Data Hong Kong is a key component of today’s digital economy. Businesses today cannot produce products or services without using data, and as a result data is an essential source of capital compared to past approaches where information was simply used as an enabler of delivery of services and goods. Business managers must understand how best to utilize this resource and handle related challenges effectively.
Hong Kong’s Personal Data Protection Ordinance (PDPO) establishes data subject rights while also placing various statutory obligations on data controllers, including compliance with six core privacy principles. The PDPO applies to anyone controlling the collection, holding, processing or use of personal data whether this happens inside Hong Kong or elsewhere; its definition covers data users with offices or operations outside of Hong Kong.
But it should be remembered that the PDPO does not explicitly grant extraterritorial application; its territorial scope is defined by the concept of a data user, so data transfer to Hong Kong would not trigger its jurisdictional application if processing occurs entirely outside Hong Kong.
Remember, however, that the PDPO does not apply to data transfers that do not involve personal data. “Personal Data” in the PDPO includes not just identifiable information about an individual but also details regarding their beliefs or interests such as political opinions, sexual orientation or religion.
Data users must also adhere to certain restrictions when collecting and processing personal information, which includes collecting personal data without legitimate cause related directly to their function or activity. Further, personal information should not be disclosed without first seeking the data subject’s consent unless required for compliance with legal obligations or statutory mandates.
Hong Kong places significant restrictions on both processing and cross-border data transfer to or from Hong Kong, and Padraig Walsh from Tanner De Witt’s Data Privacy practice group will explore these limitations as well as provide practical tips for managing data transfers. This article should be read by professionals involved with personal data in global markets; download it here.