Managing Personal Data in Hong Kong

If you’re in the business of managing large volumes of data, you know how much time it takes to keep up with changes. It’s even more difficult to maintain a coherent picture of data governance when working across multiple teams and geographies. That’s why it’s important to use tools like RACI (responsible, accountable, consulted, informed) to assign roles and responsibilities for data management projects.

A common assumption is that a data privacy law like the Hong Kong Personal Data Protection Ordinance (“PDPO”) only applies in relation to a company’s operations in Hong Kong. However, it is not so. The PDPO has extra-territorial application. This means that it applies to a data user who controls the collection, holding, processing or use of personal data in, or from, Hong Kong.

The PDPO provides a number of key protections. One is that a data user cannot transfer personal data to a person outside of the EEA unless the data subject consents to it (DPP 5). Another is that a data user must not disclose personal data to a third party without the prior permission of the data subject unless it is in connection with a service or activity for which the disclosure is necessary (DPP 4). Finally, a data user must take such steps as are reasonable in the circumstances to protect personal data being transferred from Hong Kong from unauthorised access, accidental or deliberate destruction, loss or alteration or from other forms of unlawful interference (DPP 6).

These rights are important. However, it is also crucial to remember that the PDPO does not provide comprehensive protections for all matters of data privacy. For example, it does not prohibit arbitrary interference with the private lives of individuals or attacks on their honour and reputation. That is why a complete and robust privacy program should be in place to cover all aspects of the business.

Data transfers are a frequent occurrence in the business world, and it’s essential to understand the data privacy regulation that is applied to them. Padraig Walsh from Tanner De Witt’s data privacy practice group discusses the key points to consider for any personal data transfer in or out of Hong Kong.