Data Hk and the PCPD Model Clauses

Data hk refers to the personal data of individuals which may be collected, processed or used. Such data may be transferred or disclosed to third parties for various purposes, such as marketing, research and analytics, and for processing payments.

The collection of data hk is governed by the Hong Kong Data Protection Ordinance (DPO). The DPO provides that no person shall be subjected to arbitrary interference with his privacy, family, home or correspondence or to unlawful attacks on his honour and reputation. In the context of a globalised economy, it is inevitable that such data will be transferred across borders for business purposes. Hence, the DPO requires that data users take steps to ensure that the transfer of their personal data to foreign jurisdictions is done in compliance with the DPO.

In this respect, section 33 of the DPO provides for a transfer impact assessment to be carried out prior to transferring any personal data overseas. In addition, the PCPD has recently published a set of recommended model clauses for inclusion in contracts dealing with data transfers, which are designed to facilitate voluntary compliance with section 33.

A transfer impact assessment is a useful tool for businesses when considering the export of personal data abroad. The purpose of the assessment is to determine whether the personal data exported will enjoy a level of protection similar to that provided in Hong Kong. Depending on the results of the transfer impact assessment, the data exporter may be required to either suspend the transfer or implement adequate supplementary measures. These supplementary measures may include technical measures such as encryption, anonymisation or pseudonymisation, or contractual measures such as breach notification, audit, inspection and reporting, and compliance support and co-operation.

An important issue with the use of these model clauses is that they impose obligations on data users to adopt measures designed to prevent the unauthorised access, processing, erasure or loss of personal data transferred for processing outside Hong Kong, even where such incidents are beyond the control of the transferring entity. This is a significant departure from the position in other jurisdictions such as Europe, where the GDPR recognises that a data user must be held accountable for the acts of his agents, including those located abroad.

Another point to note is that the definition of personal data in the Hong Kong DPO has not been updated to reflect new international norms on what constitutes “personal data”, such as those contained in the PIPL and the GDPR. The PCPD has lobbied for an update to the definition, and this will likely be incorporated in a future revision of the DPO. As things stand, the current definition in the DPO is broad and potentially encompasses a wide range of information which is unlikely to be considered as personal data by most people. This may include photographs of crowds attending a concert, CCTV recordings of persons entering car parks and records of meetings which do not identify individual speakers or participants.