Proxy Use and Privacy Laws in Hong Kong

Using proxy servers is legal in Hong Kong, but several laws govern how proxies may be used and what data organisations may collect through them. Here's what you need to know.

1. Legal Status

Is Using a Proxy Server Legal in Hong Kong?

Using a proxy server is entirely legal in Hong Kong. There is no legislation in the Hong Kong Special Administrative Region that prohibits the use of proxy servers, VPNs, or other traffic-routing technologies by individuals or organisations. This distinguishes Hong Kong from mainland China, where the use of non-approved VPNs and proxy services is technically illegal under the Cybersecurity Law and various internet regulations enforced by the Ministry of Industry and Information Technology. As of 2026, Hong Kong maintains its own distinct legal system and internet regulatory framework.

The National Security Law (NSL) enacted in June 2020 created some uncertainty about the trajectory of internet regulation in Hong Kong. However, as of the time of writing, the NSL has not been applied to proxy or VPN use itself: it concerns acts of secession, subversion, terrorism, and collusion with foreign forces, not the technical means of internet access. Using a proxy for lawful purposes (privacy protection, accessing geo-restricted content, business data collection, and network security) remains entirely within the law. Using a proxy to facilitate illegal acts remains illegal, just as it would be without a proxy.

Businesses operating proxy infrastructure in Hong Kong must comply with relevant telecommunications and data protection regulations. Operating a commercial proxy service that provides access to others requires appropriate business licensing. Proxy services that handle personal data must comply with the Personal Data (Privacy) Ordinance (PDPO) — Hong Kong's primary data protection legislation, which regulates the collection, retention, use, and disclosure of personal data. The PDPO applies to any organisation that collects or processes personal data in or from Hong Kong, including proxy providers with HK-based operations.

  • Personal Use Legal: Using any proxy or VPN service for personal internet access is entirely lawful in Hong Kong.
  • Business Use Legal: Corporate proxy deployments for security, data collection, and network management are lawful.
  • NSL Clarification: The National Security Law concerns specific acts — it has not been applied to proxy technology use.
  • HK vs Mainland: Hong Kong maintains distinct internet regulations from mainland China — proxy use is legal in HK, not across the border.
  • Commercial Proxy Service: Operating a proxy service commercially in HK requires appropriate business licensing and PDPO compliance.
  • Illegal Use Remains Illegal: Using a proxy to facilitate illegal activities (fraud, hacking, copyright infringement) is still illegal.
2. PDPO Implications

The Personal Data (Privacy) Ordinance and Proxy Use

The Personal Data (Privacy) Ordinance (Cap. 486) is Hong Kong's comprehensive data protection law, administered by the Privacy Commissioner for Personal Data (PCPD). It governs how personal data — any data that relates to an identifiable living individual — is collected, held, processed, used, and disclosed. For proxy users and operators, the PDPO has several relevant implications that are important to understand, particularly as the PDPO was substantially strengthened with amendments that came into force in October 2021.

For organisations using proxies to collect data from websites, the PDPO's Data Protection Principle 1 (DPP1) is particularly relevant: personal data may only be collected for a lawful purpose directly related to the function or activity of the data user, and collection must be adequate but not excessive relative to that purpose. If your proxy-based web scraping collects personal data — names, email addresses, phone numbers, or any data identifying individuals — you must have a specific lawful purpose and must not collect more personal data than that purpose requires. The PCPD has published guidance on web scraping and data collection that clarifies these requirements.

The 2021 PDPO amendments introduced provisions specifically addressing the misuse of personal data in doxxing — publishing private information about individuals without consent with the intent to harm. These provisions have enforcement implications for proxy-based data collection operations that aggregate and publish personal data about private individuals. Collecting personal data through proxies and publishing it in ways that could facilitate harassment or identify individuals without consent potentially constitutes a criminal offence under the amended PDPO, with penalties including fines and imprisonment. Legitimate business data collection from public sources that doesn't enable individual identification is generally outside the scope of these provisions.

