In a data-driven world, personal data has become one of the most valuable assets for businesses. It is important to protect this asset, and for businesses to comply with laws that govern the use of personal data.
The Hong Kong Personal Data Protection Ordinance (PDPO) provides various safeguards for the use of personal data. These include a general prohibition on the collection, holding or processing of personal data without lawful grounds and a requirement to obtain the consent of the person whose data is being collected. The PDPO also contains provisions relating to cross-border data transfers, as well as an enforceable code of practice for data users.
However, despite these safeguards, it is still possible for businesses to lose sight of their obligations and risks when they transfer data across borders. It is therefore crucial to remain aware of current legal trends, particularly those that may impact data transfer between Hong Kong and mainland China under the “one country, two systems” principle.
A recent discussion paper published by the Hong Kong government explored potential changes to the PDPO, including a possible revision of the definition of “personal data”. This change is designed to capture more situations where personal information is processed, such as identifying an individual using various identifiers. These identifiers can include an individual’s name; an identification number or other data that can identify them, whether in written or electronic form; online identifiers such as an internet protocol address; location data; and factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity.
This change is designed to align the PDPO with the definition of personal data used in other legislative regimes, such as the PIPL that applies in mainland China and the GDPR that applies in the European Union. However, it is unlikely that the change will be adopted in the short term.
Cross-border data transfer
The PDPO contains a provision, section 33, that prohibits the transfer of personal data outside Hong Kong unless certain conditions are met. This provision is a significant departure from the “adequacy” or “equivalence” approach taken in many other jurisdictions around the world, and it looks increasingly likely that it will not be implemented in the short term.
As a result, data exporters in Hong Kong need to be mindful of the limitations of section 33 and ensure that they have an adequate legal basis to transfer their personal data. They must also be aware of their obligations in respect of contractual arrangements with data importers, including undertaking transfer impact assessments and ensuring that the terms of such agreements reflect the requirements of the PDPO.
A further consideration is that a company that is a data exporter in Hong Kong will be subject to the GDPR if it controls any processing activities of persons within the European Union and offers goods or services in the European Union, or monitors the behaviour of data subjects in the European Union. This will apply even if the data is only transferred to Hong Kong. This will require a thorough review of the organisation’s processes and compliance measures.