If a person does not have any operations controlling the collection, holding, processing or use of personal data in, or from, Hong Kong, then the PDPO will not apply to him. This reflects the fact that personal data protection law in Hong Kong is not defined by territorial jurisdiction, as is the case in most other jurisdictions, but rather by whether an operation controls such activities.
The PDPO defines personal data to mean any information which relates to an identifiable natural person. This definition has been in place since the PDPO was first enacted, and is consistent with international norms. It is somewhat more restrictive than the meaning given to the term in other data privacy laws – for example, the personal data protection law that applies in mainland China, and the European Union’s General Data Protection Regulation.
This article will explore some of the key steps that must be taken in order to ensure that a transfer of personal data to, or from, Hong Kong is conducted in compliance with the PDPO. In addition, the article will consider some of the issues that may arise when a data transfer is carried out using “cloud services” or other forms of offsite storage and hosting.
In most cases, a data transfer to, or from, another jurisdiction will require the consent of the data subject. The PDPO requires that a data user who intends to transfer personal data must obtain the voluntary and express consent of the data subject, unless a specific exception applies. This requirement has been a significant departure from other data privacy regimes, where the principle of explicit consent is generally not enforceable in relation to a cross-border transfer.
Once a data transfer has been completed, the data exporter must ensure that the personal data is not re-used for any purpose which is not in line with the original purpose for which it was collected (i.e., the data must be “de-identified”). The PDPO requires that a data exporter review its Personal Information Collection Statement to ensure that it has disclosed the fact that personal data will be transferred outside of Hong Kong and the underlying grounds for the transfer. This is a significant step, but it is not as onerous as the equivalent obligation under the GDPR.
Data governance is a set of practices and procedures that are designed to ensure that your organization’s information is used appropriately. Developing and managing a data governance framework is not easy, and you will need to carefully consider your organizational structure and goals before getting started. Ideally, your data governance team should include both business and IT subject matter experts – i.e., a business analyst with experience in your industry and an IT systems architect with an understanding of the technical aspects of your information management programs. This combination will help to ensure that your data governance program is successful and is fully aligned with the rest of your business operations.