Data hk is Hong Kong’s new name for PDPO (Data Protection Ordinance). This change aligns with international trends towards more harmonized data privacy regulations and should help businesses comply with their data transfer obligations more easily, yet in practice there is little clarity on the topic. Padraig Walsh of Tanner De Witt’s Hong Kong Privacy practice group highlights some key points to keep in mind when exchanging personal data between entities located within Hong Kong or elsewhere.
First and foremost, it is crucial that one establishes whether a person controls the collection, holding or processing of personal data in or from Hong Kong. If not, then neither the Personal Data Protection Ordinance nor its DPPs apply, nor will issues related to data transfer and the role of the Data Protection Supervisory Authority arise.
Once an individual is determined to be a “data user”, he or she incurs several legal obligations, such as fulfilling the six DPPs that form the core data obligations under Hong Kong privacy law. For transfers, DPP6 stipulates obtaining express and voluntary consent before transmitting personal data outside his or her PICS, or using it contrary to what was stipulated there.
These obligations are founded upon the view that personal data refers to information pertaining to an identifiable natural person, and they are in line with international norms; similar definitions are found elsewhere, such as in mainland China’s Personal Information Protection Law or Europe’s General Data Protection Regulation.
As well as meeting these statutory requirements, additional considerations from the PDPO may also need to be taken into account when planning and/or implementing data transfers. These could include: