Whether a company transfers personal data outside of Hong Kong or from another jurisdiction into Hong Kong, it is important to understand the relevant legal framework and compliance obligations. In this article, Padraig Walsh from the Tanner De Witt Data Privacy practice group guides you through the key points to consider when dealing with such data transfers.
First, it is important to understand the definition of personal data in Hong Kong. As in many jurisdictions, the definition of personal data in Hong Kong encompasses identifiers that can be used to identify or locate a person. This includes the person’s name, identification number, location data or factors specific to the physical, physiological, genetic, mental, economic or cultural identity of a natural person. Consequently, the transfer of any such information (as opposed to mere data) is likely to require consent from the subject.
In addition, the Personal Data (Privacy) Ordinance (PDPO) requires a data user to expressly inform a person, on or before collecting his or her personal data, of the purposes for which the personal data will be used and the classes of persons to whom the personal data may be transferred. This requirement is based on the concept that data use and transfer are a form of processing. Accordingly, any transfer of personal data must be carried out in accordance with the six data protection principles (DPPs) that comprise core data obligations under Hong Kong law.
Moreover, the PDPO requires a data controller to implement security measures to protect personal data against unauthorised access, disclosure, modification, or destruction. These measures should be reviewed regularly to ensure that they are up to date and meet the requirements of the PDPO. For example, a data controller should implement appropriate technical and organisational measures to ensure that staff members are not misusing data or sharing it with inappropriate people. The data controller should also make sure that its contractors and agents comply with the PDPO.
Finally, the PDPO contains provisions for investigating and prosecuting breaches of its provisions. For example, the PDPO prohibits the direct marketing of personal data without the individual’s consent. Historically, investigations and prosecutions in relation to such practices have been one of the most significant areas of enforcement by the Privacy Commissioner for Personal Data (PCPD).
As more and more companies become involved in the processing of personal data, the PDPO will be an increasingly important legal framework to ensure that these processes are compliant with Hong Kong law. With the increasing focus on the protection of individuals’ privacy rights, it is foreseeable that the PDPO will be updated to incorporate more stringent compliance measures. As such, it is critical that businesses remain aware of their obligations under the PDPO in order to minimise their risk and maximise their competitive advantages. In the meantime, it is worth remembering that the current PDPO already provides a good level of protection for personal data.