As a business that transfers data between Hong Kong and other locations worldwide, it is crucial that you understand how regulation regarding personal data transfer applies in Hong Kong. Padraig Walsh of Tanner De Witt’s Data Privacy practice group highlights some key points regarding international transfers of personal data from Hong Kong.
The Hong Kong Data Protection Act (PDPO) establishes data subject rights and specific obligations for data controllers through six data protection principles. Furthermore, the Act regulates the collection, processing, holding and use of personal data, backed by an enforceable set of penalties. It has been amended numerous times since its initial enactment in 1996, most notably in 2012 and 2021.
Section 33 of the PDPO provides for cross-border data transfers and requires data users to conduct a transfer impact assessment before exporting personal data out of the territory. This provision was introduced in response to worldwide concerns over the protection of personal data.
Transfer impact assessments cover a broad range of issues. They require data exporters to identify various aspects of the transfer, such as its purpose, legal basis and intended uses, and to consider whether any supplementary measures such as encryption or pseudonymisation should be implemented. The assessment should also address contractual arrangements imposing audit, inspection and reporting obligations, breach notification obligations, and compliance support and cooperation obligations.
Key to understanding personal data is its definition under the PDPO: any information relating to a living individual from which that individual can be identified. Certain categories are, however, excluded when conducting assessments, such as photographs of crowds at events, CCTV recordings and records of car park entry and exit that do not identify specific individuals.
Additionally, several measures must be taken to safeguard personal data being transferred abroad. These include protecting it from unauthorised access, processing, erasure, loss or disclosure (DPP 6), and taking all practicable steps to ensure that the level of protection in the foreign jurisdiction matches that found in Hong Kong (DPP 7). A common example is the data stored on staff cards, which typically includes name, photo and HKID number; these provisions cover such data as well.
If a transfer impact assessment yields negative findings, the data exporter must either cease the transfer or implement additional measures. Such measures might include agreeing standard contractual clauses proposed by an EEA data exporter, and/or seeking an adequacy decision or an equivalent regime from the data importer.