Hong Kong has a well-established data protection regime that includes some of the most rigorous requirements for businesses operating within Asia. While the regime does not contain a statutory restriction on transferring personal data outside the territory, it does include robust and onerous obligations for businesses that have significant and sensitive processing of personal data. These obligations are set out in the Data Protection Principles (DPP) of the Personal Data Protection Ordinance (“PDPO”) and the recommended model contractual clauses.

The first obligation is a requirement to expressly inform a data subject, on or before the collection of his personal data, of the purposes for which the data will be used and the classes of persons to whom the data may be transferred. This obligation applies regardless of whether the data user processes the data in Hong Kong or outside it. Moreover, the PDPO requires that the consent of the data subject be obtained for transfer of his personal data, unless an exception applies. These exceptions are broadly based on the purpose of the original collection and include:

In addition, there is a requirement to provide a copy of the personal data to the data subject on request. The PDPO defines “personal data” as information that can identify a living individual, or from which it is practicable to identify an individual. The term also includes information about legal entities such as companies and trusts.

Lastly, there is an obligation for the data user to comply with any applicable law in the jurisdiction of the receiving entity in relation to the use and handling of the personal data. In the absence of a specific law, this will usually mean compliance with the local data protection laws in force.

While there is no statutory restriction on the transfer of personal data from Hong Kong, the PDPO does require that data users consider carrying out a transfer impact assessment. This is a formal exercise to determine whether the laws and practices of a foreign jurisdiction are adequate to protect the personal data of the data subjects. If the assessment is adverse, then the data exporter is required to suspend the transfer or to implement adequate supplementary measures. Supplementary measures can take a number of forms, including technical measures such as encryption and pseudonymisation, and contractual measures such as additional provisions regarding audit, inspection and reporting, beach notification and compliance support and co-operation. Alternatively, the data exporter may be able to proceed without implementing supplementary measures if he can demonstrate that there is no reason to believe that the foreign jurisdiction will not treat the personal data transferred as unfair. This is referred to as the “fair balance” approach. However, this is a high bar and the PDPO does not provide much flexibility in the application of this principle. Nonetheless, the requirement to carry out a transfer impact assessment is a good practice that any business should consider. It will assist in the prevention of data breaches and in minimising the impact of any potential penalties.