Data HK – How to Comply With the New Personal Data Protection Ordinance

Data hk is a portal that provides access to more than one million open data sets from international, EU, national, regional and local sources. The datasets are organised into categories and can be viewed using charts, maps, line graphs and cross sectional plots. The portal is free to use.

Modernisation of Hong Kong’s data protection laws is mooted and would increase compliance measures for companies who process information that could impact on individuals. This is particularly the case for those who collect personal data and those which use technologies that learn about individual behaviours or predict their potential impact.

The existing law – the Hong Kong Personal Data (Privacy) Ordinance (“PDPO”) – sets out a comprehensive range of data subject rights and specific obligations for data users. It also provides a series of six data protection principles that govern the collection, processing, holding and use of personal data.

One of the key provisions of the PDPO is that the consent of a data subject must be obtained before a Hong Kong-based company can transfer personal data to a class of persons not set out in its PICS or use it for a purpose not specified in its PICS. This obligation applies whether the data user is collecting personal data from a natural person directly or from another data source.

This is a far more rigorous requirement than is required by many other jurisdictions, which require that the data be processed for a “new purpose” and not simply for the original purpose for which it was collected. However, it is important to remember that the PDPO does not prohibit the disclosure of personal data where it is in response to a valid request from a law enforcement agency or court order.

In this context, it is helpful to note that the PDPO defines “personal data” broadly to include any information relating to an identifiable person. This is similar to the definition of personal data in other regimes, such as the Chinese Personal Information Protection Law and the European Union’s General Data Protection Regulation.

As a matter of good practice, a data exporter should review its PICS and consider taking legal advice in respect of any contractual arrangements with data importers to ensure that the underlying grounds are sufficient for the cross-border transfer. This will be an essential step if the data exporter is to satisfy its PDPO obligations in relation to data transfer issues. A failure to do so may result in a breach of the PDPO. If that happens, a substantial fine may be imposed on the data exporter.