Personal Data Protection in Hong Kong

Hong Kong (abbreviated as “HK”), formerly a British crown colony and currently an autonomous special administrative region of China, serves as an international business centre and hub for trading, financial services and port services in Asia. Its name reflects this fact; indeed the Chinese character for “Hong Kong” () has been adopted as its official emblem.

Hong Kong’s Personal Data Protection Ordinance (“PDPO”) governs the collection and use of personal data by individuals in Hong Kong. This legislation sets forth their responsibilities, with DPP1 outlining purpose and collection requirements and DPP3 outlining use. Most obligations related to collecting personal data in Hong Kong are fulfilled by providing data subjects with a personal information collection statement (“PICS”); however, there may be occasions where data transfers also trigger obligations under this Act.

The PDPO defines personal data to include any information regarding an identified or identifiable individual. This definition has not changed since its first implementation in 1996, but remains consistent with interpretations of personal data in other regulatory regimes.

Therefore, the PDPO requires any organization which transfers personal data internationally to put in place arrangements which ensure it will only be used for its original purpose and not further used or shared for any other reason. This is designed to prevent misuse of personal data and safeguard individuals’ rights to privacy.

To fulfil this obligation, the PDPO mandates data users to clearly indicate who their transferees are within their PICSs. This ensures data subjects understand exactly how their personal information will be shared, giving informed consent for its transfer. Furthermore, according to PDPO regulations, data transferee identities should also be disclosed to data subjects prior to data transfers occurring.

Data users seeking to meet this obligation should consider their current business practices and contracts to ensure that any information transferred is not used for purposes other than those intended. Furthermore, the PDPO requires data users to adopt contractual or other means to ensure personal data they transfer is not kept longer than necessary; recipients must then take measures to delete it when its original purpose has been accomplished.

Although the PDPO contains specific provisions related to data transfer, its scope does not encompass all aspects of overseas data flows. This is because its jurisdiction only extends to persons whose operations control collection, holding, processing or use of personal data in Hong Kong. This may not always be easy, as many anti-money laundering (“AML”) regimes are extraterritorial and still apply even when an entity does not operate out of Hong Kong; here AMLO requirements and the AML Guideline would likely govern AML-related data flows.