Data Privacy Law in Hong Kong

While the future direction of data privacy law in Hong Kong remains uncertain, businesses should understand existing obligations with respect to personal data transfers in order to reduce compliance risks and promote efficient compliance. Padraig Walsh, Partner in the Tanner De Witt data protection team, looks at some key points to note for businesses dealing with data transfers, whether they are being made within Hong Kong or into the jurisdiction from elsewhere.

The first point to consider is whether a particular activity involves the processing of personal data. If it does, then it triggers an obligation to comply with a range of data privacy laws, including the six Data Protection Principles (“DPP”) under the PDPO.

This includes complying with requirements relating to disclosure, the purpose for which the personal data is collected and the right to request access or correction of the personal data. The requirement to obtain the prescribed consent of a data subject for change of use of their personal data is also one of the key elements in relation to a transfer of personal data outside Hong Kong (DPP 2(f)).

Having determined that a transfer of personal data is being made, the next step is to carry out a transfer impact assessment. While this is not mandatory under Hong Kong law, it is becoming increasingly common for a data exporter to carry out an assessment when the laws of a foreign jurisdiction do not offer a comparable level of protection to that provided by the PDPO. A transfer impact assessment is designed to identify supplementary measures that can be taken to bring the levels of protection up to that required by the PDPO. These can include technical measures such as encryption, anonymisation or pseudonymisation, and contractual provisions that impose obligations on audit, inspection and reporting, breach notification, and compliance support and co-operation.

In addition to a transfer impact assessment, the data exporter should review its personal information collection statement to ensure that it has clearly informed data subjects of the classes of persons to whom their personal data will be transferred and the underlying grounds. This is a key element in ensuring that the data exporter can satisfy its obligation under section 33.

As data flows continue to grow across borders and businesses operate in an increasingly global economy, regulation imposed on data transfer is likely to remain important in both Hong Kong and other jurisdictions. This article has highlighted some of the key issues to consider and identifies areas where further work may be needed in order to improve consistency in regulatory approaches. The next issue in this series will examine the use of automated decision making and artificial intelligence in data transfers. We will explore the challenges and opportunities that this raises. Further articles will be published in due course on our blog and in the form of our Data Protection Weekly newsletter. Tanner De Witt 2019. All rights reserved.