Data Protection Law in Data Hk

Data privacy in Hong Kong can be an intricate topic to navigate, particularly when dealing with cross-border transfers of personal data. Here, Padraig Walsh of Tanner De Witt’s Data Privacy practice group presents key points when handling personal data transfers under Hong Kong law.

Hong Kong’s data protection regime is guided by the Personal Data Protection Ordinance (PDPO), which establishes data subject rights, specific obligations for data controllers and regulates collection, processing, holding and use of personal data through six data protection principles. Like other data privacy regimes, this ordinance has extraterritorial application; however, its jurisdictional tests may not always be as straightforward.

Before proceeding further, one must carefully consider if the data in question constitutes personal data as defined under the PDPO. Personal data defined under this act includes all data related to identifiable or identifiable individuals and may result in transfers outside its transfer restrictions even where transfer intentions exist.

Depending on whether or not the data relates to a living person, additional concerns arise. Under Hong Kong’s Personal Data Protection Ordinance (PDPO), data users must have a lawful basis for each purpose they collect, process or use personal data for before transferring it outside Hong Kong. Usually a transfer would be approved if its new purpose falls under one of six permitted grounds for processing.

Under the PDPO, it is illegal for data users to transfer personal data without first informing the data subject about it. In such instances, data users must provide written statements outlining why and to whom their personal data has been transferred as soon as possible.

Similar to Hong Kong law, the PDPO restricts disclosure of personal data outside Hong Kong without first seeking consent from its subject, unless disclosure is necessary for contract performance or legal compliance – this could potentially make it challenging to transfer certain kinds of personal data commonly used by telemarketers for unsolicited marketing calls to mainland China, where regulations regarding this practice can be much stricter.