Transfer Impact Assessments and Personal Data Protection Acts

As cross-border data flow becomes an ever more integral part of business and daily life, a growing number of businesses will find that they are required to undertake a transfer impact assessment under the Hong Kong Personal Data Protection Act (“PDPO”). Similarly, there will be circumstances where a Hong Kong data user’s obligations to protect their customers’ personal information will require them to comply with laws in jurisdictions other than their own. As such, it is vital that both businesses and their legal advisors are aware of these issues and can effectively navigate the requirements of their governing laws.

While modernisation of Hong Kong’s data privacy laws has been mooted, until this happens businesses must ensure they understand their existing obligations. One area that has received particular attention in recent times is the treatment of IP addresses, which are considered to be personal data under both European and Hong Kong law. In addition, there has been a growing interest in the way that telecommunications providers in Hong Kong treat their customer’s data. This is the driving force behind the Access My Info: Hong Kong (‘AMI:HK’) project, a joint initiative by members of InMediaHK, Keyboard Frontline, Open Effect and Citizen Lab to see whether there is consistency in the way that telecommunications service providers in Hong Kong handle data access requests made by their customers.

Despite the increasing focus on IP address processing, it is important to remember that under PDPO, the definition of “personal data” includes any information that can be used to identify an individual. This includes not only a person’s name, ID number, location data or online identifiers, but also any other information that can be used to determine the physical, physiological, genetic, mental, economic, cultural or social identity of an individual. This includes location and geo-temporal data, as well as health and medical records.

The PDPO also requires that a data user must fulfil certain obligations in relation to collection and use of personal data, such as giving explicit notice to data subjects of the purposes for which the data is collected, the classes of persons to whom the data may be transferred and how the data will be used (DPP1 and DPP3). This must be accompanied by a full statement of the rights of data subjects under PDPO (DPP4).

Finally, a data user must also keep records of all processing of personal data for as long as the data is retained (DPP5). If any such record is accessed, lost or amended, the data user must take steps to recover it (DPP6).

Unlike some other jurisdictions, there is no statutory restriction on the transfer of personal data outside of Hong Kong. However, a wide range of protections are available to safeguard against the risks associated with this, including: