Padraig Walsh, Partner and Data Privacy Group Lead at Tanner De Witt
It’s become increasingly common for businesses to arrange cross-border data flows to and from the Greater Bay Area (GBA). For this reason, it’s important that those involved in these arrangements are aware of their data protection responsibilities.
A key issue for business is whether there are any statutory restrictions on data transfers under Hong Kong law. While a statutory restriction on data transfer is not in place, there are still many obligations under the Personal Data Protection Ordinance (PDPO) that must be met by data users when transferring personal information abroad.
The PDPO defines personal data as information that relates to an identifiable person. It imposes rights on data subjects, and specific obligations to data users through six data protection principles. The definition of personal data is very similar to the definition used in other legislative regimes – for example, the Personal Information Protection Law that applies in mainland China, and the General Data Protection Regulation that applies across Europe.
Under the PDPO, data users must notify data subjects of the purposes for which their personal information is collected, and of the classes of persons to whom it may be transferred. This obligation can usually be fulfilled by means of a personal information collection statement (PICS) that must be given to data subjects at or before the time when the PICS is originally collected.
Another requirement under the PDPO is that, before making a transfer of personal data, a data user must verify that the class of persons to whom the information will be transferred is adequate. This obligation is somewhat less onerous than the verification of the adequacy of the class of individuals required under GDPR, but it is nonetheless an important safeguard to prevent unauthorised and incompatible processing of data.
Finally, under the PDPO, a data user must not disclose or permit the disclosure of any personal data in a way that would be likely to lead to harm to the data subject. This is an important safeguard to ensure that data users do not misuse or exploit personal data by distributing it to a third party without good reason or for malicious purposes such as for the purpose of direct marketing.
As businesses consider how to arrange their cross-border data transfers, it’s vital that they take into account all of the relevant obligations under the PDPO and other legislation in their jurisdictions. This will help them reduce their exposure to regulatory risk and promote efficient compliance with data transfer regulation. To learn more, download the full guide to data hk. For a free consultation on your specific data transfer needs, contact us here. Our team of experts can help you navigate the complex issues that can arise when transferring data internationally. We’ll ensure that you have a complete understanding of your regulatory obligations, so that you can make confident decisions about how to manage your global data flow.