Data Protection Laws in Hong Kong and China

Data hk is an online portal for a wide range of public sector information in Hong Kong, enabling individuals to download geospatial data for commercial app development or academic study freely. The data is collected under the authority of various government departments and agencies. The underlying principle of data hk is that everyone has the right to privacy. This includes the right not to be subjected to arbitrary interference with their private life, family, home and correspondence or to unlawful attacks on their honour and reputation. However, the law does not protect everything. For instance, the law does not prohibit taking photographs at a concert or in a public place, but only those that identify individuals can be considered to be personal data.

Section 33 of the PDPO prevents the transfer of personal data outside Hong Kong unless certain conditions are met. This is in order to ensure that the level of protection for personal data transferred abroad does not fall below that provided for by the PDPO.

The requirements that must be fulfilled by a data user before the transfer of personal data are defined in DPP 1 (Purpose and collection) and DPP 3 (Use of personal data). In principle, these obligations include expressly informing a data subject on or before collecting his personal data of the purposes for which the data will be used, the classes of persons to whom the personal data may be transferred and obtaining his prescribed consent to such transfer. In practice, these obligations are normally fulfilled by providing a PICS to the data subject on or before the original collection of his personal data.

A further requirement is that, if it is necessary to transfer personal data abroad, the data exporter must verify that the foreign jurisdiction’s laws and practices provide an adequate level of protection for the personal data in question. This is achieved by conducting a transfer impact assessment (TIA). In the majority of cases, this requires the involvement of the data exporter’s local supervisory authority.

An adverse finding in a transfer impact assessment will require the data exporter to either suspend the transfer or implement appropriate supplementary measures. Supplementary measures might involve technical or contractual arrangements, such as the use of encryption, anonymisation or pseudonymisation and split processing.

Given the increasing volume of cross-border data flow with mainland China under the “one country, two systems” arrangement, a more efficient and reliable legal basis for transfer is urgently needed. The status quo of requiring an adequacy or equivalent regime is unlikely to suffice in the long run. With the rise of the global economy and digitalisation of businesses, it is essential to have a robust data governance program in place. This can be realised by starting with a clear vision and building an actionable business case.