Recently, a spokesperson from the Privacy Commissioner for Personal Data (“PCPD”) issued an alert about an emerging problem: Hong Kong residents are being subjected to aggressive cross-border data collection practices. Close ties between Hong Kong and Mainland business partners have led to an increase in cross-boundary personal data flows, and until now the law has provided only limited protection. But this may change soon.
The Personal Data Protection Order (PDPO) establishes rights for data subjects and obligations for data users, and regulates the collection, processing, holding and use of personal data through six data protection principles. First enacted in 1996, with significant amendments made in 2012 and 2021, the PDPO stands out among Asian legislation as an advanced approach that could significantly impact businesses.
However, the PDPO contains no explicit provision granting it extraterritorial application; it therefore applies only to persons who control the collection, holding, processing or use of personal data in or from Hong Kong. Personal data means any information relating to a living individual from which that individual can be identified, whether held in written or electronic form. It includes information regarding an individual’s racial or ethnic origin, political beliefs, religion, sexual orientation, health (genetic, biometric or mental), property holdings, financial standing or criminal history. Even the name and HKID number printed on a staff card are personal data and fall within the ambit of the PDPO.
Both before and after personal data is collected, it is vitally important that the requirements of the PDPO are fulfilled. Key among them is collecting only the personal data necessary for a specific purpose, as part of an appropriate collection plan: the data collected must not exceed that purpose, and must be adequate but not excessive for it.
Whenever the purpose for which personal data was collected changes, it is crucial that its continued processing remains lawful under the PDPO. If the new purpose does not fall under one of the existing legal bases, a risk assessment should be conducted and any potential harm carefully evaluated; this evaluation might prompt additional measures, such as technical or contractual safeguards.
Under the PDPO transfer impact assessment rules, if the level of protection in a foreign jurisdiction is found to fall short of Hong Kong standards, the data user must either suspend the transfer or implement supplementary measures that bring protection up to Hong Kong standards, such as encryption or anonymisation technologies and contractual provisions covering audit, inspection, reporting, breach notification, compliance support and co-operation. This requirement is nonetheless much less onerous than the GDPR equivalent.