Data hk is Hong Kong’s statutory data protection authority. Its purpose is to uphold and enforce individual privacy rights, and impose specific obligations on data controllers – notably in relation to the collection, processing, holding and use of personal information – through six core data protection principles. The data hk authority also investigates serious data breaches and takes enforcement action against those that commit them, in particular by imposing hefty fines.
The data hk authority is an independent regulatory body. It was established in response to growing concerns about privacy breaches and the erosion of individuals’ rights, largely in the lead-up to Hong Kong’s handover from UK to Chinese control in 1996. Its main regulatory instrument is the Personal Data (Privacy) Ordinance (“PDPO”).
A person is a “data user” under the PDPO if they control the collection, processing, holding or use of personal data within Hong Kong. A data user who plans to transfer personal data outside Hong Kong is required to prepare and issue a Personal Information Collection Statement (“PICS”) to the individuals concerned. Once the data has been collected, the PICS will typically prohibit the data user from transferring the personal data, or using it for a new purpose, without the voluntary and express consent of the individual, unless a lawful exemption applies.
As well as complying with the PDPO, a data user who is planning a transfer will need to consider the adequacy of the foreign jurisdiction’s laws and practices and undertake a transfer impact assessment. This is an obligation under section 33 of the PDPO, and there is a growing number of circumstances in which a data user will need to carry out such an assessment. The Privacy Commissioner for Personal Data (“PCPD”) has published guidance on the transfer impact assessment process, including recommended model clauses for inclusion in contracts relating to data transfers.
Once a data transfer has been completed, the data exporter will need to verify that both they and any third-party processors are meeting all the PDPO requirements in relation to the processing of the transferred personal data. They will also need to ensure that any contract with a sub-processor is compliant. This can be done by including additional contractual provisions, either as separate agreements, as schedules to the main commercial agreement or as a set of clauses incorporated into the overall commercial arrangement.
There is a sense in which the PDPO, despite its hefty fines and enforcement powers, does not yet have teeth. Some businesses, particularly those that use a lot of data about the behaviour of individuals, may find this frustrating. However, it is possible that demand for efficient means of transferring personal data to and from mainland China and internationally will drive change in the near future. If that happens, it could significantly increase the compliance measures that data users must put in place, with a significant effect on the cost of doing business for many.