Data hk is a free portal with access to over one million open data sets from international, EU and Hong Kong sources. The site provides reports, statistics and forecasts on industries, economies and consumers worldwide. The site is easy to navigate and offers a free publication list of top trends and insights. A fee is charged for access to more detailed data.
The Personal Data (Privacy) Ordinance (“PDPO”) does not contain a statutory restriction on the transfer of personal data outside Hong Kong. However, that does not mean there are no protections in respect of cross-border data transfers. There are a range of onerous obligations on the part of data users which must be complied with when transferring personal data overseas. These are set out in the PDPO’s six key data obligations and also include an obligation to notify of the purpose and collection of personal data (DPP1), and to specify classes of persons to whom the information may be transferred (DPP3).
Firstly, it must be remembered that the definition of “personal data” is broad and includes any information that can be used to identify an individual. This means that a photograph of a crowd attending a concert may be considered to be the collection of personal data in Hong Kong, provided it is not taken for the purposes of identifying any particular individuals. Similar examples would be CCTV recordings, logs of people entering car parks and records of meetings which do not identify speakers or participants.
The first obligation that a data user must fulfil is to ensure that it has an appropriate legal basis for the transfer of personal data overseas. This requires a review of the PICS and consideration of whether or not the intended destination country’s laws and practices offer sufficient protection. It is also important to consider the level of scrutiny that a data subject might have of the proposed transfer and whether or not that constitutes a new purpose which needs to be notified to the data subject (DPP3).
Finally, if the assessment indicates that the intended destination country does not meet the required standard, it will be necessary for the data exporter to identify and adopt any supplementary measures that bring the level of protection up to the standard in Hong Kong (DPP 3). This can take the form of contractual provisions, beach notifications or technical measures such as encryption, anonymisation or pseudonymisation.
It is conceivable that the need to ensure efficient and reliable means of transferring personal data with mainland China and internationally will drive change in Hong Kong in relation to section 33, but in the meantime it is worth bearing in mind that there are significant obligations in respect of cross-border data transfer which should not be ignored. It is hoped that this article has given some insight into those issues and that it will serve as a helpful reference tool for those involved in the business of transferring personal data overseas.