  • PDPO DPP1: Personal data gathered through proxies must be collected only for a lawful, specific purpose and must not be excessive.
  • Doxxing Provisions: 2021 amendments criminalise aggregating and publishing personal data to harm individuals — relevant to proxy data operations.
  • PCPD Guidance: The Privacy Commissioner publishes guidance on web scraping and data collection compliance under PDPO.
  • Business Data vs Personal Data: Scraping publicly available pricing and product data generally doesn't involve personal data, so the PDPO's scope is narrower.
  • Data Retention: Personal data collected must not be retained longer than necessary for the stated collection purpose.
  • Legal Advice: Organisations collecting personal data through proxies at scale should consult a lawyer familiar with PDPO compliance.
3. Computer Crimes Law

Computer Crimes Ordinance: What Proxy Users Need to Know

The Crimes Ordinance (Cap. 200) and the Telecommunications Ordinance (Cap. 106) together form the primary legislative framework governing computer-related offences in Hong Kong. Section 27A of the Crimes Ordinance criminalises unauthorised access to computer systems and programs. Using a proxy to gain unauthorised access to computer systems — bypassing access controls, scraping password-protected content, or accessing systems you are not authorised to use — is a criminal offence regardless of whether a proxy is used. The proxy does not provide legal cover for unauthorised computer access.

Website scraping of publicly accessible content without login requirements is generally not "unauthorised access" under Section 27A — the content is publicly accessible to any internet user, and using a proxy or automated tool to access it doesn't constitute hacking into a protected system. However, using proxies to bypass a website's technical access controls (CAPTCHAs that gate access, login requirements, IP blocking implemented as explicit access restrictions) may move into legally questionable territory. The legal boundaries are not definitively settled in HK court precedent for web scraping specifically, and the analysis varies based on the specific facts of each situation.

The Copyright Ordinance (Cap. 528) is another relevant consideration for proxy users accessing streaming content. Using a proxy to access streaming content in a region where you don't hold a valid licence, or accessing content that isn't available in Hong Kong due to copyright licensing restrictions, may constitute a technical violation of the copyright holder's exclusive rights, though enforcement against individual consumers for personal viewing is historically rare and primarily focuses on commercial infringement. Being aware of these potential legal boundaries is appropriate, even if the practical enforcement risk for personal non-commercial use is low.

  • Unauthorised Access: Section 27A prohibits using proxies (or any means) to access computer systems without authorisation.
  • Public Data Generally Fine: Accessing publicly available web content through proxies generally doesn't constitute unauthorised access.
  • Access Control Bypass: Using proxies to circumvent explicit access controls (login gates, IP blocks) is legally riskier.
  • Copyright Consideration: Accessing geo-restricted copyrighted content via proxy may technically violate copyright law.
  • Terms of Service: Violating a website's ToS through proxy use is primarily a civil matter — rarely criminal in HK.
  • Legal Advice: For any proxy use that involves bypassing restrictions or collecting data at scale, legal advice is recommended.
4. Best Practices

Legal Best Practices for Proxy Use in Hong Kong

For personal proxy use — protecting your privacy when browsing, accessing geo-restricted content, and securing your traffic on public WiFi — no special legal precautions are needed beyond using the technology for lawful personal purposes. Using a quality paid proxy or VPN service from a reputable provider for these everyday purposes is entirely straightforward legally in Hong Kong. You have no obligation to disclose your use of privacy tools to any party, and there is no requirement to use an unencrypted or unproxied connection for lawful personal internet use.

For business proxy use, particularly data collection operations, implementing a compliance framework is advisable. This includes documenting your data collection purposes and legal basis, establishing data retention policies, reviewing robots.txt compliance, avoiding collection of personal data unless specifically required and legally justified, and ensuring any personal data collected is held securely and for no longer than necessary. For operations collecting significant volumes of data from websites, having a lawyer review the operation against PDPO requirements and the Crimes Ordinance is valuable insurance against regulatory risk.

When using proxies to collect data from websites based in other jurisdictions, you may also need to consider the data protection laws of those countries. The GDPR applies to the personal data of EU residents regardless of where the data processor is located — a Hong Kong company scraping personal data of European users through proxies may be subject to GDPR requirements including lawful basis for processing, privacy notices, and data subject rights. Similarly, the California Consumer Privacy Act (CCPA) applies to California residents' personal data. Multinational proxy data operations require a genuinely international compliance analysis, not just consideration of HK law.

  • Personal Use: Use proxies for lawful personal purposes without concern — no special legal steps required.
  • Business Data Collection: Document purposes, minimise personal data collection, and review robots.txt compliance.
  • Legal Review: Have a lawyer assess large-scale data collection proxy operations against PDPO and Crimes Ordinance.
  • International Compliance: Consider GDPR and CCPA when collecting data about EU or California residents through proxies.
  • Provider Due Diligence: Use proxy providers with clear privacy policies, data retention limits, and PDPO-compatible practices.
  • Avoid Prohibited Uses: Never use proxies for fraud, unauthorised system access, doxxing, or facilitating illegal activities of any kind.