Data Hk and the PDPO

As the global economy becomes increasingly digitised, the volume of cross-border data transfers has increased significantly. Businesses must be able to transfer personal data across geographical boundaries without compromising the integrity and security of such data. Consequently, data hk has emerged as an important issue for companies operating in the Asia-Pacific region.

There are numerous regulatory frameworks around the world which impose compliance obligations on data users in respect of their activities involving personal data. One of these is the PDPO of the Hong Kong Privacy Commissioner’s Office (PCPD), together with its Data Protection Principles (DPPs). Amongst other things, the PDPO requires data users to fulfil certain obligations when transferring personal data abroad. These obligations are often met through contractual provisions, either in a separate agreement or as contractual arrangements within the main commercial agreement.

The PCPD has published two sets of recommended model contractual clauses to cater for the most common scenarios: the transfer of personal data to an entity owned and controlled by a Hong Kong data user; and the transfer of personal data between two entities both of which are outside Hong Kong, where both are controllers under the PDPO. These are often referred to as “standard contractual clauses”.

These standard clauses impose a number of obligations on the data exporter relating to its PICS, consent and other requirements. The most important requirement is that the data exporter must verify that the lawful basis for the transfer of the personal data is as contemplated in its PICS. This is a significant obligation, and may involve reviewing the PICS to identify any aspects of the processing which have not been notified.

In addition, the transferring entity must confirm that it will not use the transferred personal data for any new purpose which was not contemplated in its PICS unless the voluntary and express consent of the data subject is obtained. The transferring entity must also agree that the transferred personal data will not be held in a country whose laws do not provide adequate protection for personal data. These requirements are similar to those imposed by the GDPR.

One of the major differences between PDPO and GDPR is that in the former, the concept of personal data is narrower than in the latter. This is a consequence of the fact that the definition in the PDPO does not include any reference to the notion of an identifiable natural person, unlike the GDPR which refers to a ‘natural person who can be identified, directly or indirectly, by information alone or in combination with other data which is likely to be recorded’.

There has been some discussion about whether the definition of personal data in the PDPO should be changed to reflect this. However, such a change is unlikely to come about any time soon. Indeed, with the increasing resistance to implementation of section 33, it seems highly likely that it will never enter into force at all.