Data Handling in Hong Kong
Data hk is the practice of gathering and analysing information for use in business decisions. This information may come from primary field observations while secondary sources such as published reports can provide additional data for analysis. Data hk can help businesses improve customer satisfaction and profitability, make more informed policy decisions, and measure their own performance. In addition, it can also be used by government agencies to develop statistics and monitor trends in various sectors of the economy.
Generally, personal data is not transferred without the prior consent of the individual to whom it relates. This is a fundamental principle under the Hong Kong Data Protection Law (PDPL). A data user who wants to transfer an individual’s personal data outside of Hong Kong must first verify that the proposed data transfer meets the six core data obligations set out in the PDPL, including Data Protection Principle (“DPP”) 1 and DPP 3.
A DPP1 requirement requires that personal data should be collected by means which are lawful and fair in the circumstances of the case. A DPP3 requirement states that personal data may not, unless otherwise provided for by law, be used for a new purpose. It is therefore necessary to obtain the express, voluntary and explicit consent of the individual to whom the personal data relates before a data user can transfer an individual’s personal data to a third party or use such data for a new purpose.
In the context of cross-border data transfers, it is also becoming common for a data exporter to conduct a “transfer impact assessment” before transferring an individual’s personal data to another location. The PCPD has published recommended model clauses to be included in contracts relating to such transfers.
A transfer impact assessment involves a data exporter reviewing its PICS to determine whether the processing of the particular personal data is required by law. A review of the laws of the destination jurisdiction is also necessary.
Unlike GDPR, which requires that an adequacy decision be obtained from a foreign jurisdiction before the PDPO allows an EEA data exporter to transfer personal data to a non-EEA location, there is no such requirement under Hong Kong law. However, this is likely to change in the future as the volume of cross-border data transfers with Mainland China and internationally increases.
In addition, a Hong Kong data importer who agrees to the standard contractual clauses of an EEA data exporter must be prepared to submit itself to the jurisdiction and co-operate with the competent supervisory authority of the data exporter in any procedures aimed at enforcing compliance with those clauses. It is important for the data importer to understand these requirements, so that it can carry out a risk-based transfer impact assessment and ensure that its own procedures are aligned with those of the data exporter. Alternatively, the data importer can take steps to mitigate any adverse effects of the transfer by implementing appropriate supplementary measures. These are all part of good data ethics.