Regulation of Data Processing in Data Hk

In Hong Kong, data hk is regulated by the Personal Data Protection Ordinance (PDPO), which sets out rights for individuals and specific obligations of data users, including compliance with six data protection principles. The PDPO came into force on 20 December 1996 and was amended in 2012 and 2021. It is a law that applies to any person who controls the collection, holding, processing or use of personal data, regardless of whether the data is processed in Hong Kong or not.

Before collecting personal data, a data user must expressly inform the data subject of the purposes for which the information will be used and the classes of persons to whom the data may be transferred. These obligations are fulfilled by providing the data subject with a personal information collection statement (PICS) at or before the time of collection. The PICS must also state that the data will not be used for any purpose other than those specified.

The PDPO requires a data user to fulfil a wide range of other obligations, and to comply with six data protection principles (DPPs). A key requirement is that personal data should not be disclosed without the consent of the individual concerned unless it is in the public interest or permitted under the PDPO. This includes sharing personal data with government agencies, other data users and business associates. It also includes re-using and repurposing personal data, which can often require obtaining further consent.

If a data user wishes to transfer personal data out of Hong Kong, it must first consider whether the DPPs permit such a transfer. A further consideration is whether the data is actually personal data, and if so, what is the purpose for the transfer? The DPPs are not clear on this, and a number of arguments have been put forward to suggest that the PDPO should be changed to clarify that personal data means information relating to an identifiable individual.

If the DPPs are not satisfied, the data exporter should prepare a PICS in respect of the proposed transfer and take steps to identify and adopt supplementary measures to bring the level of protection provided by the foreign jurisdiction up to that required by the PDPO. These might include technical measures such as encryption, pseudonymisation or split processing, and contractual provisions that impose obligations on audit, inspection and reporting, beach notification and compliance support and co-operation. These provisions should be included in the contractual arrangements with the data importer. The data exporter must also keep proper records of all transfers and of all efforts to fulfil the requirements for cross-border data transfers.