The GDPR defines the term “identifiable personal data” to mean any information relating to an identified or identifiable natural person, such as name, identification number, location data, or factors specific to that person’s physical, physiological, genetic, mental, economic, cultural or social identity. The definition is intentionally broad, and covers a wide range of personal information. This is the reason why it has been difficult to determine when something might constitute personal data under the new law.

In Hong Kong, the Personal Data Protection Ordinance (PDPO) does not define the term “identifiable personal data”. The PCPD has taken a pragmatic approach to this issue by interpreting the scope of the PDPO as being that the PDPO applies to a person who controls the collection, holding, processing and use of personal data, whether in or out of Hong Kong. This is an important distinction, since several jurisdictions have extended their privacy laws to cover data transfers to entities outside their territorial boundaries.

This approach is not without its drawbacks, however, as it places an unwarranted burden on businesses wishing to transfer data from Hong Kong to non-EEA locations. It is necessary to carefully review the PDPO, the PICS and any other relevant documents in order to understand which information is required to be transferred, and what steps are needed to comply with the requirements of the PDPO.

One important requirement is that the transferring party must expressly notify the data subject on or before collecting the personal data of the purposes for which it will be used and the classes of persons to whom the data may be transferred. This is a significant step, although it is less onerous than the equivalent requirement under GDPR.

The transferring party must also identify and adopt any supplementary measures necessary to bring the level of protection in the foreign jurisdiction up to that of the PDPO. This may include technical measures, such as encryption, pseudonymisation and split or multi-party processing, or contractual provisions, including obligations for audit, inspection and reporting, beach notification and compliance support and cooperation.

Tech Data Distribution (Hong Kong) Limited (“Tech Data HK”) is the leading global distributor and solutions aggregator in the IT ecosystem, helping more than 150,000 customers around the world to maximize their technology investments, demonstrate business outcomes and unlock growth opportunities. As an innovative partner, Tech Data HK brings together compelling IT products, services and solutions from more than 1,500 best-in-class technology vendors. Headquartered in Clearwater, Florida and Fremont, California, Tech Data HK employs over 23,500 people worldwide. Learn more at www.techdata.com.hk.