Data Protection First Principles in Hong Kong
Data is now a vital element of the economy, as important as financial capital, or raw materials for manufacturing. A car manufacturer cannot produce a new model without it, nor can a service provider make its AI-driven robots fully autonomous without the right data to feed the onboard algorithms. However, the protection of this new economic asset requires more than just a solid business strategy – it also depends on robust compliance with data protection regulation, including regulations on personal data transfers.
A recent discussion paper on potential changes to the Hong Kong Personal Data Protection Ordinance (“PDPO”) mooted a move towards a definition of ‘personal data’ that is more in line with international norms. This would catch a wider range of use cases, and may add complexity to the compliance requirements for businesses that transfer data globally.
As a result, it is important for businesses to understand how the application of these concepts differs between jurisdictions. Padraig Walsh from the Data Privacy practice group at Tanner De Witt, a leading global distributor and solutions aggregator for IT ecosystems, walks us through some of the key differences between these first principles.
Whether the data is subject to the PDPO
To be subject to the provisions of the PDPO, personal data must be collected for a lawful purpose, and it must be adequate but not excessive in relation to that purpose. Likewise, data users must expressly inform a data subject, on or before collecting personal data, of the purposes for which the information will be used and of the classes of persons to whom the data may be transferred. This is often achieved through a Personal Information Collection Statement (PICS) provided on or before collection, although a PICS is not a mandatory requirement under the PDPO.
Similarly, once the data has been collected, it must not be used for a different purpose unless the voluntary and express consent of the data subject is obtained. Transfer is a form of use, so if the original data user wants to transfer the data to another class of person (or for a new purpose), the transfer is subject to the consent requirements of Data Protection Principle 3 or 5 (DPP3 or DPP5).
In some cases, this will require a data protection impact assessment. This is a formal process that must be completed and approved by the data protection officer before any personal data can be transferred, and there are particular rules that must be followed. In general, the impact assessment process is a useful tool for identifying the risks associated with a proposed data transfer and for assessing how those risks might be mitigated.