How to Comply With the PDPO When Transferring Personal Data Outside of Hong Kong

When a company transfers personal data to another jurisdiction, it must do so in accordance with Hong Kong’s law. The Personal Data Protection Ordinance (PDPO) sets out six data protection principles and applies to both the collection and processing of personal information. It prohibits unauthorized access, disclosure, erasure, loss, or use of personal information. It also requires a data user to have technical and contractual measures in place to ensure that the foreign jurisdiction’s laws and practices are compliant with the PDPO.

Cross-border data transfer is a necessary part of business, but it also poses a risk for the privacy of personal information. Consequently, it’s important to understand how to protect data while still allowing for the free flow of information. The first step is to conduct a transfer impact assessment. This involves analysing the risks associated with a data transfer, identifying any steps that can be taken to minimise those risks, and taking legal advice where necessary.

The PDPO also establishes data subject rights, and provides specific obligations to data controllers and processors. A data user is liable for its agent’s or contractor’s breach of the PDPO, which includes sharing personal information without consent. Moreover, the PDPO makes it illegal to disclose personal information in public or online without consent. This act is commonly known as doxxing.

In addition, the PDPO prohibits the transfer of personal data from Hong Kong to countries that don’t offer adequate protection. This requirement is based on the principle that data subjects have a right to expect their personal information to be protected when it’s transferred outside of Hong Kong.

This is why it’s vital to make sure your data transfer policy complies with the PDPO, even when it’s not required by law. Otherwise, you could be facing heavy fines or even a lawsuit. In the worst-case scenario, you may be subject to an injunction or a restraining order, which would prevent you from continuing to collect and process personal data. This would significantly disrupt your business operations, and may even damage your reputation, particularly in the event of a data breach.

A restraining order is usually issued if the court finds that there are reasonable grounds for believing that the personal data you are processing is at risk of being stolen or misused. It can be lifted once the personal data is no longer at risk of being stolen or misused. If you’re not able to lift the restraining order, your business could face fines of up to HK$20,000.

For this reason, it’s important to consult a data protection specialist before transferring any personal information abroad. They can help you design a comprehensive, robust, and legally compliant data transfer policy for your business.