If you are a business owner in Hong Kong, it’s important to understand how the country’s data protection laws affect your business. You can help protect your business by hiring a data protection officer (DPO). A DPO is an individual who works with businesses to develop methods of compliance with Hong Kong’s strict data regulation laws. Here at Captain Compliance, we specialize in providing outsourced DPO services for businesses across the country.
The Personal Data (Privacy) Ordinance (PDPO) defines personal data as “data relating directly or indirectly to an identified living person from which it is practicable for the person to be identified.” It also specifies that personal data must be collected fairly and lawfully, not be used beyond what is necessary for a particular purpose, and be accurate and up-to-date. It further stipulates that an individual’s name and HKID number must not be displayed together or made available to anyone who is not required to have such information in order to carry out activities related to the purposes for which it was collected.
Unlike many data privacy regimes, the PDPO does not include any provisions conferring extra-territorial jurisdiction. Instead, the territorial scope of the PDPO is determined by reference to whether a data user controls the collection, holding, processing or use of personal data in, or from, Hong Kong.
One of the PDPO’s most contentious provisions is section 33, which provides for a statutory restriction on the transfer of personal data outside Hong Kong. This provision has been the subject of much controversy and debate, especially since its introduction in 2014. However, it seems increasingly unlikely that it will ever come into effect.
There are a few reasons for this, but the most significant is that Hong Kong already has a robust legal framework in place for the transfer of personal data. This includes the statutory obligation to notify an individual when their personal data is transferred, and a requirement that a data exporter must take all reasonable steps to ensure that its data processors in another country comply with the PDPO’s data protection principles (DPPs).
The Privacy Commissioner for Personal Data (PCPD) has also published a set of recommended model clauses for use in contracts relating to cross-border transfers of personal data. These model clauses are designed to address two scenarios:
Firstly, there is the situation where a data exporter is contracting with a data importer in a country that does not have an adequacy arrangement with Hong Kong. In such a case, it may be necessary for the data exporter to agree to the standard contractual clauses proposed by the EEA data exporter.
Secondly, there is the situation where a data importer is contracting with a data exporter who has already agreed to the standard contractual clauses in respect of its transfers to the EEA. In this case, it may be possible for the data importer to rely on the exemption in section 33.
Although there is considerable resistance to implementing section 33, it seems likely that the demand for efficient and reliable means of transferring personal data with mainland China and internationally will eventually drive change.