Personal Data Protection in Hong Kong
The personal data protection regime in Hong Kong does not contain a statutory restriction on the transfer of personal data outside Hong Kong. This is a significant and important difference from the GDPR and most other global data privacy laws. The reason for this has largely to do with the perception by the business community that implementing such a restriction could have an adverse impact on the free flow of capital and commerce, and might undermine the reputation of Hong Kong as a place to do business.
The PCPD is aware of these concerns and has been working to overcome them. In 2014 it issued guidance on cross-border data transfers and recommended model contracts to be used in such arrangements.
A major point in the PCPD’s guidance is that where a personal data user intends to transfer personal data to a non-data exporting jurisdiction, it should be prepared to carry out a transfer impact assessment of that destination country’s laws and practices. This step is not required under the PDPO but, as a matter of best practice and good data ethics, it should be carried out to ensure that the personal data is being transferred for the purpose that was originally contemplated by the PICS (DPP 1).
If the assessment reveals that the laws and practices in the foreign jurisdiction do not meet the standards that the PDPO requires, then the data exporter may be able to fulfil its obligations by adopting supplementary measures. These might include technical measures such as encryption, pseudonymisation or data separation, and/or contractual provisions such as audit, inspection and reporting, beach notification and compliance support and co-operation.
This is a significant and potentially expensive obligation. However, it is not unreasonable to expect that businesses should comply with such obligations where they can.
As the value of datasets increases, it is essential to be able to enrich them with other information – for example, from official sources such as weather or economic data, or from other organizations. These additional data elements can help to understand and evaluate the quality of a dataset, and also make it more useful to share.
This is why it is important that employees, particularly those in roles that deal with the handling of data, understand where it comes from, how it is used internally, and to whom it is being transferred. This knowledge will enable them to take appropriate and effective steps to protect it in a cross-border context. A good way to achieve this is to appoint employees as ‘data stewards’ for particular sets of data. These individuals should be able to explain the quality and integrity of the data, and how it has been maintained and enriched throughout its lifecycle. This is a key way to build employee engagement with data hk and improve overall data governance.
