The PDPO and Cross-Border Data Transfers in Hong Kong

Hong Kong is one of the world’s leading hubs for international data transfers and a key participant in the global digital economy. Its unique position as a special administrative region with its own laws and regulations, together with its long history of promoting openness, transparency, and good business practices, has allowed it to maintain an internationally respected data protection regime. This regime is based on the Personal Data Protection Ordinance (PDPO), which was first enacted in 1996 and amended in 2012 and 2021. The PDPO establishes data subject rights, imposes specific obligations on data controllers, and regulates the collection, processing, holding, and use of personal data through six data protection principles.

The PDPO also prohibits the transfer of personal data to third parties without the consent of the data subject. This is a key restriction in the context of cross-border data transfers. In order to satisfy the requirements of this principle, it is necessary for a data user to expressly inform the data subject on or before the original collection of his personal data of the purposes for which the information will be used and the classes of persons to whom the information may be transferred. The PCPD has published two sets of recommended model contractual clauses to facilitate this process.

In addition, a data user must ensure that the processor has been instructed not to use or disclose personal information transferred to it by the transferring data user in a way that is inconsistent with the agreed purpose of processing. The transferring data user must further ensure that the processor undertakes to implement appropriate technical and organisational measures to safeguard the personal data and prevent unauthorised access, processing, erasure, loss or use of such information.

These requirements are not negotiable and apply whether the transferred data is being processed in Hong Kong or outside of it. As a result, the requirement to comply with all aspects of the PDPO is often viewed as an obstacle to data transfer and business operations. The perceived costs of compliance, a perception that the protections provided by the PDPO are not practical in a global business environment, and the difficulty of complying with cross-border data transfer requirements have led some businesses to avoid the PDPO altogether or, at best, to make only minimal efforts to meet its requirements.

Nevertheless, there is growing concern that the status quo could change significantly with the deeper integration of business activities and daily life between Hong Kong and mainland China under the “one country, two systems” policy. In light of this, it is important for businesses to remain aware of the PDPO and to continue to follow best practice and ethical standards in their governance of personal data. Achieving this is not always easy, but it is possible. By taking these steps, companies will ensure that they continue to be able to conduct international data transfers with confidence and integrity. By retaining a high level of data protection, businesses will have peace of mind that they are conducting those transfers in compliance with the law.