Data hk is a database of reports, statistics and forecasts on industries, economies and consumers worldwide. It is a public resource and is free to use.

There is no statutory restriction in the PDPO that prohibits the transfer of personal data outside Hong Kong, but this does not mean that there are no protections available. Section 33 of the PDPO is intended to ensure that, wherever a person’s personal data is transferred, it will be subject to a comparable level of protection as would be enjoyed by that personal data in Hong Kong. This is achieved by requiring that a “data user” who wishes to export personal data out of Hong Kong carry out a transfer impact assessment and agree to standard contractual clauses.

A transfer impact assessment is a review of the laws, regulations and practices in a jurisdiction that will be the destination for a personal data transfer. It is an important exercise in identifying and documenting the steps that will need to be taken by a data exporter in order to bring the foreign jurisdiction’s law, regulation or practice up to Hong Kong standards. These steps might include technical measures (such as encryption or anonymisation) and contractual arrangements that impose obligations on audit, inspection and reporting, compliance support and beach notification.

Despite the fact that there is no statutory requirement to perform a transfer impact assessment, it is becoming increasingly common for businesses to do so. This is particularly so where they are importing personal data of persons who live in the European Union (“EEA”) from a data exporter in that jurisdiction, or where they have agreed to the new standard contractual clauses with a data importer in the EEA.

However, it is important to note that there is no EEA-style ‘adequacy’ regime in Hong Kong. This may seem surprising, given that many other jurisdictions have one, but it is based on the understanding that the “one country, two systems” principle of Mainland China means that, for legal purposes, it is not an integral part of Hong Kong. As a result, the PDPO only applies to personal data that is processed in, or collected from, Hong Kong and does not extend to a person who is in Mainland China at any time.

It should also be remembered that the definition of personal data in the PDPO only relates to identified persons, which is narrower than the approach adopted in other data privacy regimes such as the PIPL and GDPR. This makes it even more important for data users to understand and comply with the PDPO requirements in respect of transfers abroad. A failure to do so could result in a breach of the PDPO and a possible penalty under section 31 of the PDPO. For this reason, it is always worthwhile to take advice before a transfer is considered. The PCPD’s guidance on cross-border data transfer is available here. Its publication is timely, given that the volume of personal data transferred between Hong Kong and Mainland China will increase significantly with the further development of business and social life within the “one country, two systems” framework.