How to Comply With Data Protection Laws in Hong Kong

Data hk is an online resource to help businesses comply with Hong Kong’s data protection laws. It offers guidance on the application of the Personal Data (Privacy) Ordinance (“PDPO”) to cross-border transfers, including recommended model clauses that can be included in contractual arrangements for data transfer. It also provides information on the PDPO’s mandatory data breach notification requirements and a detailed discussion of how this compares to similar provisions in other jurisdictions. Finally, it explains the role of a Privacy Commissioner and highlights other legal remedies available to individuals in respect of breaches of their rights under the PDPO.

One of the major differences between the PDPO and most other data privacy regimes is that it has no element of extra-territorial application. The PDPO applies only to a person whose operations are controlled in, or from, Hong Kong, and who has control over the collection, holding, processing or use of personal data. This is a narrower definition than that used by many other data privacy regimes, which tend to rely on the broader concepts of “personal data” and “processing”.

The PDPO’s definition of personal data includes information that identifies a natural person. However, this definition has not been updated since the PDPO was first enacted in 1996. It may need to be brought in line with modern norms, such as the definition of personal data in the European Union’s General Data Protection Regulation (“GDPR”).

It is important for businesses transferring data abroad to understand that under Hong Kong law, they are required to expressly inform a data subject on or before the collection of personal data of the purposes for which the information will be used and the classes of persons to whom it will be transferred. In addition, a data user cannot change the purpose for which personal data has been collected unless it obtains the voluntary and express consent of the original data subject.

A key principle of the PDPO is that personal data should be collected for a specific and lawful purpose. There are some exemptions to this rule, for example for research, academic or scientific work. Even in those cases, however, the collection must be proportionate to the purpose for which the data is used, and no other personal information should be collected.

Section 33 of the PDPO prohibits the transfer of personal data outside Hong Kong unless certain conditions are fulfilled. The conditions relate to the protection of personal data and include a requirement that the personal data be transferred with the assistance of a data importer who is subject to supervision in the territory of the original data exporter or who has agreed to implement standard contractual clauses proposed by the EEA data exporter.

A further condition is that the importing data user takes steps to identify and adopt supplementary measures that bring the level of protection in the foreign jurisdiction up to the standard required under the PDPO. These might include technical measures, such as encryption or pseudonymisation, or contractual measures, such as breach notification, compliance support and co-operation.