Data Protection Laws in Data Hk
Data refers to any personal information that can be linked back to an identifiable individual, and many countries have strict regulations on how businesses gather, store and use this data about individuals. Some have national data protection laws while others adhere to international agreements that establish standards for collecting, holding, processing and using personal information. Companies must take care when sending personal data overseas for processing as failing to do so could incur penalties or compensation claims in local jurisdictions.
Hong Kong’s Personal Data (Protection) Ordinance (“PDPO”) defines personal data as any information which could be used to identify an individual. It enumerates six Data Protection Principles, and applies both within Hong Kong and outside its boundaries for transfers of personal data. Before collecting personal information, a data user must inform the individual of both its intended uses and the parties to whom it may be transferred, since transfer is considered one form of use under the PDPO.
The Personal Data and Protection Order (PDPO) authorizes the use of personal information for safeguarding national security or public interest, defense of international relations, prevention of illegal and serious improper conduct and news reporting purposes. Legal proceedings or life-threatening emergencies may also allow personal data use. In addition, this act permits collecting personal data to facilitate business contact and marketing.
Prior to exporting personal information outside their jurisdiction, data exporters must conduct a transfer impact analysis and, should any adverse results emerge from it, either suspend the transfer or take necessary supplementary measures. Supplementary measures could include technical measures such as encryption, pseudonymisation or split processing, and contractual provisions imposing audit, inspection and reporting obligations as well as breach notification, compliance support services and co-operation obligations. Under certain conditions, data exporters may be exempt from taking additional measures if they can demonstrate that there is no reason to suspect that the foreign jurisdiction’s legislation or practice will significantly fail to meet PDPO standards.
Implementation of supplementary measures becomes even more essential if an exporter conducts a transfer impact assessment and finds that personal data collected in another jurisdiction cannot meet PDPO standards. Such supplementary measures could take any form, from technical solutions to contractual arrangements, covering every aspect of data transferred.
Given the rapid transformation of mainland China’s data protection laws, it seems possible that Hong Kong may adopt an equivalent status standard as a means of guaranteeing efficient and secure cross-border transfer of personal data. However, this will depend on factors unique to Hong Kong – specifically increased connectivity between Hong Kong and mainland China under “one country, two systems”. This may prompt change.