Privacy Law and Data Transfers in Hong Kong

As one of the world's leading network hubs, Hong Kong has a high concentration of enterprises, networks and IT service providers. This makes it a prime location for companies to interconnect their digital supply chains and to access the data they need to grow their business. Equinix's data centers in the city give customers a direct connection into one of Asia's most carrier-dense and secure network ecosystems.

Modernisation of Hong Kong's privacy laws is mooted, but for now businesses should make sure they understand their obligations under the existing framework, the Personal Data (Privacy) Ordinance (PDPO), especially those around data transfers. The key requirement is that personal data may be used, and a transfer to a third party inside or outside Hong Kong counts as a use, only for the purpose for which it was collected or a directly related purpose, unless the data subject has given prescribed consent. The definition of "personal data" has not changed since the PDPO was first enacted, and it remains broadly consistent with international norms, such as those expressed in the Personal Information Protection Law (PIPL) of mainland China or the General Data Protection Regulation (GDPR) that applies in the European Union.

The PDPO sets out the six data protection principles (DPPs) that form the basis of privacy law in Hong Kong. The obligations under the DPPs fall on the "data user": a person who, alone or jointly with others, controls the collection, holding, processing or use of personal data. Control, not the origin of the data, is what matters. Someone who obtains personal data from another source and then decides how it is used is a data user in his own right and must comply with the PDPO in respect of that use.

Because the definition turns on control, a data user must be able to account for the data he holds. He must ensure that the data is used only for the purpose for which it was collected (or a directly related purpose), and that the necessary technical and contractual measures are in place to protect it, including where a data processor is engaged on his behalf (DPP 2 and DPP 4). If a new purpose arises that the original collection did not cover, he must either refrain from that use or obtain the express and voluntary consent of the data subject before proceeding (DPP 3).

It is also a requirement that a data user expressly inform a data subject, on or before collecting his personal data, of the purposes for which the data will be used and of the classes of persons to whom it may be transferred (DPP 1). The obligations do not end at the point of collection, however. Because a transfer is a form of use, a data user must also comply with DPP 3 when transferring the data subject's personal data overseas: the transfer must fall within the purposes notified at collection, or within a directly related purpose, or be covered by the data subject's consent.

In response to the 2010 Octopus scandal, in which customer data from the Octopus card scheme was passed to third parties for marketing, the Hong Kong Monetary Authority (HKMA) recommended that financial institutions revamp their privacy policies and suspend all transfers of customer data to unconnected third parties for marketing purposes until they had obtained legal advice on the issue. This followed a recommendation by the Privacy Commissioner that all financial institutions review their transfers of data to unconnected third parties for direct marketing.

The PDPO contains no statutory restriction on cross-border data transfers from Hong Kong that is currently in force: section 33, which would impose one, has never been brought into operation. Instead, the Privacy Commissioner has published a set of recommended model contractual clauses (RMCs). They are intended to cover two scenarios: a transfer from a Hong Kong entity to another entity outside Hong Kong, and a transfer between two entities both outside Hong Kong where the transfer is controlled by a Hong Kong data user. Two sets of clauses are provided, one for transfers from a data user to another data user and one for transfers from a data user to its data processor. The clauses are voluntary, but they are designed to help a data user meet its obligations under the DPPs, in particular DPP 2, DPP 3 and DPP 4, by ensuring that data exported from Hong Kong is protected to a standard equivalent to that laid down in the PDPO.