There is a growing recognition of the need to improve global data privacy protection and increase accountability for those who control personal data. These developments have resulted in more than 60 countries and territories introducing new laws or reforming existing ones. As a result, it is increasingly important for businesses to ensure their activities are compliant with data hk laws. In order to do so, they must understand the legal frameworks that govern them.

The data hk law that applies to most Hong Kong businesses is the Personal Data Protection Policy (“PDPO”) which establishes data subject rights, sets out specific obligations to data controllers and regulates the collection, processing, holding, use and disclosure of personal data through six data protection principles (DPPs). The PDPO came into force on 20 December 1996 and has been amended several times. The most significant amendments, which took effect in 2012 and 2021, related to regulating the use of personal data for direct marketing purposes and the act of disclosing personal information without consent (‘doxxing’).

Section 33 of the PDPO prohibits the transfer of personal data outside Hong Kong unless it is necessary for the performance of a contract with the data subject or with the purpose of fulfilling a public task, provided that the data user has expressly informed the data subject on or before the collection of his personal data of the purposes for which the data will be used and has obtained his consent. There have been concerns from the business community that this restriction could lead to unnecessary and unnecessarily onerous compliance requirements and that it would be difficult to achieve compliance. The PCPD has therefore developed guidance in relation to this and recommended model clauses that can be included in contracts dealing with cross-border data transfers.

Unlike some other data privacy regimes that contain an element of extra-territorial application, the PDPO does not include any explicit provisions conferring extra-territorial jurisdiction. However, it is likely that if a Hong Kong entity is the data importer of personal data from a person resident in the European Economic Area (“EEA”) or is a data exporter of personal data to the EEA, then the PDPO will apply to that data flow.

The PDPO defines personal data as information relating to an identifiable natural person. This definition is broadly consistent with the definition of personal data in the GDPR and other legislative regimes worldwide. Identifiable natural persons can be identified by reference to their name; identification number; location data; or any other factor that is specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual. A ‘processor’ is defined as any person who processes personal data on behalf of the data user and the PDPO makes clear that a data user is liable for a processor’s breach of the DPPs. Data users are also required to ensure that contractual arrangements with data processors ensure that the DPPs are complied with.