Data hk is the collection of personal information about living persons from which it is practicable for those people to be directly or indirectly identified. It includes any information relating to the physical, physiological, genetic, mental, economic, cultural or social identity of a person, as well as any information identifying that person’s place of birth or citizenship. This is a key definition and one that is important for companies when considering the transfer of personal data between jurisdictions.
In Hong Kong, the processing of personal data is regulated through six data protection principles under the Personal Data Protection Ordinance (“PDPO”). The PDPO applies to organisations that control the collection, holding, processing or use of personal data, regardless of where they are located. In addition, the PDPO has provisions that regulate cross-border data flow (DPP 33).
For a business to transfer personal data out of Hong Kong, it needs to have a legal basis for doing so. This is generally achieved through a data impact assessment, which should consider the benefits and risks of the transfer, as well as the lawfulness of its purpose. The assessment should also consider the foreign jurisdiction’s laws and practices, including any security concerns, and the repercussions of transferring data to the recipient jurisdiction.
A further consideration is whether the business needs to comply with a foreign data privacy law, such as GDPR. This can have significant consequences, and may lead to the need for a data protection agreement with the receiving country.
Currently, there is no specific statutory restriction on the transfer of personal data from Hong Kong to another country under section 33 of the PDPO. However, the PCPD has been advocating that this be amended to address increased cross-border data flow. This is likely to be prompted by the need for an efficient and reliable way of transferring data with mainland China, which operates as a separate legal jurisdiction under the “one country, two systems” principle.
When it comes to a statutory restriction, the most obvious issue is that section 33 requires a data user to expressly inform a data subject on or before collecting his personal data of the purposes for which the personal data is collected and of the classes of persons to whom the personal data may be transferred. This requirement is a form of data use and, as such, it can only be fulfilled if the data subject consents to the transfer.
It is possible for a data user to fulfil this obligation by agreeing to standard contractual clauses proposed by the data exporter and specified in the PDPO. However, this can be an expensive and time-consuming process for a data exporter, and is not always effective at addressing all issues that could arise. For instance, the PDPO does not include explicit provisions on beach notification and compliance support and co-operation.