A Hong Kong business may be subject to the GDPR where it offers goods or services to data subjects in the European Economic Area (EEA) or monitors their behaviour in the EEA (for example, by tracking them on the internet). The PCPD has issued extensive guidance on how a data user can comply with these obligations, including putting in place contractual arrangements to protect personal data when it is transferred outside Hong Kong. Such contracts can take many forms: separate agreements, schedules attached to a main commercial agreement, or contractual provisions within the overall commercial arrangement. Whatever the form, they are critical to protecting personal data once it leaves Hong Kong.
The PCPD also published two sets of recommended model contractual clauses. These address the most common scenarios: a transfer from one data user to another; and a transfer between two entities both of which are data users. The drafting of such arrangements is relatively straightforward and does not need to be a time-consuming exercise for businesses.
One of the more significant aspects of the PDPO concerns the requirement for a data user to expressly inform a data subject on or before the collection of his personal data about the purposes for which it will be used and about the classes of persons to whom it might be transferred. A data user must also obtain the prescribed consent of a data subject for any change of use (DPP 1(1)).
A further aspect is that a use of personal data can be deemed to have taken place when the data is disclosed or transferred, even if it was not collected with the intention of using it for that purpose. For example, a photograph of a crowd attending a musical concert would be deemed a collection of personal data for this reason, even though it is not intended to identify particular individuals. This principle is reflected in the drafting of the PDPO and has been interpreted in various cases by the PCPD.
There are other important points to note. For instance, a data transfer is only permitted where the lawful basis for the processing of that personal data has been established (DPP 7(1)). A business should review its data processing activities and consider whether the lawful basis remains valid in light of recent developments in respect of personal data protection.
There is a growing number of circumstances in which a data user will need to conduct a transfer impact assessment before exporting personal data. This involves evaluating the foreign jurisdiction's legislation and practices to determine whether they meet the standards required under the PDPO, and examining whether supplementary measures, technical or contractual, are needed. Such measures might include encryption, anonymisation or pseudonymisation; data security breach notification and response; and compliance support and co-operation with the foreign supervisory authority.