Hong Kong is one of the leading global centres for business, trade and investment. Businesses often transfer personal data between locations. To remain compliant with applicable laws, businesses need to understand what legal requirements apply when doing so. Padraig Walsh of Tanner De Witt’s Data Privacy practice group discusses important points when moving personal data from Hong Kong or to Hong Kong from other locations.
Start by understanding how the PDPO defines personal data. This term covers any piece of information identifying an individual, such as their name, identification number or address, similar to other laws like GDPR. Note that, in addition to disclosure and transfer, the PDPO also encompasses disclosure as part of this definition of personal data.
The PDPO requires data users to take contractual or other measures to protect personal data transferred from them and stored outside Hong Kong unless expressly agreed with the recipient (DPP 2(3)). This requirement mirrors GDPR regulations and similar legislation.
When importing personal data from another jurisdiction, Hong Kong data importers are typically required to conduct a transfer impact assessment (DPP 8). The purpose of this assessment is to examine the level of protection for both data subjects and personal data in their new home jurisdiction.
PDPO-compliant transfers of personal data require importers to implement appropriate safeguards (DPP 10). This typically involves contractual provisions to ensure that recipients agree not to process data in ways which would breach its protections; written notice must also be given to data subjects prior to any proposed processing, and their consent obtained where needed.
The PDPO provides an incomplete list of exemptions to use limitations and access requirements, such as activities undertaken to protect public safety or national security; assessment and collection of tax or duty; prevention or detection of unlawful or serious improper conduct; news activities; due diligence exercises; and life-threatening emergency situations.
The PCPD has made it clear that increased cross-border data flow is beneficial to Hong Kong’s economy and that section 33 should be implemented, although it seems increasingly unlikely this will happen. Businesses must ensure their governance of personal data complies with applicable obligations, best practices and ethical standards, thereby minimising any risk from potential enforcement action by the PCPD and protecting themselves against reputational damage associated with breaching data transfer laws.