Data hk is the Hong Kong government’s initiative to promote awareness of data protection and drive the development of a robust personal data economy. The goal is to ensure that the free flow of information will continue to be a key driver of Hong Kong’s prosperity while protecting personal data privacy. This is an important issue because increased cross-border data flow has been a driving force behind Hong Kong’s economic success. However, increasing cross-border data flow has also resulted in an increase in the potential for breaches of personal data. The data hk campaign is designed to help businesses understand how to protect personal data and what to do in the event of a breach.
When Hong Kong’s data privacy law, the Personal Data (Privacy) Ordinance (“PDPO”) was first enacted in 1995, section 33 was intended to regulate cross-border data transfer of personal data outside Hong Kong. The concept of personal data is defined in the PDPO to include any information relating to an identified or identifiable person. This definition is similar to other data privacy laws around the world including the Personal Information Protection Act that applies in mainland China and the General Data Protection Regulation that applies in the European Economic Area.
Section 33 contains a set of conditions that must be fulfilled in order to transfer personal data overseas. This includes a requirement to obtain the prescribed consent of data subjects for disclosure or transfer of their personal data and a requirement to adopt contractual or other means to ensure that personal data transferred to a third party, whether within or outside Hong Kong, is protected from unauthorised or accidental access, processing, erasure, loss or use (DPP 2(3) and DPP 4(2)). The term “data user” is defined in the PDPO to mean any person who is responsible for and liable for complying with the PDPO. This is a broad concept that encompasses any person who has control of personal data, such as a photographer who takes a photograph at a concert that identifies individuals or CCTV footage that records the names of persons entering car parks.
The PDPO also requires that a data exporter conduct a transfer impact assessment of any proposed transfer of personal data to Hong Kong. This is a risk-based assessment of the level of protection in Hong Kong to determine whether such a transfer is lawful and proportionate. It is interesting to note that the PCPD has not yet adopted a six step framework published by the EDPB in the EU which sets out a more prescriptive process for conducting a transfer impact assessment.
It is likely that the upcoming amendments to the PDPO will widen the existing definition of personal data by clarifying that it covers information which relates to identifiable persons. This will bring Hong Kong into line with international standards which expressly regulate the protection of information relating to “identifiable” persons. This is expected to cover information such as residential address, IP addresses and online cookies that make it reasonably possible for a person to be identified.