Personal Data Protection in Hong Kong
The volume of cross-border data flow is rising rapidly. Whether the flow of information will have positive or negative impacts on data protection in Hong Kong will largely depend on how well we prepare for the new realities and challenges. Against this backdrop, the Greater Bay Area International Information Technology Industry Association (GBAITA) and Institute of Big Data Governance (iBDG) have launched an international data industry alliance to promote Hong Kong as a hub for global data governance and establish the city as a global leader in this area.
The alliance will encourage mainland and overseas businesses to gather in Hong Kong, promote cooperation between local enterprises and foreign business groups, foster talent in data analytics and enhance the city’s overall competitiveness in the international arena. It will also work to promote Hong Kong’s role in advancing global data ethics.
In this regard, the Hong Kong Privacy Commissioner for Personal Data has published two sets of recommended model contractual clauses. The first set addresses the transfer of personal data from a Hong Kong entity to an entity outside Hong Kong, and the second addresses the transfer of personal data from a Hong Kong entity to a data processor.
One important point to note is that the PDPO defines “personal data” as information relating to an identifiable person. This definition is consistent with the definition used in other legislative regimes, such as the Personal Information Protection Law that applies in mainland China and the General Data Protection Regulation that applies in the European Economic Area.
If a person acquires personal data, that triggers a range of statutory obligations to fulfil under the PDPO, including compliance with its six data protection principles (“DPPs”). This includes the requirement to expressly inform a data subject on or before collecting their personal data of the purposes for which it will be used and the classes of persons to whom it may be transferred. This is because transfer is a form of use and must be in accordance with the PDPO’s DPPs.
In the case of a data transfer, it is vital that the transferring entity conduct a thorough assessment of the foreign jurisdiction’s laws and practices to ensure that its proposed data processing will not violate the PDPO. The assessment should include identifying and adopting any supplementary measures required to bring the processing up to Hong Kong standards. This might involve technical measures such as encryption, anonymisation or pseudonymisation, or contractual provisions such as audit, breach notification and compliance support and co-operation.
Finally, the transferring entity must review its PICS and determine whether it has fulfilled the obligation to give notice of the proposed transfer. It must also determine whether the transfer constitutes a change of purpose for which the prescribed consent of the data subject is required. In short, the transferred personal data must not be used for any purpose other than that contemplated by the original PICS.