Data Protection Principles in Hong Kong

The Hong Kong Personal Data (Privacy) Ordinance (“PDPO”) provides a robust legal regime that establishes data subject rights, imposes specific obligations on data controllers and regulates the collection, holding, processing and use of personal data through six data protection principles. It came into force on 20 December 1996 and was amended in 2012 and 2021.

The PDPO lays down the general rules for the protection of personal data in Hong Kong and gives effect to international treaties such as the EU’s Data Protection Directive. It also makes provision for extraterritorial application where it is reasonable and necessary to do so in a particular case.

While the PDPO is not designed to protect data against the risks of international transfers, there are a number of safeguards that are provided for in the PDPO. These include:

A requirement to ensure that the classes of persons to whom personal data may be transferred can reasonably be expected to understand the purpose and nature of the transfer (DPP 1).

Requirements to comply with obligations of disclosure and notice in the event that personal data is subsequently disclosed for a different purpose from the one originally contemplated by the data user (DPP 3).

Recommendations for contractual clauses that are designed to be included in contracts involving a cross-border transfer of personal data and which address the protections required by the PDPO, including DPP 1 and 3.

A right for a data subject to require a business to notify them of any unauthorised access, processing, erasure, destruction or disclosure of their personal data (DPP 4).

Requirements for a data user to adopt procedures to protect personal data entrusted to it or its sub-processors from unauthorised access, processing, erasure, loss or disclosure, including but not limited to the adoption of security measures appropriate to the sensitivity of the data (DPP 5).

It is also important to note that, unlike GDPR, the PDPO does not contain any express provisions conferring extraterritorial application. However, the PDPO does recognise that the rights and obligations of the data users set out in the PDPO apply to data processed outside Hong Kong by a data processor or for purposes that are carried out outside Hong Kong.

As a result, the Hong Kong data protection landscape is complex, and businesses should remain cognizant of both local and international laws and guidance in respect of their governance of personal data. A failure to do so could expose a business to litigation, regulatory action and/or sanctions. It is also important to be aware of the potential implications of agreeing to standard contractual clauses proposed by EEA data exporters. In doing so, a Hong Kong data importer submits itself to the jurisdiction of, and undertakes to co-operate with, the competent supervisory authority of the originating country in any proceedings aimed at ensuring compliance with those clauses. This can be a significant and onerous obligation. It is therefore recommended that businesses consult their lawyers on the best ways to meet those obligations.