For years, increased cross-border flow of personal data was seen as the lifeblood of Hong Kong’s economy. Facilitating that flow was a core value of the PDPO. Yet, increased globalization and data protection law reforms have led to a reconsideration of the place of Section 33 in Hong Kong’s legal landscape. It looks increasingly likely that the implementation of Section 33 may never come to pass in Hong Kong.
Currently, the PDPO only contains a limited and very specific exemption from use limitations and access requirements: information about a natural person that may be directly or indirectly identified, whether in electronic form or not, is personal data. This includes: (i) information about a living individual from which it is practicable to identify the individual; or (ii) any information that is likely to lead to the identification of an individual, including an online identifier.
Further, a data user may not process personal data for a purpose other than that for which it was collected unless it is authorised to do so by the PDPO or the prescribed consent of the individual has been obtained. This is a markedly less onerous requirement than under the GDPR.
In addition, a data user must ensure that any personal data that it transfers to a third party is protected by means of standard contractual clauses. These include: (i) a requirement that the transferred personal data not be used in any way that is inconsistent with the original purposes for which the personal data was collected; and (ii) a prohibition on the transfer of any personal data to any country that does not have laws that are comparable to those of Hong Kong.
It is also important to note that a data importer must undertake and document a transfer impact assessment if it imports personal data of EEA persons from a data exporter in the EEA or from a jurisdiction that is not a member state of the European Union. This is a mandatory requirement under the GDPR, though not under the PDPO.
There are a growing number of circumstances in which a Hong Kong business may be required to conduct and contribute to a transfer impact assessment by virtue of its being a data importer of personal data from the EEA. Such assessments may impact upon the ability of a business to conduct its operations in the EEA.
It is essential that business leaders review these changes and determine their impact on their businesses’ current and future operations. Those who do not take appropriate steps now may find themselves facing significant penalties under the GDPR and other global privacy laws, and could be hampered in their ability to operate effectively. Those who do will be in a much stronger position to continue to serve their customers and employees while maintaining compliance with global privacy law. This will help to ensure that a business’s reputation is not damaged by unintended or unexpected consequences of new international data protection requirements.