Data hk is the website of the Hong Kong Privacy Commissioner for Personal Data (“PCPD”). It has been designed to be a helpful resource for businesses and citizens alike. It contains the PCPD’s Recommended Model Clauses (which are intended to provide a mechanism for complying with the transfer requirements of the PDPO) and extensive guidance on how these should be fulfilled. The guidance contemplates that these should be incorporated into contracts between the data users and can take the form of separate documents, schedules to existing commercial agreements or contractual provisions within those arrangements.
The PCPD’s guidance also includes a discussion of the meaning of “personal data”. The definition is similar to that used in other legislative regimes, including the GDPR. However, the PCPD suggests that it may be appropriate to consider updating the definition in light of recent developments such as a move towards a more comprehensive notion of identity, which is captured by the term in the GDPR. Such a change would mean that more information could be classed as personal data, and that a higher level of compliance might be required for those processing such data.
Another topic discussed is the territorial reach of the PDPO. The PCPD’s current position is that the PDPO applies only to those persons who have operations controlling collection, holding, processing or use of personal data in Hong Kong. This is because the PCPD cannot serve enforcement notices on foreign entities that are not controlled in Hong Kong, and it will be difficult to enforce a breach of the PDPO in those cases. Consequently, the PDPO does not contain express provisions conferring extra-territorial application.
If a Hong Kong data exporter does decide that the PDPO’s transfer requirements do not apply to a foreign jurisdiction, it will have to carry out a transfer impact assessment for that data export. The purpose of a transfer impact assessment is to ensure that the importing jurisdiction’s laws and practices adequately reflect each of the four essential guarantees set out in the PDPO. This is a common requirement in the case of data exports from the European Economic Area (“EEA”) to Hong Kong.
A further important issue raised is the need for a data exporter to identify and adopt any supplementary measures that are necessary to bring the level of protection offered by a foreign jurisdiction up to the standards set by the PDPO. These might include technical measures such as encryption, anonymisation or pseudonymisation, or contractual measures incorporating obligations on audit, inspection and reporting, breach notification, and compliance support and co-operation. This is particularly relevant in the context of mainland China, which is a different legal jurisdiction to Hong Kong under the "one country, two systems" principle. There is a significant volume of data flow between the two. It is likely that this will continue to increase as the economy of mainland China becomes more integrated with the rest of the world. In this respect, the need for effective and reliable data transfer mechanisms will be even more acute.