Data is a critical enabler of digital innovation and the new economy. A car manufacturer can’t make a new model if it lacks the financial capital to fund the production line, and an autonomous vehicle can’t drive itself without the data that feeds onboard algorithms. This new role for data has implications across the economy and beyond, from business strategy to competition law.
The PDPO’s definition of personal data is consistent with international norms on the term and has been updated in other legislative regimes such as mainland China’s Personal Information Protection Law and the EU’s General Data Protection Regulation. Generally, personal data refers to information that can identify an individual, whether they are directly identifiable or not. It can also include information about legal entities such as companies and trusts.
It is important to understand how the PDPO’s scope/territorial jurisdiction applies when it comes to cross-border transfers of personal data. This is because the PDPO requires certain obligations to be fulfilled by data users when they transfer personal data, and failure to comply with these requirements can result in penalties or even enforcement action.
For example, data users must inform a data subject of the purpose for collecting their personal data and where it is to be transferred, as well as provide them with the class of persons to whom their data may be transferred. They must also ensure that any third party to whom they transfer personal data complies with the PDPO’s privacy principles. Moreover, they must not transfer data that is excessive or unnecessary for the purpose of their processing.
This is a significant burden for businesses, especially those operating overseas and doing business in Hong Kong. However, the HKMA is looking into ways to ease these regulatory burdens. For example, it is exploring the possibility of a data exchange between banks and other sources of commercial data, including utility companies. This would allow businesses to share data more efficiently, and reduce their compliance costs.
The HKMA also recently announced that it is working to build the Cyber Security and Data Infrastructure (CDI), a next-generation financial data infrastructure that will replace the multiple one-to-one connections between banks and their sources of commercial data. This will make data sharing more secure, efficient and scalable. The initiative is part of the HKMA’s Fintech 2025 strategy to improve Hong Kong’s data infrastructure, empower the industry and enhance the appetite for fintech solutions. The CDI is expected to be operational by 2022.