Data.hk is the website of Hong Kong’s Office of the Privacy Commissioner for Personal Data (OPCPD). Here you will find information regarding their stance and policy developments as well as helpful guidance and resources available through them.
The PCPD strives to promote voluntary compliance with its onerous statutory obligations regarding cross-border data transfers (under Section 33 of PDPO). As part of its effort, they have published extensive guidance and model clauses for use when contracting for such transfers – these may appear as separate contractual documents, schedules to main commercial agreements or additional clauses within an overall commercial arrangement.
An important point about data transfers is that they trigger various legal obligations imposed upon data users who act as controllers of personal data being transferred, including an obligation to notify data subjects directly of how and why their personal data will be used and to whom it will be transferred; also required is taking contractual or other means to prevent their personal data being passed onto third parties outside its original purpose and used for reasons not listed within its original notification.
Data users must conduct an evaluation of the suitability of foreign jurisdiction laws and practices for protecting personal data, and if their assessment identifies inadequacies in protection, data exporters should implement additional safeguards in accordance with Hong Kong standards – these might include technical solutions like encryption, anonymisation or pseudonymisation as well as contractual ones like mandatory audit, inspection reporting, beach notification notification support co-operation agreements.
Establishing an adequate regime is a significant and complex undertaking, and PCPD has determined that creating one would require too much time and resources. Instead, they continue engaging with international privacy authorities as well as regional and global discussions pertaining to privacy matters by joining organizations like Asian Privacy Association or participating in forums hosted by Asia Pacific Privacy Authorities.
Noteworthy is the fact that the definition of personal data set out by the PDPO aligns closely with definitions found under other regulatory regimes such as mainland China’s Personal Information Protection Law and EU’s General Data Protection Regulation. Hong Kong government officials are considering adopting a more expansive definition of personal data that would more closely align our law with international standards. PCPD plans on publishing the new definition later this year. Information that identifies an individual directly or indirectly will likely fall within this scope; this would therefore exclude things such as CCTV recordings that feature individuals directly, logs of people entering car parks and records of meetings that do not specifically identify specific attendees.