Data Transfer Regulations in Hong Kong
If you are transferring personal data outside Hong Kong, or moving data from other locations into Hong Kong, you should be aware of the relevant regulations. Padraig Walsh, Partner in the Data Privacy practice group at Tanner De Witt, highlights some of the key points that you need to consider.
The first point is that data transfers may trigger some additional obligations under the PDPO (Data Privacy Principles). For example, DPP1 requires you to inform a person of the purpose and collection of his personal information before collecting it. This includes advising him of the classes of persons to whom his data will be transferred. The PDPO also requires you to obtain the prescribed consent of the data subject before changing how his personal information is used (DPP3).
As you can see, the scope of these additional obligations may seem broad at first glance. However, there are certain restrictions on the application of these obligations where data transfers are involved. For instance, a person is not required to comply with these obligations if he does not have any operations controlling the collection, holding, processing or use of personal data in, or from, Hong Kong. Similarly, you are not required to provide a PICS to a person before transferring his personal information if the transfer is to another data user in a jurisdiction where the PDPO does not apply.
In addition, you may be required to agree to standard contractual clauses and conduct a transfer impact assessment if you are a data exporter to the European Union and/or its member states, or if you are a data importer into the EU. This requirement is likely to be extended to cover other data exporters and importers in future.
Data transfers are common and important in the global business community. It is vital to understand how the PDPO interprets and applies to data transfers to reduce business risk and promote efficient compliance with applicable data privacy regulation. For more advice, please contact our Data Privacy team. We are ready to help you navigate this ever-changing regulatory landscape.