Personal Data Protection in Hong Kong
The first question to consider is whether personal data is being collected. For example, photographing a crowd attending a music concert does not amount to collecting personal data unless the photographer intends to identify specific individuals in it. The same principle applies to CCTV recordings, logs of persons entering car parks and records of meetings that do not identify individual speakers or attendees.
If personal data is being collected, then the next question is what the purpose of that collection is and whether the collection is necessary for that purpose. If it is, then a Personal Information Collection Statement (PICS) must be prepared and the consent of the data subject obtained. The PICS must set out the purposes for which the personal data is being collected, the classes of person to whom the data may be transferred and any other information required by the Personal Data (Privacy) Ordinance (PDPO). It must also inform the data subject of his rights in respect of the personal data that is being collected.
This PICS obligation is a core element of a data user’s obligations under the PDPO. Once a PICS has been provided to the data subject, it must be kept up to date as circumstances change. Consequently, it is important for any business that is considering international data transfer to ensure that its PICS complies with the requirements of the PDPO.
Similarly, once the consent of the data subject has been obtained in respect of the collection of his personal data, then it must be valid as to any proposed future transfer of that personal data. The data subject must have the right to withdraw his consent in writing if he wishes to do so. This requirement to obtain the voluntary and express consent of the data subject is one of the core elements in the PDPO.
Another key element in the PDPO is that a data user must not transfer personal data out of Hong Kong without compliance with certain conditions. This requirement is designed to prevent personal data from being transferred abroad to a jurisdiction where there is not adequate protection for the data subjects’ privacy.
It is essential that any business planning to transfer personal data abroad ensures that it complies with the PDPO and, where applicable, any additional requirements of the destination country or territory. This should be done before the transfer is made. It is also advisable for the business to carry out a transfer impact assessment as described above.
The position of Hong Kong in relation to the implementation of adequacy and equivalent regimes for cross-border data transfers may seem out of step with international trends. However, it is important to remember that the PDPO requires data users to fulfil significant and onerous statutory obligations in respect of any international data transfer. This can be achieved through contractual arrangements with data processors, either as standalone contracts or as schedules to the main commercial agreement. Ultimately, the form of these arrangements does not matter as much as their content and substance.