Data hk is the Hong Kong Special Administrative Region’s information technology and data protection authority. Its role is to promote data integrity and security, and to protect personal information and public interests. Its work includes regulating the cross-border transfer of personal data and promoting good practices. It also works closely with the government to develop policies, guidelines and best practices in the area of data management and privacy.
Data HK was established in 2016 to provide an independent, impartial and robust regulatory regime for the cross-border flow of personal data. The Authority focuses on protecting the interests of individuals and businesses, while maintaining a competitive business environment. Its aim is to be the trusted and preferred regulator of data protection in Hong Kong.
Increased cross-border data flows are the lifeblood of Hong Kong’s economy. Facilitating this free flow of personal data is an irreplaceable attribute of Hong Kong’s success. But resistance to implementation of section 33 grew, as concerns were raised over its potential adverse impact on business operations and the difficulties and costs of complying with the requirement. This led to a shift in the thinking of both the PCPD and the Hong Kong government, from a clear policy objective to the need for business to take a more measured approach to implementing the requirement.
A key issue in deciding whether to export personal data outside Hong Kong is the lawful basis for doing so. The PCPD’s guidance on the issue is helpful and clear: A data user must expressly inform a data subject on or before collecting his personal data of the purposes for which the data will be used, including any transfers. A further principle is that a data user must obtain the voluntary and express consent of the data subject before transferring his personal data to a class of transferees not set out in the PICS or for a purpose not stated in the PICS. This is markedly less onerous in Hong Kong than the requirement to obtain the prescribed consent under GDPR.
Moreover, a PICS must include an assessment of the impact of the transfer on the data subjects. This is a useful step but the assessment will be of limited value if the data transfer is made to a jurisdiction where the laws are not comparable to those of Hong Kong. This is increasingly common as a result of the need for businesses to comply with the laws of different jurisdictions in order to trade and operate in the Greater Bay Area. It is a task that is likely to require significant ongoing cooperation between the different governments. The outcome will depend on how well the various governments can overcome differences in their respective regulatory frameworks. It is likely to take time, and even then it will not be a smooth ride. In the meantime, businesses should continue to take advantage of the unique strengths that Hong Kong has to offer and make use of the opportunities created by the Greater Bay Area.