Data Protection and Governance in Hong Kong
Hong Kong government officials are setting up a new office dedicated to crafting digital policies. Their purpose is to use technology and data to increase productivity within the economy while at the same time adhering to global best practices for data governance and protection.
Following recent outrage surrounding Octopus Rewards’ data sale, which led the Privacy Commissioner to initiate an investigation, this new measure follows suit. Ultimately, their investigation revealed that although collecting personal data for Octopus Rewards was legal but its collection of sensitive personal information like HK ID card number, passport number, date and year of birth as well as home address was excessive; their final report was then issued in October.
Although this move is an improvement, it will not solve all Hong Kong’s data concerns. There remain numerous issues related to personal data use which will need to be addressed through policy amendments; major ones being its adverse impact on business operations, difficulty with complying and costs involved with doing so.
These concerns are valid; however, it should be remembered that most personal data collected is for legitimate uses and isn’t being misused unlawfully or to cause physical harm to an individual. Furthermore, most transfers between companies take place between entities within that company.
As such, the legal obligation of entering into written contracts in respect of all cross-border data transfers is an integral component of our data protection regime and must remain so. Such contracts may take the form of separate agreements, schedules to a main commercial agreement or contractual provisions within said agreement; ultimately what matters most is their substance and content.
Equally, maintaining the territorial scope of the PDPO when it comes to data transfer outside Hong Kong has its merits. While other data privacy regimes now incorporate an extraterritorial element into their applications, it remains apparent that its jurisdiction extends to any person responsible for collecting, holding, processing or using personal data within or from Hong Kong.
Equally essential to any data protection regime is maintaining the principle that data users are accountable for the actions of their agents, including data processors.
Finally, the PDPO must continue allowing data users to conduct standard contractual clause assessments when importing personal data of European Economic Area persons from Hong Kong data exporters – this step being far less onerous than GDPR-style transfer impact assessments.