Hong Kong Special Administrative Region (“SAR”) enjoys a high level of data protection through the Personal Data (Privacy) Ordinance (“PDPO”), which provides personal data protection rights to individuals as well as specific obligations on data users. Furthermore, this law prohibits “doxxing”, the unintended release of personal information without consent (known as “doxxing”). PDPO was first implemented in 1996 and significantly amended both 2012 and 2021.
The Personal Data Protection Ordinance (PDPO) defines personal data as any information that can be used to directly or indirectly identify an individual, such as their name; identification number; location data; factors specific to physical, physiological, genetic, mental economic cultural or social identities of an individual and more. Furthermore, companies must only collect personal data for lawful purposes that do not exceed what was necessary – any excessive collection can result in criminal sanctions of up to HK$500,000 per violation and three year imprisonment of users who engage in direct marketing without prior consent being punished with fines up to this amount as well.
Hong Kong serves as an international gateway into China and Southeast Asia, making it an essential digital infrastructure base for companies seeking growth in these regions. At Equinix campus there is the leading regional internet exchange, as well as one of Asia’s most carrier-dense network hubs offering customers direct connections with international cloud providers as well as local networks in their digital supply chains.
Padraig Walsh from Tanner De Witt’s Data Privacy Practice Group takes us through some of the key regulations on personal data transfers between entities both within Hong Kong and beyond the SAR, such as GDPR revision. He explores whether revision of personal data definition may improve compliance measures for businesses using data-related technologies.