Data HK and the PDPO Model Contractual Clauses

Data HK is information that can be linked to an individual – such as their name, telephone number or email address. Such data is a fundamental part of our daily lives and is used by businesses for many purposes, such as marketing and customer service. It’s important that data is kept secure to protect against hackers and fraudsters.

Data protection legislation has become increasingly important to business, especially in light of increased regulation in Hong Kong and internationally. In this article, Padraig Walsh from the Data Privacy practice group at Tanner De Witt discusses some of the key points to consider when transferring personal data across borders.

A key issue when transferring data is compliance with the local data protection laws in the destination country. The main body responsible for enforcing data protection law in Hong Kong is the Personal Data Protection Commissioner (PCPD). In addition to its enforcement role, it has also published two sets of recommended model contractual clauses to aid in complying with the transfer requirements in PDPO section 33.

These models are designed to address transfers between entities located in Hong Kong and those located outside of it. They include the requirement for a data exporter to notify a data subject before the transfer, as well as the requirement for a data exporter to take steps to ensure that the transferred personal data is protected by laws in the destination country equivalent to those of Hong Kong.

Whether or not these models are strictly mandatory is another matter, but they certainly make it easier for a business to demonstrate compliance with the requirements of PDPO section 33. This is particularly important given the territorial scope of the law – it only applies to a person who has operations controlling the collection, holding, processing or use of personal data in or from Hong Kong.

The definition of “personal data” is also relatively narrow compared to other jurisdictions, but that has been the case since the PDPO was first enacted in 1996. Interestingly, changes are mooted to update that definition, which would bring it more in line with other legislative regimes, such as the GDPR.

One of the proposed changes is to expand the scope of what constitutes a ‘personally identifiable natural person’. This would include a number of things, such as their location data, online identifiers and factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity.

This change would impact a large number of businesses. Although it’s unlikely to be introduced this year, it’s worth keeping an eye on developments so that you’re prepared for any future changes that may come into effect. In the meantime, it’s essential that businesses understand their obligations under the existing framework. By doing so, they can reduce the risk of penalties and fines when transferring data across borders. It’s also a great way to protect against any potential reputational damage.