Hong Kong Personal Data Protection Ordinance

The collection of data is a vital component for modern business, whether it be to improve operational efficiency or for customer acquisition and retention. However, with the rapid growth in the use of data, it is becoming increasingly important to understand the laws and regulations governing such collection and its use. One such law is the Hong Kong Personal Data Protection Ordinance (PDPO) which establishes data subject rights and specific obligations to data controllers through six data protection principles.

The PDPO’s scope includes both the jurisdictional and operational aspects of data protection. The PDPO’s scope extends to “any person who controls the collection, holding, processing and/or use of personal data” regardless of whether the activities take place in or out of Hong Kong. This definition is a broad one and can apply to many types of entities such as data processing service providers and other intermediaries that are involved in the handling of personal information.

Operationally, the PDPO imposes specific obligations upon data users which require them to notify data subjects of certain key details of the purpose for which their personal information is collected and the classes of persons to whom such information may be transferred. In addition, a data user cannot transfer personal information to another party for a new purpose unless the volunteer express and informed consent of the data subject is obtained.

In order to comply with PDPO, a data user must have in place technical and contractual measures to ensure that the personal information is protected from unauthorised access, processing, erasure or loss, and is only used for the purposes for which it was collected. In the case of a transfer, this can include arrangements to secure such transfers through encryption, pseudonymisation or split processing.

A data exporter must also be prepared to adopt supplementary measures where its assessment of the foreign jurisdiction’s legal and regulatory framework or practices reveals that it does not meet the standard required under the PDPO. These supplementary measures could involve any of a range of techniques or include additional contractual provisions for audit, inspection and reporting, beach notification and compliance support and co-operation.

As the PDPO continues to evolve, there are likely to be further amendments in the future. One change mooted by the Government is to expand the current definition of ‘personal data’ to capture more categories of information that are likely to fall within its scope.

Until this happens, businesses should continue to be mindful of their duties under the existing PDPO and how those might differ from obligations under other data privacy regimes. Padraig Walsh is a partner and head of the Data Privacy practice group at Tanner De Witt. He advises on all aspects of personal data protection, including the PDPO, and international data transfer issues. He can be contacted at padraig@tannerdewitt.com.au or 02 9282 8938. For further information, visit our DataHub. 2018 Tanner De Witt. All rights reserved. This article is provided for general information purposes only and does not constitute legal advice.