What You Need to Know About Data Protection in Hong Kong

Are you starting out in Data HK or exploring it further? Regardless of your data needs or level of industry knowledge, this article can help. With more knowledge of what is available and how best to use its services for your own company, decisions can be made more confidently and the ROI from your investments maximized.

While the PDPO does not contain any legal restrictions on the transfer of personal data outside Hong Kong, it does offer safeguards in relation to cross-border transfers. A data user must obtain the express and voluntary consent of the people from whom it collects personal data before using or transferring such data for purposes outside those defined by PICS or for use beyond what was permitted.

The PDPO requires data users to take reasonable measures to protect the personal information of data subjects against unauthorised or accidental access, processing, erasure or loss, as well as against any unlawful handling (DPP 2(1)). These obligations apply even when personal data has left the data user's possession; the measures aim to give data users control over how the data is managed when it is sent off for processing.

Increasingly, Hong Kong data users must conduct transfer impact analyses in order to comply with the laws of another jurisdiction, most often regarding exports to EEA countries – though in these instances this usually amounts to timing rather than an enforceable obligation.

Over time, the PCPD has moved away from treating implementation of Section 33 as an overarching policy goal, due to concerns from the business community that focusing on this section would negatively impact operations, as well as the difficulties and costs associated with compliance.

It could be that the need for efficient and reliable data transfers between Hong Kong and mainland China will lead to change in this area. With increasing economic integration under the “one country, two systems” principle, legal instruments will likely need to be put in place to facilitate data transfers between the two.

In the interim, it is likely that the PCPD will provide guidance regarding the transfer of personal data abroad, such as recommended model clauses for inclusion in contracts concerning data transfer agreements. This should provide legal certainty to businesses that transfer personal data between Hong Kong and other jurisdictions. In keeping with global data protection law developments and challenges, the PCPD aims to collaborate closely with both government and business in finding solutions.