In the business world, data hk is vital to make more informed and efficient decisions. It is a key tool to improve customer satisfaction, understand market trends or identify potential problem areas. Nevertheless, the collection and analysis of information is also subject to certain data privacy regulation that must be respected. Data transfer between businesses is common and must be conducted in compliance with local law. Padraig Walsh from Tanner De Witt guides you through some of the key points to consider when transferring personal data between jurisdictions.
The purpose of the Hong Kong Personal Data Protection Policy (“PDPO”) is to protect the privacy of individuals. The PDPO contains six Data Protection Principles (DPPs) which form core data obligations for all data users. DPP1 states that the data user must expressly inform a person on or before collecting their personal information of the purposes for which it will be used. DPP3 states that the data user may not transfer personal information to a class of persons which was not specified in the PICS without the consent of the data subject.
Section 33 of the PDPO prohibits the transfer of personal data outside of Hong Kong unless certain conditions are met. It is important to note that the requirement to satisfy the six DPPs also includes a requirement to obtain a voluntary and express consent from the data subject.
While imposing restrictions on the transfer of personal data, section 33 also provides some exceptions. It is important to understand the scope of these exceptions so that the necessary steps can be taken to ensure compliance with PDPO.
The statutory exceptions are designed to provide a balance between the rights of individuals and the legitimate business interests of organisations. In some cases, this may mean that a personal data transfer is required for the performance of a contract. In other cases, it is a matter of public interest and may be necessary for the prevention of serious crimes.
There has been much debate regarding whether or not the statutory exemptions should be changed, particularly in light of increased cross-border data flow. The business community has argued that increased data flow is the lifeblood of Hong Kong’s economy and that limiting this flow would jeopardise Hong Kong’s competitive advantage. This view was backed up by the PCPD which stated that “it is not appropriate to amend a legislative provision which has served its purpose for many years”.
While it may seem counter-intuitive, the Hong Kong position on this issue does not appear to be out of step with international trends. Perhaps it is time to re-evaluate this position, given the increasing need for efficient and reliable means of transferring personal data between mainland China and other jurisdictions internationally. In addition, the rapid evolution of data privacy laws in mainland China under the “one country, two systems” principle will likely increase the need for this type of legislation. We will keep you posted.