DATA HK is the name of Hong Kong’s new data protection authority. It’s a big deal for businesses that collect and process personal data. Its purpose is to ensure that people’s personal information is protected and used lawfully. Its remit covers a wide range of issues, including the investigation and enforcement of data breaches, and compliance with the six statutory data protection principles (DPPs) that form the core of privacy law in Hong Kong.
For example, the DPPs stipulate that a person’s name and Hong Kong ID number must not be publicly displayed together or made available to people outside the organisation without its consent (DPP 1) and that the organisation should use only the minimum amount of personal data necessary for the purposes it intends to achieve (DPP 2). It is also a requirement under the DPPs that a data user must adopt contractual or other means to prevent data processors within and outside Hong Kong from unauthorised access, processing, erasure, loss or use of personal information transferred by the data user for processing (DPP 2 and DPP 4). Finally, the DPPs also provide that a data user is responsible and liable for any act or omission of its agents, which includes data processors outside Hong Kong, irrespective of whether it could have prevented the act or omission (section 65, PDPO).
If a data user is caught breaching the DPPs, it could be subject to hefty fines. It is therefore vital for businesses to understand the requirements of DATA HK to ensure compliance and avoid penalties.
Aside from data transfers, the PDPO has significant implications for the way in which companies collect and use personal data. There is a requirement for a data protection impact assessment (DPIA) to be carried out before the collection of personal data, and an obligation to comply with the six statutory data protection principles. Non-compliance can lead to serious consequences, such as imprisonment.
The PDPO also provides a right for individuals to request access to their personal data held by organisations. This enables them to rectify, block or erase the personal data that is processed in an incorrect manner. The PDPO does not prevent the transfer of personal data abroad, but it does restrict the use of personal data for direct marketing and in relation to criminal investigations or proceedings.
The PDPO also contains an exemption from the use limitations and access requirements for certain purposes, such as the safeguarding of Hong Kong’s national security, defence or foreign affairs, crime prevention or detection, assessment or collection of tax or duty, news reporting and life-threatening emergency situations. It is possible that the PDPO will be amended in future, with a view to moving towards a definition of personal data akin to the GDPR. This would broaden the scope of data that must be covered by the PDPO and increase the compliance measures required for businesses that use data. Nevertheless, even in the absence of further changes to the PDPO, businesses should still be familiar with its provisions and consider how they might differ from those in other jurisdictions.