Data hk is a legal requirement for businesses that transfer personal data abroad. It is a requirement under the Hong Kong Privacy Ordinance, which came into effect in May 2016. The ordinance sets out a number of principles that companies must adhere to when transferring personal data overseas. Those principles include providing clear notice to the data subject and the purposes for which personal information will be used. The law also requires that companies ensure that the personal data they transfer to a foreign jurisdiction is processed in accordance with local laws. This requirement is particularly important if the company processes personal information that is sensitive, such as medical records or financial information.
Despite the apparent need for greater protection of personal data, many businesses remain reluctant to implement data hk. This is largely due to the perceived negative impact on business operations and the difficulties in complying with the requirements of data hk. Those that are willing to comply will find that they must comply with the full range of obligations set out in the ordinance. This includes the obligation to provide a data protection impact assessment and to obtain the consent of the data subject before transferring personal data.
The Hong Kong Privacy Commissioner has published recommended model contractual clauses for businesses that wish to transfer personal data abroad. These clauses address two scenarios: the transfer of personal data from a data user to another data user; and the transfer of personal data between entities that are both outside Hong Kong but controlled by a Hong Kong data user. In both cases, the model contract stipulates that the data importer must comply with the PDPO and its DPPs in respect of any use or processing of the transferred personal data.
In addition to implementing the model contract, it is also advisable for a data exporter to take legal advice in respect of its contractual arrangements with data importers. This will help to ensure that the arrangements meet the requirements of the relevant data protection laws of the destination jurisdiction and that the provisions will be enforceable. In the event of a complaint, it will also be helpful for the data exporter to have documentation that shows that it has complied with the applicable data protection laws of the destination jurisdiction.
A further concern is that there are no statutory restrictions on the transfer of personal data between Hong Kong and countries that do not have data protection laws comparable to those of Hong Kong. This could potentially undermine the reputability of the city as an international business hub. It is therefore hoped that the Government will consider introducing a similar exemption to section 33 of the PDPO in order to ensure that it remains a world-leading business and data centre hub. However, until such changes are made, it is important for businesses to understand their obligations under the current data hk framework and how these may differ from those in other jurisdictions.