Data HK – Transferring Personal Data Between Jurisdictions
Data hk is the abbreviation of Hong Kong, a city-state and special administrative region of China. It is often abbreviated as HK, , or . The city is located on the south coast of China and is a major international financial centre, with a strong reputation for quality of life. The city is also a hub for technology, innovation and the arts. It is home to many global companies, including telecommunications providers, banks, and financial institutions. However, with the advent of big data and analytics, personal information is now being collected at an unprecedented rate. This is raising concerns about data security and privacy.
There are several key points to consider when transferring data between jurisdictions. This article by Padraig Walsh from Tanner De Witt takes a look at the issues around data transfers, both out of Hong Kong to other locations, and into Hong Kong.
The Hong Kong Personal Data Protection Act (“PDPO”) applies to persons that control the collection, holding, processing or use of personal data in, or from, Hong Kong. The PDPO defines personal data to include any data that identifies or could identify a living individual, and includes data such as names, addresses, email addresses, telephone numbers and biometric data. There are a number of exemptions from the use limitations and access requirements of the PDPO, for example in relation to national security, defence and international relations, crime prevention and detection, assessment or collection of taxes or duties, law enforcement, news activities, legal proceedings, and life-threatening emergency situations.
In addition to these exemptions, the PDPO contains provisions that set out recommended model clauses for use in contractual arrangements between data exporters and data importers. These model clauses are intended to ensure that onward transfers of personal data will be subject to the same or substantially similar data protection obligations as those contained in the contract between the data user and processor.
As a result, data transfer laws in Hong Kong are somewhat different from those in other parts of the world. This may seem strange given the proximity to mainland China and the international business environment, but it makes sense from a legislative perspective since the principles underpinning Hong Kong’s laws are very similar to those of the EU.
In the future, it will be interesting to see if these differences continue to exist. The need for efficient and reliable means of transferring personal data across organisations, both into and out of Hong Kong, will certainly drive change. In the meantime, the current regime offers a level of compliance that is difficult to match elsewhere in Asia, and provides an attractive option for businesses that are based in or operate in Hong Kong. The HK model is a good way to balance the competing needs of both data exporters and importers, whilst also offering an appropriate level of protection for individuals. Tanner De Witt’s Data Privacy practice group is available to assist you with your enquiries. For more information, please contact the team at your local office.