Data hk is an online resource dedicated to informing business communities of recent changes to data privacy laws and providing guidance on how businesses can comply with them while outlining any risks involved with failing to do so.
The Hong Kong Personal Data (Privacy) Ordinance (“PDPO”) includes several provisions designed to safeguard personal data, one being Section 33 which prohibits its transfer out of Hong Kong under certain conditions. Unfortunately, however, in practice this has not been enforced as a legal restriction on movement; instead communications from both PCPD and government indicate an absence of commitment towards implementation of Section 33 as an objective policy measure and/or degree of indifference towards it being ever put into action at all.
Key to the PDPO’s application is its broad interpretation; any individual who oversees the collection, holding, processing or use of personal data falls under its jurisdiction. While any person operating operations in Hong Kong which directly control these processes falls within this scope of law, an increasing number of companies operate there but do not own all or any aspects of their operations within its borders; meaning many may fall outside its purview.
Another key element of the PDPO is that data users must provide notice to any individual before collecting his personal data of its intended purposes and any transfers of his information to third parties – also known as “transparency.” This requirement is broad enough that it covers every stage of data lifecycle management; when moving his data out of Hong Kong a data user must conduct a transfer impact analysis before taking appropriate measures to bring protection standards of third countries up to those found here.
Finally, the PDPO requires data users to keep records of all their activities that affect the protection of personal data. This includes details on transactions involving personal data that they conduct as well as requests made by law enforcement authorities for disclosure and responses provided. This obligation places an unnecessary administrative burden on business operations and could have serious ramifications on operational performance.
In addition to these provisions, the PDPO also contains recommended model clauses to include in contracts for the transfer of personal data between data users in Hong Kong and non-Hong Kong users or entities controlled by them – something businesses attempting to transfer their personal data out of Hong Kong often overlook given their importance.