Personal Data Transfers Between Hong Kong and a Foreign JurisdictionPersonal Data Transfers Between Hong Kong and a Foreign Jurisdiction
Once a person collects personal data, they become known as “data users”, incurring numerous legal obligations under the PDPO. This includes giving a PICS (personal information collection statement) prior to gathering personal information from data subjects, and obtaining their voluntary and explicit consent before sharing or using that data for purposes other than its original intended use (ie not listed on PICS).
Additionally, they must comply with the six Data Privacy Principles that form core data obligations under privacy law in Hong Kong. One such principle entails only providing personal data to data users who abide by DPPs or a “third country” with an adequate data transfer agreement with Hong Kong; these obligations apply no matter whether the transfer takes place within or outside Hong Kong.
But despite these legal provisions, Hong Kong’s Personal Data Protection Ordinance does not impose any statutory restriction on the transfer of personal data outside its borders – something which seems at odds with what has been adopted in other jurisdictions that have adopted an adequate or equivalent regime for cross-border data transfers. Perhaps Hong Kong’s approach can be explained by considering mainland China a separate legal jurisdiction under “one country, two systems” principle. Regardless, section 33 could never come into force here in Hong Kong.
Tanner De Witt’s Privacy Team provides guidance for clients through any issues related to personal data transfers between entities in Hong Kong and those located outside. They assist clients in understanding any questions that arise with this regard and guide them in terms of applying Section 33 when conducting such transfers.
First and foremost, it is essential to recognize that the definition of personal data in the PDPO is extremely expansive, including any information pertaining to an identifiable individual. This definition aligns with that found in other legislative regimes like mainland China’s Personal Information Protection Act or Europe’s General Data Protection Regulation.