Personal Data Transfer Regulations in Hong Kong

No matter the nature of your business, understanding regulatory requirements surrounding data transfers between locations is vitally important. Padraig Walsh from Tanner De Witt provides key points regarding personal data transfer in Hong Kong.

Hong Kong’s data protection laws are set out in the Personal Data Protection Ordinance (“PDPO”). This act establishes data subject rights and requirements on data controllers. Furthermore, six data protection principles regulate how personal data should be collected, processed, held, used and disclosed.

One of the principles underlying data usage is that data users should only collect personal data necessary for their purposes, making clear to individuals what those purposes are and why their personal information will be needed; fulfilling this obligation usually means providing them with a data collection statement prior to collecting their personal information.

The PDPO stipulates that data users must obtain express consent before using data subjects’ personal information for direct marketing activities, typically by asking them to check a box on an online form. Once granted, this consent can be revoked at any time.

Data exporters must also consider applicable national legislation when exporting data abroad, including European Union’s General Data Protection Regulation (“GDPR”). With cross-border transfers, GDPR requires data exporters to agree on standard contractual clauses as well as conduct or assist in conducting a transfer impact assessment where personal data is exported to an entity within EU borders.

Under the PDPO, an exporter of personal data must ensure they have appropriate security measures in place in the destination country to safeguard personal data transferred; typically this can be accomplished via a data processing agreement or binding corporate rule.

Data transfers across jurisdictions are a necessity in modern businesses, yet understanding each jurisdiction’s regulatory requirements in order to minimize business risk and ensure efficient compliance is key. Padraig Walsh from Tanner De Witt Data Privacy practice group offers some insight on Hong Kong regulations which govern personal data transfers.

Hong Kong also has additional regulations in place that address data transfers. The PCPD has issued guidance for cross-border transfers with recommended model clauses to include in contracts dealing with data transfer; and has conducted research into the application of Section 33 while offering its comments to that study.

Future changes could occur regarding Section 33 as Hong Kong and mainland China become more integrated through the “one country, two systems” principle. As well, data transfer volumes between Hong Kong and mainland China may grow with deeper integration between businesses and social life between both jurisdictions; all this necessitates an effective legal basis for data exchange between these regions.