The Data Protection Law in Hong Kong

The data hk website provides detailed information on the data protection laws of Hong Kong and is an invaluable resource for both local and international businesses. It provides a comprehensive overview of the data protection regime and covers all aspects of the legislation including:

What is the law in Hong Kong?

The Hong Kong Personal Data Protection Act (“PDPA”) contains no statutory restriction on the transfer of personal data outside Hong Kong. However, there are a number of circumstances in which it may be necessary for a business to carry out a transfer impact assessment and in some cases to implement adequate supplementary measures.

A transfer impact assessment is a process by which a business must consider the potential adverse effect of a proposed personal data transfer on individuals’ rights and freedoms, taking into account the purposes for which the personal data is being transferred and the identity of the recipient. If there is an adverse outcome to a transfer impact assessment, then the data exporter must suspend the transfer and take steps to mitigate the adverse effects, or otherwise ensure that the personal data is not processed in a way which violates those individuals’ rights.

It also looks increasingly possible that section 33 will never come into operation in Hong Kong – it is not the most popular piece of business legislation in Hong Kong. Resistance from the business community to implementing it has gathered momentum over time, with concerns about the impact on business operations, difficulties in complying and the cost of doing so.

Nevertheless, the PDPO does set out a series of onerous obligations that data users must fulfil in respect of personal data transfers, and there are detailed guidelines on how to do this. Those obligations include:

A requirement to provide the class of persons to whom the personal data may be transferred and the reasons for transferring it (DPP 1 and DPP 3).

A requirement to adopt contractual or other measures to prevent the personal data transferred from being kept longer than is necessary for processing of that data (DPP 2(3)).

A requirement to ensure that any personal data that is transferred to a third party is only used for the purpose specified by the transferor (DPP 4(2)).

In addition, there are specific requirements in respect of transfers of sensitive personal data which must be complied with (DPP 5). Finally, there is a requirement to comply with standard contractual clauses which have been agreed between EEA data exporters and the recipient country’s data protection authorities in order to secure safeguards that are comparable to those provided under the PDPA. Those clauses can be incorporated into contracts or schedules to other commercial arrangements, and may be in the form of standalone documents or as contractual provisions within a wider commercial agreement. The form ultimately does not matter, but the content is of crucial importance.