The PDPO and Data HK

Data hk is the Hong Kong-based news portal for news and commentary on data privacy, data protection and related issues. Established in 1996, it has become an indispensable source of information and insight on data matters in Hong Kong and beyond. The website covers developments in the law, best practice and industry trends. It also provides guidance for businesses on data privacy matters and offers a platform to exchange views on the subject.

As with all data privacy laws, the PDPO is not a monolith; its application and interpretation differs across industries and sectors. It is important for businesses to consider whether the PDPO applies to them before they collect personal data and how this might affect their business practices.

Whether the PDPO applies to a person or organisation depends on their control of the collection, holding, processing and use of personal data. This is determined by considering whether the data is collected, processed or used in, from or with a base in Hong Kong or on Hong Kong soil. The definition of “personal data” in the PDPO is similar to international norms. The term is broadly defined to include any information relating to an identified or identifiable individual, including any expression of opinion about that individual.

The PDPO contains a number of provisions that apply to the use of personal data, including restrictions on the uses of such data and obligations on data users to inform and obtain consent from data subjects. The PDPO also prohibits the use of personal data for direct marketing, and failure to comply with this is a criminal offence punishable by fine or imprisonment. The PCPD has investigated and prosecuted a number of individuals in connection with their use of personal data for direct marketing purposes in recent years.

Cross-border data transfer

A key feature of the PDPO is its stipulation that a data user must comply with a range of obligations in respect of any personal data transferred to another location outside Hong Kong, including a requirement to carry out a transfer impact assessment (DPP 5). This is often referred to as the “opt-in” regime since it requires a clear and unambiguous choice by the data subject before the personal data can be transferred.

The PDPO also imposes an obligation to adopt contractual or other means to prevent personal data transferred to processors within or outside Hong Kong from being kept longer than is necessary for the purpose of processing the data. The PDPO also requires a data user to impose such safeguards on its agents and contractors, even where they are located overseas, unless it can be demonstrated that such measures are not practicable or reasonable in the circumstances. This requirement is not as onerous as it might appear at first glance, and may be negotiated in the form of separate contracts or schedules to main commercial agreements.