Personal Data Protection in Hong Kong

The Personal Data (Privacy) Ordinance (“PDPO”) defines “personal data” as data that relates directly or indirectly to a living individual, from which it is practicable for the identity of that individual to be directly or indirectly ascertained, and that is in a form in which access to or processing of the data is practicable. In substance this is close to the definition of personal data in other data protection laws such as the General Data Protection Regulation that applies to the European Economic Area (“GDPR”), although the PDPO definition is limited to living individuals.

In Hong Kong, a person is a “data user” only if he or she, alone or jointly with others, controls the collection, holding, processing or use of personal data. Whether a data user falls within the reach of the PDPO also depends on whether he or she controls such collection, holding, processing or use in or from Hong Kong.

Unlike some other data privacy regimes, the PDPO does not currently impose an operative statutory restriction on transferring personal data outside Hong Kong: section 33 of the PDPO, which would do so, has been enacted but has not been brought into force. The PDPO does, however, require a data user to provide certain information to a data subject on or before collecting his or her personal data (DPP 1), and to use contractual or other means to ensure that personal data transferred to a data processor, whether within or outside Hong Kong, is not kept for longer than is necessary for the processing (DPP 2) and is protected against unauthorised or accidental access, processing, erasure, loss or use (DPP 4).

A Hong Kong data importer that receives personal data of data subjects in the EEA is likely to need to agree to the standard contractual clauses proposed by the EEA data exporter and to contribute to the exporter’s transfer impact assessment. These requirements arise under the GDPR’s rules on transfers to third countries rather than under the PDPO. The Privacy Commissioner for Personal Data (“PCPD”) has issued guidance to assist Hong Kong businesses with such matters.

There are a number of exemptions from the PDPO’s use limitation and other requirements, including for the prevention or detection of crime and other law enforcement purposes. A data user should nonetheless review the exemptions carefully and take steps to ensure that reliance on them does not result in more personal data being retained or transferred than is necessary for the purpose.

In addition, the PDPO requires a data user to take all practicable steps to protect the personal data it holds against unauthorised or accidental access, processing, erasure, loss or use (DPP 4). The PDPO also provides that an act done by an employee in the course of employment, or by an agent acting with the data user’s authority, is treated as done by the data user, so a data user remains responsible for breaches of the PDPO committed by its employees and agents.

In the event of a data breach, a data user should take reasonable and appropriate measures to contain and remediate the breach. The PDPO does not prescribe specific breach-handling steps and, as it currently stands, does not impose a mandatory obligation to notify the Commissioner or affected data subjects. The PCPD nonetheless expects data users to have policies in place to identify and rectify breaches as soon as they are discovered, and recommends in its guidance that the Commissioner and affected data subjects be notified as soon as practicable, so as to encourage timely disclosure and minimise the risk of harm or distress to data subjects. Notification is particularly important where the breach is likely to result in serious adverse consequences for those individuals or damage to the reputation of the data user.