Data privacy in Hong Kong is a critical aspect of business, yet many enterprises struggle with how best to manage this risk. Padraig Walsh from Tanner De Witt’s data privacy practice group will assist you with understanding all statutory requirements related to data transfers in Hong Kong.
As part of understanding data transfer issues under PDPO and DPPs, it is critical to grasp their interpretation. A key point here is that anyone controlling the collection, holding, processing or use of personal data outside Hong Kong constitutes “data users”.
The definition of personal data contained within the PDPO is also crucial. While not changed since its implementation, its wording complies with international norms such as GDPR’s definition that defines it as information which identifies an individual – including but not limited to name; identification number; location data; online identifier and factors specific to physical, physiological, genetic mental economic cultural or social identity of an identified or identifiable natural person.
For data users to be able to transfer personal data internationally, the consent of the data subject must first be secured voluntarily and expressly prior to initial collection of personal information. As best practice suggests, this should be included in a Personal Information Collection Statement (PICS).
Once consent has been obtained, data users are subject to various obligations when transferring personal data overseas, including but not limited to making sure the overseas recipient complies with Data Protection Principles (DPPs).
Final consideration should include whether there are any laws or practices in a foreign jurisdiction which might inhibit effective implementation of Data Protection Principles in an international data transfer. This is especially relevant when transfer occurs for direct marketing purposes – one of the PCPD’s primary enforcement activities.