As a Hong Kong business, your organization likely transfers personal data between locations. While this is an everyday part of business life, it is vital that you understand the regulations related to personal data transfers. Padraig Walsh from Tanner De Witt’s Data Privacy Team offers this useful guide with key points you should know.
Hong Kong’s personal information protection regime is governed by the Personal Data (Privacy) Ordinance (“PDPO”). This statute establishes data subject rights and governs the collection, processing, holding and use of personal data according to six data protection principles.
Key to the PDPO is its requirement that data users inform data subjects why and for what purposes they intend to collect personal data, and obtain their consent if required by law. Typically this obligation can be fulfilled via a Personal Information Collection Statement (PICS). If the information will be transferred abroad, the data user must also inform the transferee of the underlying reasons for the transfer.
Additionally, the PDPO requires data users to implement security measures to protect personal data against unauthorised access, processing, erasure or loss. Under the PDPO’s definition, “personal data” refers to any information which identifies an individual directly or indirectly, and could include their racial/ethnic origin, political opinions, religious beliefs, sexual orientation and genetic data.
Section 33 of the PDPO places additional responsibilities on Hong Kong data users when they propose to transfer personal data abroad. According to this provision, data exporters must assess the foreign jurisdiction’s laws and practices to ascertain whether they meet the standards required under the PDPO. If they do not, additional steps must be taken, such as encryption, anonymisation, or contractual provisions for auditing, inspection, reporting, breach notification, and support and cooperation if needed.
Resistance from the business community to the implementation of Section 33 has been considerable. To address this, the PCPD has moved away from advocating strict application of the requirements and advocates voluntary compliance instead. It recommends that data users draft model clauses for inclusion in data transfer contracts, which will facilitate rapid introduction. Furthermore, the PCPD commissioned a study on the global regulatory framework for cross-border/boundary data flow as a whole before discussing with the Hong Kong Government the best solutions moving forward that meet Hong Kong’s needs.