When the Hong Kong Personal Data Protection Policy (“PDPO”) was introduced in 1996 it established a range of statutory obligations for anyone who collects, holds, processes or uses personal data. These are collectively known as the six Data Protection Principles (“DPPs”). One of these DPPs, DPP1, requires data users to expressly inform data subjects, on or before collecting their personal data, of the purposes for which it will be used and the classes of persons to whom it may be transferred. The PCPD has also made clear that transferring personal data is considered use, and therefore must comply with the DPPs.
As the PDPO evolved, it was clear that a fundamental business view was emerging that increased cross-border data flow is an essential attribute of Hong Kong’s success and should not be curtailed. Furthermore, there was a strong belief that compliance with the PDPO would add to operational costs and create complexity. This led to the decision in 2020 not to implement section 33, despite a recognition that it may be necessary for future data protection law reform.
However, there are still concerns that businesses have not taken sufficient action to ensure they are compliant with the PDPO. This is particularly true for data transfers outside Hong Kong.
To comply with the PDPO, a DPIA needs to be conducted for each processing activity. This involves identifying all the personal data that is collected, stored and processed within an organization. It also includes identifying where this data is transferred, and why. This process helps to identify potential privacy risks and develop appropriate measures to mitigate these risks.
The PDPO defines “personal data” as information that can be directly linked back to an identifiable individual. This is a narrower definition than in many other legal regimes, such as the personal data protection law of mainland China and the GDPR of the European Union, where it refers to any information that can be used to identify an individual. In addition, the PDPO stipulates that personal data may only be collected for a purpose that is directly related to a function or activity of the data user, and that the data collected must be adequate but not excessive in relation to that purpose.
A DPIA is a key tool for helping organizations to understand and comply with the PDPO, but it is only part of the picture. Another important aspect is understanding and implementing data security best practices. This involves a combination of technical and organizational actions that help to keep data secure, including regular review and updating of policies and procedures, and robust training for staff.
Whether or not the implementation of section 33 changes in the future, it is imperative that businesses continue to take action to protect their Hong Kong data. This means making sure they are up to date on the PDPO and that they have effective processes in place to deal with any incidents that might arise. It also means ensuring that they have in place appropriate contractual arrangements for transfer of personal data outside Hong Kong.