The digital economy is now a powerful force in our lives. It is changing how businesses operate and thrive, how cities are managed – even how we work, learn and live. Its driving force is data. But that data is not always well understood, or correctly used – and the consequences of mishandled data can be far-reaching. This article, written by Padraig Walsh of the Tanner De Witt data hk practice group, explores key points to consider regarding personal data transfers, whether they are within Hong Kong or to locations outside of the territory.
First and foremost, it is necessary to determine whether the transfer falls within the jurisdiction of the Personal Data (Privacy) Ordinance (PDPO). To do so, consider whether the person transferring the data is a “data user”. A data user is defined as a person who, alone or jointly or in common with other persons, controls the collection, holding, processing or use of personal data. It is important to note that the definition does not include the collection of data for the purpose of selling it or distributing it in any form.
It is also important to determine whether or not the data consists of personal information. The law of Hong Kong defines personal information to include any information that can be used to identify an individual. This includes name, date of birth, address, gender and ID card number. However, it does not include the contents of a bank account or credit card, and it excludes information about an employee’s medical status or criminal records.
Finally, it is necessary to consider whether or not the purpose for which the data is collected is legitimate and necessary. The laws of Hong Kong require that any use of personal data be justified by a public interest and that the purpose is not contrary to law. This is a complex analysis that must take into account a range of factors, including whether or not the data will be stored and processed in a way that would violate any of the six data protection principles (DPPs).
A further point is that it may be necessary to carry out a transfer impact assessment. This is not a requirement under the PDPO, but there is a growing number of circumstances in which it will become necessary. These include situations in which the law of another jurisdiction applies to a transfer from Hong Kong, and in which it is necessary to conduct a transfer impact assessment for that jurisdiction.
While section 33 has not yet been implemented in Hong Kong, the need for efficient and reliable methods of transferring personal data with mainland China and internationally will probably drive change in the future. In this regard, it is important for businesses to keep in mind that a transfer impact assessment can be a useful tool to help ensure compliance with the PDPO and other data protection regimes. If you have questions about the implications of a particular data transfer, please contact the team at Tanner De Witt.