January 30, 2024

Digitalization and globalisation have made the collection, processing, holding and use of personal data an essential aspect of daily life for most people. Data protection laws give individuals privacy rights and place specific obligations on those who process data. Hong Kong has enacted this through the Personal Data (Protection) Ordinance (“PDPO”), which contains six data protection principles, and has also issued model contractual clauses for cross-border data transfers to assist with meeting all requirements set out by both legislations.

As soon as someone becomes a data user, their duties become legal obligations that include adhering to the six DPPs and complying with the Personal Data Protection Ordinance (PDPO). Furthermore, the PDPO imposes restrictions on how personal data can be used and disclosed. For instance, an individual’s name combined with an HKID number on a staff card could constitute personal data subject to protection under this act; the two must not be publicly displayed together and made accessible to people not directly involved with the activity for which the data was gathered.

The PDPO defines “personal data” as any information about a living individual who can be directly or indirectly identified, which aligns with other legislative regimes such as China’s Personal Information Protection Law or Europe’s General Data Protection Regulation.

Hong Kong data importers who wish to comply with the standard contractual clauses proposed by European Economic Area data exporters under GDPR must agree to submit to, and cooperate with, any procedures designed to enforce compliance with these standard clauses. It is imperative that businesses that process personal data of European residents understand these requirements before entering into arrangements involving data processing activities in Europe.

Additionally, Hong Kong’s Personal Data Protection Office (PDPO) requires data importers to inform their data subjects of the purpose for which personal data will be transferred and obtain their consent prior to such transfers. This requirement mirrors that found under GDPR; however, its scope is narrower here in Hong Kong.

The PDPO allows exemptions from its requirements for certain activities, including protecting Hong Kong in terms of national defense and international relations, crime prevention or detection, the assessment or collection of any tax or duty, journalism and news activities, and life-threatening emergency situations. However, these exemptions do not extend to sharing data between parties for marketing or other commercial reasons, or to processing personal data for research and development purposes.