The Hong Kong business community has long advocated for an overhaul of Hong Kong data privacy regulation. Such an update might include moving away from an absolute requirement of transfer consent for all personal data processing towards a tiered approach, which recognizes that certain categories are more sensitive and thus require higher levels of compliance. Other factors must also be taken into account, including the impact on operations and the cost of compliance.
Modernisation of the data framework may also lead to stricter requirements for businesses that use data, including an expanded definition of personal data that encompasses an individual’s online identification information. Such an expansion would increase compliance requirements for those collecting and processing personal data on individuals, and would lead to further enforcement action from the PCPD.
Another significant change is the introduction of mandatory data breach notification, an obligation that places more emphasis on data transparency within organisations. Such notifications emphasize ethical data handling practices while reinforcing accountability within companies. Notifying violations of the PDPO, as well as the individuals affected, will foster an environment of openness while prompting more robust responses when data privacy incidents arise.
Regulating data flows in an ever-evolving global economy, where cross-border data transfer is increasingly easy, presents jurisdictions with an immense challenge. Section 33 of Hong Kong’s Personal Data Protection Ordinance serves as an important mechanism for controlling such flows by prohibiting transfer to any location where the level of protection does not match that provided under the PDPO.
Section 33 requires data users to provide individuals with advance notice of any planned personal data transfers to another jurisdiction (DPP 1(a) and DPP 3). Such notice typically involves providing details about who will receive the transferred data and why. Data users should fulfill these obligations by including data transfer provisions in either a separate agreement or contractual arrangements with third parties.
Owing to resistance from business community members, implementation of section 33 has not happened as soon as intended. Instead, many jurisdictions have decided to wait and see how other jurisdictions address issues of adequacy or equivalent regimes before moving ahead with implementation of section 33 requirements. Companies should remain mindful of these requirements and take the necessary steps to comply. In the meantime, Padraig Walsh of the Tanner De Witt Hong Kong Data Privacy practice group can be reached on +852 2803 4000 or at dpw@tannerdewitt.com.hk for assistance.