If you are a data user (as defined in the Personal Data Protection Ordinance (“PDPO”)) then your business is subject to a wide range of statutory obligations and must comply with six data protection principles. These include an obligation to fulfil a range of data subject rights, a duty not to use personal information for direct marketing and a requirement to disclose to data subjects how their personal data will be used. The PDPO also sets out a series of statutory penalties including fines of up to HK$500,000 and imprisonment for up to three years.
One of the key issues in respect of personal data transfer is that a data user cannot transfer personal data out of Hong Kong without the express consent of the data subject. This is a key principle of the PDPO and reflects international norms.
This requirement can be a significant hurdle when transferring personal data between entities within a group of businesses or to third parties, for example in connection with a business sale or corporate merger. However, it is possible to manage this risk by using contractual measures such as data processing agreements or binding corporate rules.
The first thing to consider is whether the PDPO is even applicable. As is the case with many other data privacy regimes, a person is only subject to the PDPO if he has operations that control the collection, holding, processing or use of personal data in or from Hong Kong. This definition is a little narrower than the definition in some other jurisdictions but is broadly consistent with international norms.
A further consideration is the scope of the PDPO’s application. If the PDPO does not apply then there is no need to consider any ancillary laws such as those relating to the transfer of personal data. Finally, there must be a clear understanding of what constitutes “personal data”. In Hong Kong, this is defined as information relating to an identified or identifiable individual. In some other jurisdictions, this is a much broader category and includes a wide range of information such as genetic, financial or health data.
If the PDPO does apply then the next step is to consider the obligations and liabilities of the data user in respect of the transfer. In particular, a data user must expressly inform a data subject on or before the collection of his personal data of the purposes for which the data will be collected and the classes of persons to whom it may be transferred. In addition, a data user must ensure that his data processors implement technical and contractual measures that are capable of bringing the level of protection in the destination country up to the standards in Hong Kong.