Personal Data Protection in Hong Kong

HK is an abbreviation of the common name for Hong Kong, a special administrative region of China. It is a well-known international business center, and the government is promoting the city as an information technology hub. The government has strict regulations on data exports from Hong Kong, including the Personal Information (Privacy) Ordinance and the Guidance on Personal Data Protection in Cross-border Data Transfer. These protect the privacy of the public. The local privacy watchdog has also made it clear that a transfer impact assessment is required before sending data abroad.

A transfer impact assessment is a tool to help data users identify and adopt supplementary measures to bring the level of personal data protection in a foreign jurisdiction up to Hong Kong standards. It is only necessary if the data exporter’s assessment reveals that the foreign jurisdiction’s laws or practices do not comply with PDPO’s requirements. The assessment can cover technical measures, such as encryption or pseudonymisation, and contractual provisions, such as beach notification and compliance support and cooperation.

The statutory requirement to obtain consent from data subjects before disclosing their personal data to a third party outside Hong Kong (DPP 2(1)). The requirement to not keep personal data for longer than is necessary for the purpose of processing it or notifying the data subject about a new use of the data that has not been notified previously (DPP 4(2)).

The requirement to provide notice and to secure or take reasonable steps to ensure that a person in a foreign jurisdiction does not disclose data obtained by them to anyone, without the consent of the data subject, unless that disclosure is required or permitted under PDPO (DPP 6(3)).

This article is adapted from an article written by Padraig Walsh of Tanner De Witt’s Data Privacy practice group. He is a leading expert in cross-border data transfers and the law of the European Union. He has published numerous articles and papers on the subject and has presented at conferences worldwide. He is a member of the Privacy Committee of the Hong Kong Federation of Industries and has advised many multinational corporations on data protection issues. He is a Fellow of the British Computer Society and a Fellow of the Australian Institute of Privacy Practitioners. Padraig is based in Hong Kong and is the Head of the Data Privacy and Security practice in Asia Pacific. He can be contacted via email or phone on +65 6323 1133. He is available to speak at events and give seminars in both English and Mandarin. To view Padraig’s full profile and biography, click here. To arrange a speaking engagement, contact the Data Privacy team at the firm.