The Hong Kong Data Privacy Act (PDPO) and EU General Data Protection Regulation (GDPR) share similar principles when it comes to dealing with cross-border personal data transfers; however, there can be differences in interpretation. Padraig Walsh from Tanner De Witt, one of Hong Kong’s leading data privacy practices, guides businesses through key points they should keep in mind when conducting such transfers. This article from his practice helps businesses navigate these important points more easily.
Initial consideration should include whether or not the proposed transfer falls under PDPO. PDPO applies to “data users”, who control the collection, holding, processing or use of personal data in or from Hong Kong. The concept of “data user” encompasses any person responsible for collecting, holding, processing or using records that identify an individual.
Records may include information that pertains to an individual’s physical, physiological, genetic, mental, economic, cultural or social identity. The PDPO identifies certain forms of personal data which fall within this definition, such as their name or HKID number if collected for identification or direct marketing purposes while informing and receiving voluntary consent from them beforehand.
Another critical consideration when proposing the transfer of personal data should be whether its proposed new use would require specific consent from individuals. This differs significantly between the Hong Kong Personal Data Protection Office and GDPR where explicit permission may be needed for any new or unanticipated uses for which personal data has been collected.
Data users wishing to transfer personal data must also comply with additional provisions in the PDPO when doing so, including providing a PICS or seeking voluntary and express consent before transmitting such data. PDPO also contains requirements imposed upon data users regarding beach notification, audit inspection reporting compliance support and co-operation requirements.
Although the PDPO provides for some flexibility to meet the needs of different industries, any business considering cross-border data transfers should consult their data privacy adviser before proceeding with such transfers. It is hoped that Hong Kong government will move toward creating a broader definition of personal data and further strengthening PDPO regulations to increase compliance measures for companies who process individuals’ information.