Data hk is a legal concept that stipulates a person cannot be subjected to arbitrary interference with his privacy, family, home or correspondence, or unlawful attacks on his honour and reputation. The concept is based on Article 14 of the Hong Kong Bill of Rights, and is reflected in the Hong Kong Personal Data Protection Ordinance (PDPO). The law also stipulates that no one may be subjected to unfair competition or false advertising, or to unwarranted surveillance or data retention.
The PDPO contains six data protection principles that form the core of personal data obligations under Hong Kong privacy law. The law requires all persons that process personal data to comply with these principles, and it sets out various specific obligations in respect of particular activities, such as consent, disclosure, and collection. The PDPO has been amended many times over the years, most significantly in 2012 and 2021.
As data flows around the world continue to increase, it is important to have a clear understanding of the scope of the PDPO’s provisions in relation to international transfers of personal data. The PCPD has published guidance on cross-border data transfers and recommended model clauses to include in contracts. It has also commissioned a study to assess the impact of data transfers on the business community, and contributed to it.
The scope of the PDPO is very broad, and it applies to almost any activity that involves processing personal data, regardless of whether the purpose of the processing is commercial. However, there are some limits to its application. First, it is important to consider whether the data is actually personal data. The law defines “personal data” very broadly, and it includes any information that can be used to identify a person. The intention of the person acquiring the data is a key factor here – if the data is not collected with a view to identifying a particular individual, then issues in respect of data transfer will not arise.
If the PDPO does apply, then the person transferring the data will have significant and onerous obligations to fulfil, including the requirements to comply with Data Protection Principles 1, 2, and 3. This means that they will need to ensure that the personal data is collected for a lawful purpose, and that it is not transferred to a third party without the prescribed consent of the data subject.
The other requirement will be to adopt contractual or other measures to prevent the personal data transferred to a third party, whether in Hong Kong or abroad, from being kept longer than is necessary for processing (DPP 2(3)). The law also requires that a person obtains the consent of the data subject to transfer their personal data before doing so, unless there are special circumstances. These requirements will have a significant impact on the way business is conducted, and will be reflected in the terms of any agreements between data users. Those arrangements can be in the form of separate agreements, schedules to the main commercial agreement or as contractual provisions within the main commercial agreement.