Data Protection Law in Hong Kong

The data hk was at the forefront of modernising data protection laws in Hong Kong. There is a statutory restriction in section 33 which prohibits the transfer of personal data to a place outside Hong Kong, unless certain conditions are fulfilled. There is also a requirement to provide a data subject with information on their rights and the processing arrangements in force in respect of such transfers. These requirements are important and must be taken into account in the context of any cross-border transfer of personal data.

Data protection law defines the term ‘personal data’ broadly: it encompasses all data that can be used to identify an individual (as opposed to business or commercial data). It includes, for example, names, HKID numbers, biometrics, photographs and addresses. Personal data also includes sensitive personal data, such as health and medical records and financial details.

It is a criminal offence to use personal data for direct marketing without the prior consent of the individual concerned. Moreover, if the person gives his or her consent, it must be in writing and freely given.

There are a number of measures to protect personal data from unauthorised or accidental access, processing, erasure or loss. In addition to these general provisions, there are specific provisions in relation to the protection of personal data transferred overseas.

These include the requirement to adopt contractual or other means to prevent a data processor in a foreign jurisdiction from unauthorised or accidental access, processing, or erasure of personal data transferred to it for processing, or from retention for longer than necessary for that purpose. This is an important requirement for businesses that are transferring personal data abroad.

In addition, there is a requirement to ensure that any third party that is processing personal data on behalf of the data user will comply with the data protection principles set out in the PDPO. This is an important consideration when a business is considering transferring personal data overseas, particularly where the third party is located in a country that does not have data protection legislation comparable to that of Hong Kong.

If the personal data being transferred is sensitive, it is a criminal offence to transfer it without the express consent of the individual concerned. Furthermore, the data exporter must be able to prove that he or she has complied with all of the other data transfer requirements in the PDPO before a data transfer can take place.

It is becoming increasingly common for Hong Kong businesses to be involved in transfer impact assessments, especially where they are data importers of personal data from EEA countries. In such circumstances, the data importer will need to agree to the standard contractual clauses proposed by the EEA data exporter and undertake a transfer impact assessment. A transfer impact assessment will often need to be agreed and executed by a lawyer. Alternatively, it may be included as an addendum to the main commercial agreement between the data importer and the data exporter.