The Personal Data (Privacy) Ordinance and Transfer Impact Assessments

Data hk is Hong Kong’s privacy regulatory authority. It was set up to promote compliance with Hong Kong’s data protection law, the Personal Data (Privacy) Ordinance (“PDPO”), and to provide guidance to business.

Although section 33 of the PDPO contains a restriction on the transfer of personal data outside Hong Kong, that section has never been brought into operation, so there is currently no statutory restriction in force on cross-border transfers. Nevertheless, Hong Kong businesses are increasingly being required to participate in transfer impact assessments because of the laws and practices of other jurisdictions, most frequently those in the European Economic Area (“EEA”), where the exporter must assess whether the destination country’s laws undermine the protection promised in the transfer contract.

A person who controls the collection, holding, processing or use of personal data within, or from, Hong Kong is a “data user” and is subject to the PDPO. If that person also signs the standard contractual clauses proposed by an EEA data exporter, it becomes a data importer under those clauses and will be required to assist the exporter in documenting the transfer impact assessment, including by providing information about Hong Kong laws and practices that could affect compliance. The assessment will be more demanding where the data transferred include sensitive categories such as health data. Separately, the GDPR may apply directly to the Hong Kong business, regardless of any contract, where it offers goods or services to data subjects within the EEA or monitors their behaviour (for example, by tracking people on the internet).

The data hk website publishes guidance on cross-border transfers of personal data. It provides recommended model contractual clauses that can be included in contracts involving transfers of personal data out of Hong Kong, together with guidance on the process for undertaking a transfer impact assessment and the steps to be taken in the event of an adverse result. Because section 33 is not in operation, this guidance reflects recommended practice rather than a statutory obligation under the PDPO; the obligation to carry out an assessment, where one exists, arises under the law of the exporting jurisdiction.

As data flows between the EEA and Hong Kong continue to grow, so too will the need for a comprehensive, predictable approach to transfer impact assessments, so that personal data can move efficiently and reliably between Hong Kong and the EEA and other jurisdictions that restrict onward transfers. Unless Hong Kong takes the lead on this issue, it risks losing its position as an international hub for the movement of personal data.

The Hong Kong definition of “personal data” has not been updated since the PDPO was enacted in 1996, although it remains broadly in line with the international norms now prevalent, including the definitions in mainland China’s Personal Information Protection Law and in the General Data Protection Regulation that applies in the EEA. Under the PDPO, “personal data” means data relating directly or indirectly to a living individual, from which it is practicable for the identity of the individual to be directly or indirectly ascertained, and which is in a form in which access to or processing of the data is practicable. The wording is arguably broader than it needs to be and, in any event, is not so clear as to put beyond argument whether it can capture information that does not relate directly to any particular person, such as the number of people attending a concert. Separately, Data Protection Principle 1 in Schedule 1 to the PDPO requires a data user to inform a data subject, on or before collecting personal data, of the purposes for which the data will be used and the classes of persons to whom it may be transferred. The PDPO does not require this to be done in writing, but good practice is to do so, typically by way of a personal information collection statement.