Personal Data (Privacy) Ordinance (PDPO)
The Personal Data (Privacy) Ordinance has a number of important requirements for businesses in Hong Kong. The PDPO requires organizations to map all personal data they collect, document the purposes for which it is used and obtain the express consent of individuals before it is processed. It also prohibits the use of personal data for direct marketing. If a business fails to comply with the PDPO, it can face fines of up to HK$1 million and imprisonment.
The PDPO defines personal data as information relating to an identifiable individual. The definition is broadly similar to that used in many other data protection regimes, including the Personal Information Protection Law that applies in mainland China and the General Data Protection Regulation that applies in the European Economic Area.
During the pre-handover era, increased cross-border data flow was seen as an essential part of Hong Kong’s economic success, and the free flow of data came to be viewed as an irreplaceable attribute of Hong Kong’s status as a Special Administrative Region under the “one country, two systems” principle with mainland China. As a consequence, the requirement in section 33 that the data subject be explicitly informed, on or before collection of personal data, that the personal data will be transferred and of the classes of persons to whom it may be disclosed was largely ignored in practice.
The PCPD is now seeking to refocus attention on this important aspect of the PDPO, partly in response to the rising interest in international regulatory frameworks addressing cross-border data flow. This will include an effort to identify the best way to implement the PDPO’s provisions on transfer of personal data.
As a starting point, the PCPD has reviewed the latest global regulatory developments and communicated with overseas regulators on ways forward that best suit the local circumstances of Hong Kong. This will help ensure that the PDPO is effectively implemented as soon as possible, particularly given the rapid development of data privacy laws in mainland China, which will increase the volume of data transfer between Hong Kong and mainland China.
One issue to be addressed is whether the PDPO’s scope will be expanded to cover the transfer of personal data between data users in Hong Kong and those in mainland China. The PDPO only applies to data users who have operations controlled in, or from, Hong Kong. In this respect, it differs from several data privacy regimes that contain express provisions conferring extra-territorial application.
Another issue is how to deal with situations where a Hong Kong data user agrees to the standard contractual clauses proposed by an EEA data exporter. These clauses require the data importer to agree to submit itself to the jurisdiction of, and co-operate with, the data exporter’s supervisory authority for any procedures aimed at ensuring compliance with those clauses.
To minimize the risks of non-compliance with the PDPO, it’s crucial for businesses to understand the requirements and prepare accordingly. This includes undertaking a data mapping exercise, conducting a data protection impact assessment (DPIA), training staff who handle personal data and, where necessary, establishing an internal data protection office. Securiti’s Data Command Center enables companies to manage their data and satisfy the requirements of the PDPO.