Personal Data Collected and Transferred in Hong Kong
The data hk is the central database of Hong Kong’s personal information. It records the details of every person living in Hong Kong, including their name, nationality, date of birth and occupation. The database also stores other information such as medical records, criminal convictions and civil judgments. The data hk is used by the police and other government agencies to investigate crime and to process applications for various types of public services. The data hk is also used by businesses to help them decide which customers and potential clients are most likely to buy their products or services.
The personal data of a person is considered sensitive by the Hong Kong Privacy Commissioner for Personal Data (“PCPD”), and it is only permitted to be collected, disclosed or transferred with consent. This is a key principle in the PCPD’s Privacy Code (“Code”) and in the six data protection principles that form core data obligations under privacy law in Hong Kong (Data Protection Principles or “DPPs”). However, it may be easier to collect personal data than it seems at first glance. This is because, under the Code, a person’s personal data may be considered to have been collected if it is in the public domain.
In this article, we explore the legal issues that arise when an individual’s personal data is collected. We also consider the legal implications of transferring that personal data to other jurisdictions, and we offer advice on how to avoid any potential issues in this area.
What is personal data?
The term ‘personal data’ is broadly defined in the Code and includes any data that relates to an identifiable natural person, such as name; identification number; passport or identity card number; location data; online identifier; and factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. This definition is broader than the one in the European Union’s General Data Protection Regulation (“GDPR”), which makes reference to the concept of “adequate protection”.
It is not mandatory for a business to carry out a transfer impact assessment when preparing to export personal data to another jurisdiction. But a transfer impact assessment will help the business to assess whether the proposed data export is appropriate and to identify any supplementary measures that may be necessary to bring the level of protection in the foreign jurisdiction up to Hong Kong standards. These supplementary measures could include technical measures such as encryption, anonymisation or pseudonymisation, and contractual provisions regarding audit, inspection and reporting, breach notification, and compliance support and co-operation. They may also involve legal advice in respect of the standard contractual clauses that a data exporter has agreed to with a data importer. In these circumstances, the EEA data exporter will be able to enforce those clauses under GDPR. In contrast, any enforcement action against a Hong Kong business that agrees to those clauses will be subject to the laws of the jurisdiction of the data importer.