If you’re a business owner, you may be familiar with the statutory data protection regime in Hong Kong. The Personal Data (Protection) Ordinance (“PDPO”) establishes data subject rights and imposes specific obligations on data controllers through six core data protection principles. It has been amended a number of times since its inception in 1996, most recently in 2012 and 2021.
The PDPO defines personal data as information relating to an identified or identifiable person. It is also the definition used in other data privacy regimes, including mainland China’s Personal Information Protection Law and the European Union’s General Data Protection Regulation. The definition is a good starting point for discussions about what is personal data in the context of a Hong Kong business.
Whether or not something is personal data will depend on the intention of the person who acquires the information and on the purpose for which it is collected. Consequently, the definition of personal data has a significant impact on decisions about how to use personal information and to transfer it to third parties.
The PDPO requires data users to expressly inform the data subject, on or before collecting his personal data, of the purposes for which the information will be used and the classes of persons to whom it may be transferred. This requirement is a key element of the core data obligations under the PDPO, and it is particularly important in relation to data transfers. Transfers of personal data are a form of use, and so the original data user must obtain the voluntary and express consent of the data subject before transferring his personal information to a class of persons not specified in the Personal Information Collection Statement (“PICS”) or using it for a purpose other than that stated in the PICS.
A common challenge faced by businesses is the need to balance legitimate uses of personal information with the sensitivity and protection needs of the individual. This issue is heightened when a business needs to disclose personal data to a third party. To address this challenge, the PDPO provides for data sharing guidelines to be developed by the Personal Data Protection Commission. The guidelines are expected to be published later this year.
Finally, it is worth noting that there is a growing number of circumstances in which a Hong Kong data importer will need to carry out a transfer impact assessment in relation to personal data that has been exported from the EEA to Hong Kong. These assessments will typically involve reviewing the original data exporter’s Personal Information Collection Statement (PICS) to check that it has adequately disclosed the possibility of transfer to a destination jurisdiction and that any proposed transfer will be for a lawful purpose. In some cases, the transfer impact assessment will also consider whether or not a standard contractual clause approved by the EU can be agreed upon by the data exporter and the data importer. The assessment will also look at the practices and laws of the destination jurisdiction.