GovHK and the PDPO

Data is becoming increasingly central to the economy, both for businesses and individuals. The success of digital products and services depends on the availability of large volumes of data. In today’s digital economy, data is analogous to physical capital – it is an economic factor of production that can be leveraged for competitive advantage. As a result, the protection of personal data is now an essential part of any business’s management regime.

In the case of GovHK, data is used in a variety of ways to improve our services. For example, we use data to record the number of visitors to our website and to understand how people interact with our web pages. This information is anonymous and does not contain any personal identifiable information. This data is gathered by cookies and page tagging. We also use the data to monitor and report on trends in how people access and navigate GovHK.

The Government takes its responsibility for protecting personal data very seriously. However, we must balance this with the needs of our users and the wider public interest. To do this, we carefully consider the impact of our data use on privacy and freedom. We also work with our stakeholders to ensure that we use personal data fairly, transparently and in compliance with the law.

The PDPO defines “personal data” as any data that relates directly or indirectly to an identified or identifiable individual. This definition is broadly consistent with the meaning of the term in other legal regimes such as the PIPL and the GDPR.

It is a core principle of the PDPO that personal data must only be collected for a specific purpose, and cannot be used for other purposes without the explicit consent of the individual concerned or the approval of the Personal Information Protection Commission (“PCPD”). However, there are several exemptions from this rule: (i) for safeguarding Hong Kong’s security, defence and international relations, crime prevention or detection; (ii) for assessment or collection of any tax or duty; (iii) for preventing unlawful or seriously improper conduct, news activities or legal proceedings; or (iv) in life-threatening emergency situations.

A further exemption is that personal data may be transferred outside of Hong Kong if the PCPD has been notified and consent given in writing by the data subject or their representative. The PDPO further provides that the transfer of data for a new purpose requires the PCPD’s prior consent, unless there are vital reasons for such a transfer.

This is one of the key issues that is being debated in connection with proposed amendments to the PDPO. The intention is to tighten the regulation by requiring data users to formulate a clear policy on how long they intend to keep personal data for. In the absence of such a requirement, a person would be likely to struggle to ascertain a data user’s policies and practices on personal data retention. This is precisely the type of uncertainty that data protection laws are intended to eliminate.