Data HK is the practice of collecting and analyzing information using both primary and secondary sources; it can be applied in many industries for business analysis, policy formulation or identification of issues. Government agencies as well as the private sector recognize its use; for instance, the Department of Statistics Hong Kong maintains several datasets to support various economic sectors.
Data protection has become an increasing priority for businesses of all types and sizes, particularly cross-border transfers of personal data across jurisdictions. Though the PCPD recently indicated a greater emphasis on section 33 of the PDPO implementation, business interests have shown resistance due to perceived detrimental impacts and difficulties complying with requirements.
Hong Kong businesses should remain mindful of compliance with cross-border transfer requirements under Section 33 when sending data across borders, even though such requirements have less priority now than they did previously. Businesses must not forget their obligation to abide by its provisions when transmitting their data across borders.
First step to complying with PDPO: determine if transfer of personal data falls within its purview by considering if data user operates operations which involve collecting, holding, processing or using personal data in or from Hong Kong.
If the answer is “yes”, the next step must be deciding whether a personal information collection statement (PICS) must be issued by the data user prior to collecting personal data. A PICS must state its purpose of collection, whether or not personal data will be transferred overseas and who it may be disclosed. Providing PICSs is one of the core obligations under the PDPO for data users.
Data users should ensure their intended transfer is based on one of the specified grounds for transfer, such as protecting national security, defence or foreign affairs; crime detection/prevention; tax assessment or collection activities or journalistic activities. Likewise, they should consider whether any exemptions to use limitation requirements apply in this instance.
If the data exporter agrees to standard contractual clauses proposed by an EEA data importer under GDPR, they should conduct a transfer impact assessment prior to agreeing. Such an evaluation will take into account both legal environments, laws and practices affecting destination jurisdictions as well as potential national security implications of agreeing such clauses.
Overall, transfer impact evaluation is an integral step for companies pondering cross-border transfers. The results can help companies determine if their proposed transaction serves public interests or not and, if not, what additional steps must be implemented.