Personal data transfers have become more frequent with cross-border business transactions and it is crucial that individuals understand how data transfer regulations impact them in order to reduce risks and ensure efficient compliance. Padraig Walsh from Tanner De Witt’s Data Privacy practice group offers this article which highlights key points when considering sending personal information abroad.
As the starting point, determine whether the data in question qualifies as “personal data” under Hong Kong law. This definition, similar to other legislative regimes such as mainland China’s Personal Data Protection Ordinance and Europe’s GDPR, seeks to capture information pertaining to an identifiable human person. It covers many categories, such as name; identification number; location data; factors that identify the physical, physiological, genetic, mental, economic, cultural or social identity of an individual; and employer and employee records.
If the data in question falls into this category, certain additional obligations arise. One such requirement is informing data subjects of the intended uses of their personal information and the classes of recipients before it is collected; this requirement can often be fulfilled by providing a Personal Information Collection Statement (PICS).
The PICS must also specify that data users will not use personal data for direct marketing without first obtaining consent from data subjects, similar to what is required under the PDPO. Failure to comply with these requirements constitutes a criminal offence punishable by fines of up to HK$500,000 and imprisonment of up to three years.
Last but not least, data exporters must determine whether their assessment of laws and practices in a foreign jurisdiction reveals that its level of data protection falls short of Hong Kong standards. If it does, additional steps must be taken so that protection of their data is brought up to Hong Kong standards. Such steps include encryption or pseudonymisation, as well as contractual provisions requiring audit, inspection and reporting, breach notification, and compliance support and co-operation.
As these issues demonstrate, the processing of personal data in Hong Kong and other jurisdictions is complex. Therefore, businesses must ensure they understand the legal basis for any proposed personal data transfer as well as extraterritorial application of PDPO rules and their implementation rules.