Data hk is an initiative to advance best practices and ethical standards in data protection. Businesses will benefit from adhering to both their statutory obligations as well as internal commitments regarding data transparency and best practice. Furthermore, this initiative will assist companies in complying with international privacy laws such as those found within the European Data Protection Board (EDPB).

The PDPO establishes data subject rights, controller obligations, and regulates collection, processing, holding and use of personal data through six principles of data protection. It went into force on 20 December 1996 and has been amended twice – first in 2012 when regulations surrounding direct marketing use of personal data were added and again in 2021 when disclosure without consent (doxxing) became an issue.

When Hong Kong businesses export personal data overseas, the PDPO requires them to conduct a transfer impact assessment. This analysis examines levels of protection in Hong Kong as well as any related data subjects in order to ensure that any proposed transfer complies with data protection law in the destination jurisdiction. Typically, assessments include discussion regarding why personal data is being transferred; evaluation if it constitutes new purposes; and requirement of explicit informed consent of each data subject before making its transfer decision.

Under PDPO, transfer impact assessments are not mandatory, yet there are an increasing number of situations in which such assessments must be performed under local laws. Data exporters in Europe typically conduct these assessments, while companies increasingly find themselves being asked to carry out such assessments when moving personal data cross-border from Hong Kong into other jurisdictions.

HK government’s move towards adopting a stricter definition of personal data could have far-reaching repercussions for businesses that use data-related technologies. Compliance measures could increase, as they would need to consider additional statutory obligations such as the European Deposit Insurance and Guarantee Bank (EDPB)’s six step framework for conducting transfer impact analyses. This would require them to notify data subjects of any potential transfers, review their PICS system and determine whether additional consents may be required before implementing any policy or practices regarding data collection and processing. It would therefore be prudent to closely follow developments in this area and keep an eye out for any possible restrictions to data export between nations, as this may impact trade and investment significantly in the region. It is therefore vital that we closely follow developments here.