What is Data Hk?
As more businesses rely on data-related technologies, it becomes ever more essential for them to have in-depth knowledge of the personal information protection regime applicable to their operations, and of any risks that could arise when transferring personal data overseas, such as laws and practices in destination jurisdictions that differ from those in Hong Kong.
Data hk, launched by the Office of the Privacy Commissioner for Personal Data (“PCPD”) to serve as a centralised platform for its work on international transfers of personal data, will allow more comprehensive guidance than would otherwise be provided using current resources alone.
This includes guidance on conducting data transfer impact analyses and the new standard contractual clauses recommended by the PCPD. There will also be a list of useful resources, such as the six-step framework published by the European Data Protection Board.
An effective data transfer impact assessment is an integral component of exporting personal information internationally. The process involves reviewing the reasons behind the transfer and considering how laws and practices in the destination jurisdiction might influence those reasons. Data exporters must also take additional steps to mitigate any negative effects identified during the analysis.
One common example where this type of review might be necessary is when a business exports personal information to another country for direct marketing purposes. When doing this, it is critical for the business to understand whether the direct marketing laws in the destination jurisdiction permit this activity and what penalties might apply if violations take place.
The definition of personal data used by the PDPO is in line with other legislation such as China’s Personal Information Protection Law or Europe’s General Data Protection Regulation; that is, it encompasses any data held pertaining to an identifiable individual irrespective of how it may be held.
If a company can demonstrate that it lacks control over the collection, holding, or processing of personal information under the PDPO, its obligations in relation to transfer will not apply. There may also be exemptions from use limitations and access requirements, for instance when necessary for protecting national security, defence or foreign affairs, for crime prevention activities, for the assessment or collection of taxes or duties due, for news activities, or in life-threatening emergency situations.
As part of their PDPO liability assessment, businesses should understand their liability when hiring third-party processors to collect or process personal information on their behalf. They should be able to demonstrate that these processors abide by the PDPO's terms and have implemented adequate security measures.