Hong Kong is constructing a new data infrastructure known as CDI, which will connect banks and sources of commercial data in a more secure, efficient, and scalable way. It will replace multiple one-to-one connections between banks and data providers, enabling the exchange of more financial information and the creation of more innovative fintech products in the banking sector. The initiative is part of the HKMA’s “Fintech 2025” strategy to improve Hong Kong’s data infrastructure and enhance financial inclusion.
The Hong Kong Personal Data Protection Ordinance (“PDPO”) requires data users to fulfil certain obligations in respect of the collection and use of personal data. These obligations are primarily defined by DPP1 (Purpose and collection) and DPP3 (Use of personal data). For example, a data user must provide a data subject with a personal information collection statement before collecting his personal data. The data subject must also be notified of the classes of persons to whom his personal data may be transferred.
When it comes to cross-border data transfers, it is important to consider whether the PDPO applies. The jurisdictional scope of the PDPO is determined by reference to whether the data user has operations controlling the collection, holding, processing or use of personal data in, or from, Hong Kong.
It is also important to determine whether the personal data being transferred falls within the definition of personal data. The PDPO defines “personal data” as any information that can identify an individual, including his name; his identification number or other factors that can be used to uniquely identify him; his location; online identifiers; and the physical, physiological, genetic, mental, economic, cultural or social identity of that person. Note that the definition of personal data in the PDPO has not been updated since its enactment in 1996, so it may differ from the definitions in other jurisdictions.
If the data transfer is not covered by the PDPO, it is necessary to consider what supplementary measures are required to bring the level of protection up to Hong Kong standards. These could include technical measures such as encryption, anonymisation or pseudonymisation, or contractual provisions imposing obligations on audit and inspection, breach notification, compliance support and co-operation. In addition, the data exporter should make every effort to obtain consent from the data subject before transferring his personal data. This will not only ensure that the data transfer is lawful but also demonstrate that the exporter has considered the impact on the privacy of the individual and complied with his legal obligations. This will be important in the event that the data transfer is challenged in court.