Data hk is at the heart of the digital economy. It is the lifeblood of Hong Kong’s businesses and is one of the factors contributing to its global standing as an international business hub. However, increased cross-border data flow is raising concerns about the impact of data transfers on personal privacy. In order to maintain Hong Kong’s competitive edge, it is essential for businesses to be able to transfer data across borders while keeping their customers’ information secure.
To address these issues, the PCPD has recently revised the section 33 regulations and recommended model clauses to be included in contracts dealing with data transfers. The aim is to ensure that personal data is transferred outside of Hong Kong only if certain conditions are fulfilled. These include:
One of the most significant changes is that the definition of “personal data” in PDPO has been amended to clarify that it covers not only “information concerning an identifiable natural person” but also information which is capable of identifying that person whether or not it is combined with other information. This change is likely to have a substantial impact on the way that businesses manage their data.
Another important change is that the data transfer prohibition does not apply to a “data user” who has no operations controlling the collection, holding, processing or use of personal data in Hong Kong. This is a significant departure from most other privacy laws which have extra-territorial application.
There are also a number of additional requirements in respect of data transfers that are not found in other privacy laws. These include a requirement to notify data subjects before the transfer of their personal data and to explain the underlying grounds for the transfer (DPP 2(1)). It is also a requirement that the transferred personal data not be kept longer than necessary for the purpose for which it is being used (DPP 2(2)).
In addition, there are a growing number of circumstances in which a business will need to carry out a transfer impact assessment under PDPO. This is most frequently required in relation to data exports from the European Economic Area (“EEA”) but also applies in some cases where an EEA business offers goods or services to data subjects in the EEA and in some cases where it monitors their behaviour.
Although the PCPD’s revisions to the provisions of data hk have been substantial, many business people remain wary of the practical implications and the difficulties of complying with them. This is probably understandable given that these new requirements are likely to have a considerable impact on business operations. It is therefore vital for businesses to remain aware of the obligations and best practice in this area. This will help them to develop and implement their data protection practices with confidence. It will also enable them to continue to offer a high level of service to their customers, even as the regulatory environment continues to evolve.