Hong Kong is a data protection leader and was at the forefront of modern privacy law when it first passed its Personal Data (Privacy) Ordinance (PDPO) in 1995. Section 33 of the PDPO prohibited transfer of personal data outside Hong Kong unless certain conditions were met, including a requirement that the foreign jurisdiction had legislation and practices that provide an adequate level of protection of personal data. Increased cross-border data flow was seen as the lifeblood of our economy, and facilitating that free flow of information was viewed as an irreplaceable attribute of our success. However, resistance to implementing section 33 led the Government to drop it from the agenda of legislative reforms and focus on other areas of regulatory change.
The PDPO established a broad range of rights and obligations for data users, including compliance with six core data protection principles. It also requires the prior express consent of a data subject for any change in how that person’s personal data is used (DPP 1). Transfer of personal data outside Hong Kong can only take place for the purposes of which the data user has notified the data subject on or before the original collection of their personal data.
Data hk is the official website of Hong Kong’s Data Protection Commissioner. It provides guidance on data protection and explains how the PDPO applies to Hong Kong citizens and businesses. There are numerous useful tools, resources and videos on the site. In particular, the PCPD’s guide to cross-border data transfers is an excellent starting point for understanding how Hong Kong laws apply to international transfers of personal data.
In addition, the PCPD has released a number of model contractual clauses to help data exporters comply with their obligations under the PDPO and the GDPR. The new clauses are designed to allow a business that agrees to them to satisfy its obligations under the GDPR without having to carry out a full transfer impact assessment. This is particularly useful for small to medium-sized enterprises, where a full assessment can be time-consuming and resource-intensive.
There are a growing number of circumstances in which Hong Kong businesses will need to agree to the new standard contractual clauses and contribute to a transfer impact assessment in relation to their dealings with EEA data exporters. These arrangements typically arise where the business is a data importer of personal data of EEA persons from data exporters in the EEA, or the business is the data controller that receives personal data of EEA persons under a contract with an EEA data exporter.
As the world of technology evolves, and as businesses become more interconnected, the need for robust data protection laws will only grow. Whether a firm is based in Hong Kong or anywhere else, it must stay alert to the requirements of the local and international laws that govern how it manages and protects personal data. It is never too late for a firm to ensure that it is complying with its responsibilities and following best practice.