An HK domain gives you a strategic digital infrastructure foothold in Asia’s top business hub. As a result, you’re close to Hong Kong’s unique customer base and mainland China’s thriving market. You’ll also be protected by the strongest laws in the region.
Modernisation of data protection laws in Hong Kong is mooted, but until it happens, businesses must make sure they understand the existing framework. This article explains some of the key points to consider for data transfers – whether from Hong Kong to elsewhere or from other locations into Hong Kong.
First, it is necessary to determine whether the PDPO applies to the transfer. This involves looking at the definition of personal data under the PDPO. Unlike other legal regimes, such as the PIPL that applies in mainland China or the GDPR that applies in the European Union, the Hong Kong definition includes information that is not just about an identified person. This makes it a broader pool of information that may require the mandatory disclosures that arise in respect of a data transfer.
Next, the PDPO contains some relatively onerous requirements for a data user to fulfil when transferring personal data abroad. These requirements are based on the principle of transparency, which requires that a data exporter should expressly inform the data subject of the intended purposes of the transfer of their personal data before it is collected. Furthermore, a data exporter must not allow a data importer to use or hold the transferred personal data in any place outside Hong Kong other than those places that have been expressly agreed with the transferring data user. These provisions are often included in recommended model clauses published by the PCPD, and they can be included either as separate agreements or as contractual arrangements within the overall commercial agreement with the data importer.
A further requirement is that a data exporter must verify that the proposed transfer of personal data does not conflict with any of the six core data protection principles under the PDPO. This step is arguably less onerous than the comparable requirement under the GDPR, but it is still an important and onerous obligation for a data exporter to fulfil.
Finally, a data exporter must ensure that the transfer of personal data does not violate any other law in the country of destination. This is another highly technical and complex issue that will require careful consideration.
If the above six steps are not followed, then a data exporter will be in breach of the PDPO and could face substantial penalties. Moreover, the failure to comply with the PDPO could damage a business’s reputation and lead to loss of customers. It is therefore essential to understand the full scope of data transfer requirements under the PDPO when preparing commercial agreements and data protection policies. The experienced team at Tanner De Witt can assist in this regard. We can advise you on how to best structure your commercial arrangements, and draft contractual provisions in respect of data transfers to mitigate risk.