Modernisation of Hong Kong’s data protection laws is being mooted, and it may soon be time for businesses to consider upgrading their compliance measures. Until then, it is essential that they understand their current obligations under the PDPO, and how these might differ to their duties in other jurisdictions.

A common concern of the public is that personal information can be used for unscrupulous marketing purposes, especially when it is gathered to target specific individuals. To address this, Hong Kong’s PDPO requires that data collection occur for lawful and fair purposes, and that an individual’s consent must be obtained before using personal data for any new purpose. The PDPO defines “prescribed consent” as an individual’s voluntarily expressed explicit assent, and it must be freely given, informed, specific and unambiguous. It is also important to note that a person’s consent cannot be withdrawn without giving notification.

The PDPO defines personal data as any information that can identify a natural person, or that is capable of doing so. This can include the person’s name, identification number or other means of identifying them, whether in written or electronic form; and other factors specific to that individual’s physical, physiological, genetic, mental, economic, cultural or social identity. As a result, many organisations are not sure what types of data fall within this definition. A recent discussion paper has proposed expanding the definition of personal data to include an individual’s online activities and social media posts, which would bring a great deal more information under the scope of the PDPO.

As in other jurisdictions, the PDPO governs any organisation that collects, processes, holds or uses personal data. This includes both private and public sector organisations, as well as government departments and agencies. As such, the PDPO is likely to impact most industries in Hong Kong, including the financial services industry, which is particularly active in cross-border business activities.

Data users who intend to transfer personal data outside Hong Kong must fulfil a range of onerous statutory obligations, including complying with the six DPPs set out in the PDPO. To this end, the PCPD has produced recommended model contractual clauses to facilitate these transfers. These can be incorporated into separate agreements or as contractual provisions in the main commercial agreement between the data user and the data processor.

It should be noted that Hong Kong does not contain a statutory restriction on the transfer of personal data abroad, as there is in the EU. However, the PDPO does contain detailed and stringent enforcement mechanisms, including fines for non-compliance that can range from the equivalent of a few thousand dollars to HK$10 million or even imprisonment. It is therefore vital that businesses ensure that they are fully compliant with the PDPO in order to avoid such penalties. As a further note, data users must also take steps to prevent personal data transferred to a third party in a country other than Hong Kong from being kept for longer than necessary for data processing (DPP 2(3)). This can be achieved by implementing contractual clauses.