purposes of the surveillance. Furthermore, personal data must not be retained longer than necessary for the purposes for which it was collected and all practicable steps must be taken to protect recordings against unauthorised or accidental access, processing, erasure, loss, or use.
It is important that data use is limited to the original purpose or directly related purposes unless the data subject has given express and voluntary consent or a statutory exemption applies. Notably, sharing footage online or using recordings for purposes unrelated to the original purpose without consent violates the PDPO. The PDPO also provides a specific criminal offence for “doxxing” – the disclosure of another person’s personal data without consent where the discloser intends to cause, or is reckless as to causing, specified harm.
Drone operations: Flight planning and data protection
Organizations deploying drones equipped with video cameras must plan flight paths in advance and pre-define recording criteria, including what will be recorded, where recording will occur, when recording will occur, and the quality or resolution of footage. This pre-planning requirement is designed to prevent excessive collection of personal data.
Privacy-enhancing technologies that automatically blur or mask facial images should be considered and implemented where feasible. Wireless transmission of footage must be encrypted. Data storage must be secure, and access of such data must be restricted. Organizations should be aware that lost or stolen drones present particular data security risks; appropriate safeguards must be implemented to prevent unauthorised access to stored footage.
Notice for drone operations
Given the mobility and altitude of drones, achieving transparency presents practical challenges. The PCPD recommends a combination of measures: pre-announcements of drones use and passage in affected areas or via public channels; notices posted at launch sites that include QR codes linking to a Personal Information Collection Statement and/or privacy policy; flashing lights on drones to indicate their operation; drones marked with the operator’s logo or identifying information; and crew members wearing identifiable clothing indicating the data user’s identity.
In-vehicle camera systems:
Taxi and passenger-carrying vehicles
The government’s plan to install cameras in all taxis by 2026 reflects a policy initiative to promote taxi service quality. However, such systems must comply with the PDPO. Passenger-carrying vehicles present a heightened privacy expectation due to the confined nature of the space and the involuntary presence of passengers.
Organizations should consider restricting recording functions so that inward-facing cameras activate only when the vehicle is in motion, and such footage and recordings must be securely stored to prevent leaks. As one may expect, transparency is particularly important in the vehicle context and notices should be placed on the exterior of the vehicle or in conspicuous interior locations such as on dashboards or the back of headrests.
Recommended compliance actions
Organizations currently operating or planning to deploy surveillance systems should undertake the following steps:
1. Assess the necessity of cameras before deployment;
2. Perform comprehensive privacy assessments to identify and mitigate risks;
3. Ensure transparency through clear and conspicuous notices and policies;
4. Establish data minimization practices limiting collecting to necessary data;
5. Deploy encryption and access control measures to secure data;
6. Establish document retention and deletion policies; and
7. Provide staff training on permissible uses of data and surveillance technologies.
Conclusion
The PCPD’s guidance provides a clear compliance roadmap for organizations deploying surveillance systems. The recent enforcement action against the fitness facility confirms that the PCPD will actively monitor deployments and take action when violations occur. Organizations currently operating surveillance systems are advised to conduct comprehensive compliance reviews and implement corrective measures to ensure alignment with the guidance framework.
For enquiries, please feel free to contact us at: |
|
E: technology@onc.hk T: (852) 2810 1212 19th Floor, Three Exchange Square, 8 Connaught Place, Central, Hong Kong |
|
Important: The law and procedure on this subject are very specialised and complicated. This article is just a very general outline for reference and cannot be relied upon as legal advice in any individual case. If any advice or assistance is needed, please contact our solicitors. |
|
Published by ONC Lawyers © 2025 |
