Data Hk and the PDPO
The development of data hk is part of the Hong Kong government’s plan to improve its financial infrastructure, boost economic growth and enhance financial inclusion. The new platform will facilitate the exchange of data between banks and other sources of commercial data, reducing duplication and making data sharing more efficient and secure. It is expected to help businesses create more innovative financial products and services, and boost the overall appetite for fintech solutions in Hong Kong.
The new data hk platform will be powered by the HKMA’s Fintech 2025 strategy, which will help to build up the overall ecosystem for fintech in Hong Kong. By integrating with the global Fintech Data Hub, the new platform will enable more seamless data-sharing between local and foreign financial institutions and enhance the efficiency of cross-border financial transactions. The new platform will also allow the HKMA to better monitor and regulate the emerging financial technology (“fintech”) industry in order to protect consumer interests.
In Hong Kong, the PDPO provides for six data protection principles and establishes data subject rights and specific obligations to data users. In addition, the PDPO governs the collection, processing, holding and use of personal data through the following four laws:
A key issue that has arisen is the definition of “personal data”. The PDPO was first enacted in 1996 and it was in line with international norms on this term at that time. However, other legislative regimes have since updated the definition of personal data – including the Personal Information Protection Law that applies in mainland China and the General Data Protection Regulation that applies in the European Economic Area.
As a result, the PDPO is often applied in a more restrictive manner in these jurisdictions than in Hong Kong. In addition, the PDPO does not contain any express provisions conferring extra-territorial application.
This issue has become a significant concern because many companies that handle personal data may transfer it to other jurisdictions. For example, some companies have incorporated clauses in their service agreements that permit them to process personal data transferred to their servers overseas. This may be done in order to meet regulatory requirements in those jurisdictions, or to reduce costs by avoiding the expense of compliance with the PDPO in Hong Kong.
One of the PCPD’s primary responsibilities is to promote awareness about the PDPO. It does this through education, workshops and other initiatives. It also works with the financial sector, government agencies and the public to provide guidance on the application of the PDPO. The PDPO has been widely adopted in the banking and finance sectors, and is now being extended to other industries, such as technology and health care.
In order to comply with the PDPO, data users must inform data subjects of the purposes for which their personal data is collected and used, and of the classes of persons to whom it may be transferred. The information must be given on or before the collection of personal data, unless the PCPD otherwise specifies.