Betterchoicesbettercarenj.com

Personal Data Transfer Regulations in Hong Kong

Data transfers are common and necessary for business operations. However, a lot of regulation governs these transfers. It is vital for businesses to understand data privacy regulation imposed on personal data transfers to reduce risk and promote efficient compliance across the organization. This article by Padraig Walsh from Tanner De Witt’s Data Privacy practice group provides an overview of the key points to consider when dealing with personal data transfer regulations in Hong Kong.

The Privacy Commissioner for Personal Data (“PCPD”) has published two sets of recommended model contractual clauses to aid in the implementation of data transfer obligations. The first set addresses transfers between two data users within Hong Kong and the second addresses transfers between a data user in Hong Kong and a data processor outside of Hong Kong.

As a general rule, the PCPD requires a data exporter to obtain the voluntary and express consent of a data subject for any transfer of their personal data that is envisaged in their PICS. Where this is not possible, the PDPO contains a series of ‘safeguards’ that must be complied with to facilitate a transfer. Whether these safeguards are fulfilled depends on a number of factors, including the nature of the purpose for which the personal data is being transferred and whether the transfer involves a new use of that data.

In addition to complying with the PDPO, a data exporter must ensure that it is transparent with data subjects about its intention to transfer their personal data and the underlying grounds for that transfer. This requirement is a crucial safeguard to prevent unintended data flows that may infringe a person’s privacy.

Data protection law in Hong Kong has long been a pioneer in the development of modern data privacy laws and regulations. It has, therefore, established a high standard of protection for personal data that is transferred abroad. This has led to it having one of the most complex and extensive data transfer regimes in the world.

A major difference between the PDPO and other data privacy laws, such as those of mainland China and the European Union, is that the definition of personal data in Hong Kong only concerns individuals who can be identified by reference to other data. This makes for a much smaller pool of people than in other jurisdictions where, for example, the term is defined to include any information which can be used to identify an individual.

A discussion paper published by the government earlier this year explored potential changes to the PDPO that might include an extension of the definition of personal data in order to catch a broader range of uses of data. This change, if implemented, could have significant implications for businesses operating in Hong Kong. In light of this, it is a good idea for all businesses to review their current processes and ensure that they are in compliance with the existing PDPO. A failure to do so might result in substantial fines or enforcement action.