Data Transfers in Hong Kong

HK, or hk, is the abbreviation of Hong Kong, a special administrative region of China. It is the world’s leading financial center and one of Asia’s most carrier-dense network hubs. In addition, it is an important hub for global trade and foreign investment.

For this reason, data flows within and across the territory are vital to the economy and the daily lives of its residents. However, increased cross-border data flow can pose compliance challenges. It is crucial for businesses to understand data transfer regulation imposed in order to minimise business risk and promote efficient compliance with data privacy regulations. This article by Padraig Walsh from Tanner De Witt’s Data Privacy practice group explores some of the key points to consider for data transfers under Hong Kong law.

Despite a global trend towards strengthening privacy laws and imposing more stringent enforcement measures, the Hong Kong government has not moved away from its policy objective of enabling the free flow of data. Instead, it has shifted its focus to promoting the benefits of international data flows and encouraging companies to comply with its data protection standards.

The Hong Kong Personal Data Protection Policy (PDPO) is a comprehensive set of rules that establishes data subject rights and regulates the collection, processing, holding, and use of personal information through six data protection principles. Moreover, it also sets out specific obligations for data controllers and prohibits acts such as the disclosure of personal information without consent (doxxing).

One area of the PDPO that was highlighted in the consultation paper was a possible revision to the definition of ‘personal data’. Currently, it is defined as data that relates to an identifiable person who can be identified by reference to other data. The proposed change would make it necessary for the original data user to explicitly inform a data subject on or before the collection of personal data of the purposes for which the data is intended to be used and the classes of persons to whom the personal data may be transferred.

Another issue that was raised in the consultation paper was the question of extra-territorial application of the PDPO. While several data privacy regimes now include some element of extra-territorial application, the PDPO does not. This is based on the fundamental business view that a data user’s operations controlled in, or from Hong Kong, should be covered by the scope of the PDPO.

This position is unlikely to change in the short term, given that a growing number of Hong Kong businesses will need to agree to standard contractual clauses and contribute to a transfer impact assessment in circumstances where they are data importers of personal data of persons located in the European Economic Area (“EEA”) from data exporters in the EEA. But, as demand for data transfer services grows in mainland China and internationally, the need for a strong and trusted regime to enable international data flow may eventually drive reform. We will be watching this space closely.