Personal Data Obligations in Hong Kong and Other Jurisdictions
Despite the proliferation of data and its many uses, some organisations may be confused about their obligations in respect of this information. Taking a step back and clarifying the legal definitions of personal data in Hong Kong and other jurisdictions can help businesses to ensure they have the measures in place to comply with their data-related obligations. This exercise, together with a data mapping exercise, can also help businesses to identify and differentiate between personal data that is subject to privacy laws, and other information they hold that falls outside those rules.
Amongst the most challenging of these obligations is the requirement to carry out a transfer impact assessment before transferring personal data abroad. While a transfer impact assessment is not mandatory under Hong Kong law, there is an increasing number of circumstances in which a business operating in Hong Kong will be required to undertake one by virtue of the application of the laws of other jurisdictions (most commonly in connection with data exports from the European Economic Area to Hong Kong).
The first question to ask when assessing whether a transfer impact assessment is needed is whether the information being transferred is ‘personal data’. The definition of personal data in Hong Kong is broad and encompasses descriptions or identifiers that point to, or can be related to, an identifiable person. This includes IP addresses, residential addresses and website cookies.
Another consideration is whether the information being transferred was collected for a particular purpose and will be used for that same purpose. If the data is being used for a different purpose, then it is a new use and the requirements of the Personal Data (Privacy) Ordinance (PDPO) must be met. This may include obtaining the voluntary and express consent of the data subject.
For example, the PDPO requires that a data user obtains the express consent of the data subject before he transfers the data to an entity which intends to use it for direct marketing purposes. This consent must also be obtained before the data is used for other types of processing such as analytics or research.
In addition to these requirements, the PDPO imposes further requirements on data users who transfer personal data abroad. These include a requirement to adopt contractual or other measures which prevent personal data being kept longer than necessary for the purposes of processing it, and a requirement to protect personal data from unauthorised access, processing, erasure, loss or disclosure, including by virtue of its transfer (DPP 2(3)).
If a data user wishes to avoid having these obligations imposed on him, then he must consider obtaining the express and voluntary consent of the data subject before transferring the data abroad. This would be the only way for a data user to avoid having to complete a transfer impact assessment and to comply with the six core data protection principles under Hong Kong privacy law. In addition, the data user must make it clear to the recipient that he will be responsible for compliance with the PDPO in respect of the transferred data.