The Hong Kong SAR, like many other jurisdictions, has a range of data protection laws. It is a good idea for businesses to familiarise themselves with those laws, and with the legal framework that binds them to those laws. This article explains some of the issues and considerations that arise when dealing with personal data in Hong Kong.
One of the core requirements under Hong Kong’s privacy laws is that a data user must, on or before collecting a data subject’s personal data, expressly inform the data subject of the purposes for which the data will be used and the classes of persons to whom the data may be transferred. The PCPD has also made clear that a transfer of personal data can only occur where the data subject’s consent is freely given and specific.
Those are important points, and the PCPD has produced comprehensive guidance on how to comply with those obligations. However, there is a growing body of evidence that the business community has moved away from advocating for section 33 of the PDPO to be implemented as a policy objective and towards a view that it is not needed in the face of increasing international flows of personal data. This view is based on the recognition that increased cross-border data flow is a vital part of the economy, that the PDPO already provides a robust set of rules and mechanisms for protecting that data, and that there is little evidence that those PDPO provisions have been undermined by the large volume of cross-border data transfers that take place.
There is also the important point that, even if a data exporter fails to comply with the terms of a binding decision by a competent supervisory authority of the destination country, that failure does not automatically trigger an adverse transfer impact assessment under the PDPO. In fact, it is quite possible that the application of adequacy regimes in mainland China and internationally will drive the need for such an assessment out of existence.
As the PCPD has pointed out, a data exporter can satisfy its obligation to implement adequate supplementary measures by entering into standard contractual clauses proposed by an EEA data exporter under GDPR, which include a commitment to submit itself to the jurisdiction of, and co-operate with, the competent supervisory authority of the destination country in any procedure aimed at ensuring compliance. These arrangements can be made either in separate agreements or as Schedules to the main commercial agreement with the data importer. This is a sensible arrangement for businesses to enter into, especially as it can provide a strong argument that the contractual arrangements fulfil the requirements of the PDPO without requiring an adequacy assessment.