Personal Data Protection in Hong Kong

In Hong Kong, personal data is governed by the Personal Data (Privacy) Ordinance (“PDPO”). The PDPO establishes an individual’s rights and provides specific obligations to data controllers through six data protection principles. The PDPO is frequently amended to address new and evolving issues. Recent amendments, for example, focused on the responsibilities and liabilities of data controllers in relation to direct marketing and addressed acts of disclosing personal information without consent, known as “doxxing”.

The PCPD has been putting forward proposals to further strengthen the protection for personal data and enhance compliance measures for businesses that use personal data. In particular, the PCPD is considering requiring data users to formulate a clear data retention policy and specify a specific retention period for the personal data collected. The proposed amendment would also require the implementation of a requirement to inform data subjects clearly of the details of such retention policy and ensure that it will be executed effectively.

Another area of potential change is cross-border transfer of personal data. Several data privacy regimes include a statutory restriction on the transfer of personal data outside their jurisdiction. However, the PDPO does not contain such a restriction and it looks increasingly likely that it will never come into operation. Even so, it is a good idea for companies that intend to export personal data out of Hong Kong to undertake a transfer impact assessment and to include model clauses in contracts dealing with such transfers.

One of the key issues in assessing whether or not a transfer impact assessment is required is to consider the nature and purpose for which the personal data was originally collected. This is because the PDPO requires a data user to expressly inform a data subject on or before collection of his personal data of the purposes for which the personal data will be used and the classes of persons to whom the personal data may be transferred. Transfer to a different class of people or for a different purpose is considered a change in the original purpose and therefore a new PICS will be needed.

A third issue that will need to be considered is the legal basis for transferring the data. The PDPO requires that any transfer of personal data outside of the territory be justified in law by one of a number of permissible grounds, including legitimate interest and consent. This will need to be considered in the context of the laws of the destination country, which could impose additional restrictions on data transfers in addition to those contained in the PDPO.

While the PCPD has moved away from its previous insistence on implementing section 33 as soon as possible, increasing cross-border data flow is still an important consideration and it seems likely that the provisions will be implemented sooner or later. Until then, it is a good idea for data users to keep abreast of any developments and to ensure that their data processing practices are compliant with the PDPO and other applicable local laws.