Personal Data Protection Laws in Hong Kong
If you are planning to transfer personal data abroad, it is important to understand your obligations under Hong Kong law. While Hong Kong law does not directly prohibit the free flow of data across borders, there is a framework designed to regulate such transfers. In addition, increased cross-border data flow is often seen as an essential attribute of Hong Kong’s economic success.
The Hong Kong data protection laws are designed to protect the privacy of individuals. The laws set out a number of principles and regulations that businesses must follow to ensure that personal information is collected fairly and used only for legitimate purposes. The most important principle is that personal data should not be processed in a manner that adversely affects the rights and freedoms of individuals. A breach of the principles could result in a fine or even imprisonment.
In addition to the principles, there is a series of specific provisions in the PDPO that deal with the use of personal data. For example, a person’s name and HKID number constitute personal data under the PDPO and must be kept secure at all times. It is also prohibited to make public a combination of these data for purposes unrelated to the purpose for which it was collected. For instance, the personal information of a staff member displayed on his or her company ID card may include the name, HKID number, address, photograph and contact details. The PDPO stipulates that this information may not be made available to persons outside the business.
The PDPO also requires that the use of personal data is authorised by law. This includes the use of personal data for purposes such as fraud prevention, prevention or detection of offences and unlawful conduct, or for establishing, exercising or defending legal rights in court. It also covers the disclosure of personal data in the event of an emergency, such as a fire or a terrorist attack.
When transferring personal data abroad, it is advisable to comply with the PDPO’s requirements for conducting a transfer impact assessment. This is a process that involves analysing the level of data protection in the destination jurisdiction and considering whether it is sufficient to protect the personal data. It is not mandatory under Hong Kong law, but there are a growing number of circumstances in which it will be necessary for a business to carry out such an assessment.
The assessment identifies any supplementary measures that need to be implemented to bring the level of protection in the foreign jurisdiction up to that provided for under Hong Kong law. These can be technical measures such as encryption or anonymisation, or contractual arrangements such as audit and inspection, breach notification, and compliance support and co-operation. The supplementary measures can be included either as separate agreements or in the main commercial arrangement. In any case, they should be clearly documented. This will provide the business with a record of its efforts to fulfil its legal obligations and demonstrate to the regulatory authorities that it has taken due care in the handling of personal data.