Personal Data Protection in Hong Kong

As increased cross-border data flow became the lifeblood of Hong Kong’s economy, there was a move away from implementation of section 33 as a clear policy objective, and indeed to a certain indifference to whether it should be implemented at all. This was largely due to business concerns over the perceived adverse impact on operations, difficulties in achieving compliance and the costs of complying. This stance was exacerbated by the fact that there seemed to be no indication that cross-border data transfers were undermining personal data privacy in Hong Kong.

A key factor was the view that a data exporter’s obligation to undertake an assessment of a foreign jurisdiction’s law and practice in respect of the protection of personal data was unnecessarily burdensome and disproportionate, particularly given the fact that there is already a general requirement under the PDPO for the data exporter to notify the data subject of any planned transfer abroad, and to provide the data subject with the opportunity to object.

In addition to the statutory requirements set out in the PDPO, it is common for the contractual arrangements between the data exporter and the data importer to include the requirement that the data exporter take all reasonable steps to ensure that the transfered data will be adequately protected in the foreign jurisdiction (and, where possible, that the data importer have sufficient resources to meet this requirement). In some cases, these provisions are supplemented by technical measures such as encryption, anonymisation or pseudonymisation and by additional contractual provisions on audit, inspection and reporting, beach notification, and compliance support and co-operation.

The PDPO defines “personal data” as any information that relates to an individual who can be identified, directly or indirectly, in particular by reference to an identifier, such as name, address, telephone number, or email address, and which is recorded in any form or in any way processed. In practice, most organisations only consider that they are processing personal data when it is recorded and stored in a system for which they are responsible. However, the PDPO also requires that data users provide data subjects with a personal information collection statement (PICS) before collecting their personal data and specify the classes of persons to whom the data may be transferred, and that they obtain the data subject’s voluntary consent to any change in purpose for which the personal data is collected.

The data hk is a 3G 4G prepaid SIM card that offers some of the most affordable data packages in its lineup. It is primarily aimed at domestic helpers and can be purchased at selected Indonesian grocery stores. It costs HK$ 38 for the SIM with the same amount of credit loaded, and is valid for 90 days from the date of activation. You can activate it by dialing *101*420#. There is also a cheaper HK$ 28 package that only has 5 GB available, and is valid for 30 days from the date of activation.