As cross-border data transfer increases, compliance with Personal Data Protection Office laws on personal data transfers becomes ever more essential. This is particularly significant given that Hong Kong’s data regulation laws derive from other jurisdictions’ data privacy regulations – including mainland China. Padraig Walsh from Tanner De Witt’s Data Privacy Practice Group shares some key considerations when exchanging personal information between businesses.
Under the PDPO, one of the main issues in data transfer is whether a party falls into the category of “data user” defined by this law, which triggers certain legal obligations (for instance, complying with the six data protection principles). A person is a data user if they control any aspect of collecting, holding, processing or using personal data; if they do not, issues of transfer likely won’t arise.
But many factors can determine who constitutes a data user, including their intentions when collecting personal information and the purpose to which they will put it. For example, taking photos at concerts usually doesn’t count as collecting personal data because the purpose isn’t to identify individual persons; other examples might include CCTV recordings, logs of people entering car parks and records of meetings that do not identify specific people as data collectors.
One additional consideration in collecting personal data from public sources is whether or not someone has given their consent for its collection. Valid consent must be lawfully obtained; for data collected publicly this requires looking at both DPP 1 and DPP 3 of the PDPO: DPP 1 states that data must only be collected by means that are both lawful and fair, while DPP 3 requires that it be used for its intended purpose, with the prescribed consent of data subjects.
Businesses based in Hong Kong increasingly must conduct transfer impact analyses (“TIA”) due to the application of laws from other jurisdictions, particularly within the European Union (“EU”). The EU General Data Protection Regulation (“GDPR”) has proven itself to be such an instrument. A TIA may be necessary if a Hong Kong data importer agrees to standard contractual clauses proposed by an EEA data exporter under GDPR and/or any other regulations from EU member states. A TIA follows a similar procedure to any transfer governed by the PDPO: specifically, a review of the PICS to ascertain whether or not the purpose for which the data transfer occurs fits with those detailed there.