The Personal Data Protection Ordinance (PDPO) and Data Transfer Regulations

Several US tech companies — including Google, Facebook and Twitter — said within a week of the national security law’s enactment that they had paused handling requests for user data from Hong Kong authorities until they reviewed the new law. But the move left those companies vulnerable to attacks by the government on the basis of the new law’s language around “doxxing,” the malicious publishing of private or identifying information about individuals online.

The PDPO defines a “data user” as a person who controls the collection, holding, processing or use of personal data. It requires a data user to expressly inform the data subject, on or before the collection of personal data, of the purposes for which the data will be used and the classes of persons to whom it may be transferred. The PDPO does not include any express provision giving it extra-territorial application.

However, the PDPO does not define “use” in such a way that it excludes transfers from Hong Kong to other locations. Moreover, data transfer is a key feature of the internet and of many business models. Padraig Walsh from Tanner De Witt’s Data Privacy practice group takes a look at the legal implications of data transfers, whether between Hong Kong and other locations or between different entities within the same entity.

A defining feature of the PDPO is its application to all parties who control the collection, holding, processing or use of personal data, regardless of where in the world they are located. A “data processor” is a person who processes personal data on behalf of a data user. In many cases, a data processor is located outside of Hong Kong. Under the PDPO, a data processor must comply with the six DPPs, including DPP2.

DPP4 states that a data processor shall ensure that any third party to whom it provides personal data receives only that information necessary for the purpose for which it was provided and that such information is secured against unauthorised access, processing, erasure or disclosure. The PDPO also makes it clear that the data user is liable for a breach by its processor or agent.

In a world where personal data is constantly being transmitted, the laws that regulate these transfers are critical to minimising legal risks and promoting efficient compliance across organisations. Padraig Walsh, a partner in Tanner De Witt’s Data Privacy practice, will outline the legal issues to consider in relation to personal data transfers between Hong Kong and other locations or between different parties in Hong Kong. He will also discuss how this context can affect the interpretation of key data privacy principles and their application in Hong Kong.