Assuming your business utilizes data-related technologies to learn about an individual’s behaviors or process information that could have an effect on them, under Hong Kong’s Personal Data (Privacy) Ordinance (“PDPO”) it would likely be considered as a data user and subject to various statutory obligations that include adhering to six core data protection principles forming part of Hong Kong privacy law as an obligation of the PDPO.

DPP3 requires data users to inform a data subject prior to collecting their personal information of its purposes and transfers (such as to law enforcement agencies and regulators) as part of DPP3. Specifically, data users must expressly inform individuals of these details on or prior to collection of personal data from them. Furthermore, disclosure may occur ( such as for law enforcement reasons or regulator inquiries).

As opposed to many other data privacy regimes, the PDPO does not contain statutory restrictions on the transfer of personal data outside Hong Kong. A data user who must comply with DPP3 must identify and adopt any additional measures necessary to bring protection levels up to Hong Kong standards in overseas jurisdictions; such measures might include encryption, pseudonymisation or split processing technologies as well as contractual provisions which impose obligations on audit, inspection and reporting, beach notification as well as compliance support and co-operation obligations.

As part of its proposed revisions, the PDPO may expand the definition of personal data to cover any information concerning an identified or identifiable individual, not simply data about them. Such an amendment, yet to take place, could have profound ramifications for businesses that collect and use this type of data.

This could lead to an expansion of PDPO exemptions that apply in cases when consent cannot be easily obtained, such as CCTV recordings, car park logs or meetings that don’t identify individuals directly.

As the regulatory landscape continues to shift, businesses that handle data must stay abreast of key developments. At Tanner De Witt’s data hk team we will keep you up-to-date and help manage any associated legal risks related to handling data.