Protecting Personal Data in Hong Kong

Data has become a critical element of the digital economy. A car manufacturer cannot produce autonomous cars without the proper software, and a search engine cannot provide useful results without the appropriate data. This new role for data has implications for business models and competitive strategies. It also makes strong privacy practices more important than ever.

The first thing to consider is whether the data in question meets the definition of personal information under the PDPO. This includes information that relates to an identifiable natural person, such as name; identification number; location data; online identifier; or factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of the individual. The definition of personal information has not been updated since the PDPO was enacted in 1996, but it is consistent with other legislation that defines this term, including the Personal Data Protection Law that applies in mainland China and the General Data Protection Regulation that applies to the European Union.

Next, consider whether the PDPO applies to the processing of the data in question. The definition of “processing” in the PDPO covers not only collecting and using personal information, but also transferring it to a third party. A person transferring data to another jurisdiction must have the ability to comply with the six DPPs that form core data obligations in Hong Kong. This means that the person must expressly inform a data subject, on or before collection, of the purposes for which the data will be used and the classes of persons to whom the data may be transferred.

If the PDPO does not apply, then there is no obligation to notify the PICs or obtain their consent and the issues related to the transfer of data do not arise. However, it is still worth remembering that the obligation to obtain PICs and comply with other PDPO obligations applies to data users who outsource part of their processing activities. This could include a company that outsources its customer support to an overseas subsidiary, or a service provider who processes data on behalf of a Hong Kong company.

The NDRC has urged the government to make it clear that this memorandum will not affect the free flow of data between the mainland and Hong Kong. The two sides must balance the need for cross-border exchanges of data with the importance of protecting the security and integrity of personal information. In addition, it is necessary to ensure that the PDPO’s extraterritorial application does not undermine a key principle of the PDPO, which is to encourage the global transfer of personal data and to maintain a high level of compliance with data protection laws worldwide. This is an issue that will require further discussion in the coming months.