Personal Data Protection Laws in Hong Kong

Dec 11, 2024

A major initiative is underway to modernise Hong Kong’s data protection laws. The reforms are intended to provide enhanced protection for individuals and increased compliance measures for businesses that handle personal data. Until the changes take effect, however, it’s important for businesses that collect or use personal data in Hong Kong to fully understand their duties under the current legislation and how they might differ from those of other jurisdictions. Padraig Walsh of Tanner De Witt offers an overview.

The Personal Data (Privacy) Ordinance (PDPO) defines personal data as “information relating to an identified or identifiable individual” and sets out eight data protection principles (“DPPs”) that must be complied with by all organizations handling personal data. These include, among other things, the requirement that a purpose be stated for collecting personal data and that collection be fair and reasonable. The DPPs also require that an organization keep personal data only for as long as necessary and that it be secured at all times. The DPPs further require that an organization implement appropriate technical and organizational measures to protect personal data from accidental loss or destruction, as well as from unauthorized access, disclosure, modification or deletion. Finally, the DPPs require that organizations notify individuals of any data breaches that occur and that individuals be able to exercise their right to access and request correction of personal data.

The PDPO applies only to those who control the collection, holding, processing or use of personal data within or from Hong Kong. This includes foreign-owned entities that have operations in Hong Kong that are controlled by a person outside of the territory, for example when such foreign-owned entities offer goods or services to people in the EEA or monitor their behaviour on the internet.

Data users must fulfil a number of obligations in relation to the collection and use of personal data, including the obligation to expressly inform an individual on or before the collection of his personal data of the purposes for which it is being collected and of the classes of persons to whom his personal data may be transferred. Transfer is a form of use, and the Privacy Commissioner for Personal Data (PCPD) explicitly states that data users should only transfer personal data to countries that have laws and practices that reflect each of the four essential guarantees of the DPPs.

This obligation arises when a data user transfers personal data to another data user in a country that is not subject to the jurisdiction of, and does not have adequate protections comparable to those of, Hong Kong. The PCPD has published recommended model contractual clauses for this scenario. These can be inserted into separate agreements, schedules to main commercial arrangements or as contractual provisions within the main agreement. The model clauses require the data importer to undertake not to carry out activities which would involve an unreasonable burden on the data exporter and to comply with any procedures undertaken by the data exporter to enforce the standard contractual clauses.