The innovation and technology sector is a key part of Hong Kong’s economy, and the volume of data flow in that sector is increasing. As such, understanding data hk is essential for businesses to reduce business risk and promote efficient compliance with regulatory requirements for cross-border data transfers. This article by Padraig Walsh from the Data Privacy practice at Tanner De Witt looks at the interpretation of key data privacy concepts in relation to personal data transfers in Hong Kong and elsewhere, including the need for a lawful basis for transfer.
Padraig Walsh is a senior associate in the Data Privacy team at Tanner De Witt.
When the PDPO was first enacted, increased cross-border data flow was seen as an important and irreplaceable attribute of Hong Kong’s economic success. This gave rise to a high level of focus on the implementation of section 33 and the related model contract. The business community, however, had strong concerns about the impact on operational efficiency and the cost of compliance. These views eventually caused the PCPD to shift its focus away from ensuring that section 33 was implemented and into a more generalized policy objective of promoting free movement of personal data in line with the principles and policies set out in the PDPO.
As a result, there is now no statutory restriction in the PDPO on the transfer of personal data outside Hong Kong. This is a significant change from the position taken in many other jurisdictions, which generally limit or prohibit such transfers. Nevertheless, it is not without its challenges, particularly in light of the fact that Mainland China is a separate legal jurisdiction under the “one country, two systems” principle and is rapidly modernizing its data privacy laws.
The first step is to determine whether or not the personal data being transferred is subject to the PDPO. The definition of personal data in the PDPO is very broad and includes all information that relates to an identified or identifiable person. It is very likely that this will cover most personal data in existence. However, it is also necessary to consider whether the data that is being transferred constitutes personal data within the meaning of other data protection regimes, such as the GDPR.
It is also important to consider whether or not a transfer impact assessment will be required. While not mandatory under Hong Kong law, there are an increasing number of circumstances in which a data user will need to carry out a transfer impact assessment because of the application of laws of other jurisdictions.
Finally, it is also important to remember that a PICS must be issued before the collection of personal data and that it will include information about the classes of persons to whom the personal data may be transferred. The obligation to disclose and obtain the prescribed consent of the data subject before transferring the personal data for any new purpose is also a requirement under the PDPO.