The freedom to move data across borders has become essential for the world’s economies. However, increased cross-border data flow also brings with it some concerns about the security of personal information. Against this backdrop, the Hong Kong government has explored how to address these issues and has set out a plan for data in Hong Kong.
The first thing to note is that Hong Kong’s data protection regime does not contain any statutory restriction on the transfer of personal data outside Hong Kong. It is possible, however, that the provisions of section 33 may be re-considered as part of a wider modernisation of Hong Kong’s data privacy laws.
A key consideration is the definition of “data user”. In this context, a data user is any person who controls the collection, holding, processing or use of personal data. This includes any person who processes such data on behalf of another. So, a company that buys data from a third party to offer its services to customers is likely to be a data user and will therefore be subject to the Hong Kong data protection law.
There are various obligations on data users which arise from the data protection law. These include the obligation to comply with the six Data Protection Principles (DPPs) and to carry out an impact assessment before transferring personal data abroad. In addition, the data user must inform the data subject of the purpose of the data collection and the classes of persons to whom the personal data will be transferred before the collection takes place. In practice, this is usually fulfilled by issuing a Personal Information Collection Statement (PICS) to each data subject before the data is collected.
Another of the data protection law’s requirements is to disclose any requests for disclosure of personal data that a government body or regulator in Hong Kong makes to the data user. It is likely that companies will be required to do this in the future, particularly if they operate in sectors such as finance and technology.
It is also important to remember that the PDPO allows for certain exemptions from the requirement to limit use of personal data and to provide access to it. These include for the purpose of safeguarding Hong Kong’s security, defence and international relations; prevention of unlawful or seriously improper conduct; news activities; and assessments or collection of taxes or duties.
A further exemption from the requirements to restrict the use of personal data and to provide access to it applies where this is needed to protect life or limb. This is a necessary and proportionate limitation in the interests of protecting public health, public safety and national security.
In addition, the data exporter must carry out an impact assessment before transferring any personal data abroad and adopt suitable supplementary measures to bring the level of protection in the destination jurisdiction up to the standards set by the PDPO and its DPPs. This can be accomplished by using technical measures such as encryption, anonymisation or pseudonymisation and contractual measures such as additional contractual clauses requiring a higher standard of protection.