The Data Protection Law in Hong Kong

Hong Kong is a major international financial and logistics hub, and home to regional offices and headquarters of many global corporations. As such, it generates demand for secure data centre facilities and services. Hong Kong also has a well-established legal framework for data protection, including the Personal Data (Privacy) Ordinance (“PDPO”). The PDPO establishes data subject rights and imposes specific obligations on data controllers through six data protection principles, and provides a robust regulatory environment for cross-border data transfers.

Section 33 of the PDPO prohibits the transfer of personal data outside Hong Kong unless certain conditions are fulfilled. It was first enacted in 1996, which puts it at the forefront of modern privacy laws, and is broadly consistent with the definition of “personal data” under other data protection regimes such as China’s Personal Information Protection Law and Europe’s General Data Protection Regulation.

However, it is important to note that the statutory restriction in Section 33 is only applicable where a person controls the collection, holding, processing or use of personal data in, or from, Hong Kong. This is a far narrower pool than the definition of “personal data” in other jurisdictions, and as such, it looks increasingly unlikely that the statutory restriction will ever come into operation in Hong Kong.

Nevertheless, it is still true that there are substantial and onerous obligations to be met when transferring personal data abroad from Hong Kong. It is also a requirement under the PDPO that the consent of the data subjects be obtained. Often, this is achieved by having the data users provide their personal information collection statement (“PICS”) to the data subjects, which must include the purpose for collecting the personal data and the classes of persons to whom the personal data may be transferred.

It is common for a data user to conduct a transfer impact assessment before transferring personal data abroad. This involves evaluating the level of protection provided in the destination country against the requirements of the PDPO and its DPPs. It is also a good practice to have a contract with the data exporter that includes the model clauses recommended by the PCPD and its extensive guidance on their implementation.

The PCPD’s recommendations on contractual clauses provide flexibility to allow medium-sized enterprises to fulfil their obligations with a lower burden than under GDPR, while providing robust substantive protection. Moreover, the PCPD’s guidance is designed to be used with the appropriate drafting context of the relevant transfer agreement.

The PDPO is a robust regime that regulates the transfer of personal data and provides remedies to address breaches. While it does not contain a statutory restriction on the transfer of personal data overseas, businesses must be aware of the obligations that exist and ensure that they are meeting best practice and ethical standards in their governance of personal data. Otherwise, they could face fines or even prosecution. It is therefore crucial to review your data processes and consider how you manage personal data when establishing business operations in the region.