Regulatory Compliance With the PDPO and Other Privacy Laws

If you operate a business that relies on data, it is important to understand how regulatory compliance with the Personal Data (Privacy) Ordinance (PDPO) and other privacy laws may affect your activities. Padraig Walsh, partner at Tanner De Witt, explains some key points to note about data transfers and how they might affect your operations.

Data transfers are common between businesses and are a necessary part of many operations. However, it is vital to understand how regulatory compliance with the PDPO and other privacy laws may affect your ability to transfer data within Hong Kong or across its border. This article sets out some of the key points to consider when dealing with such transfers.

The definition of personal data in PDPO includes data that can be used to identify an individual or could be reasonably expected to do so, and data relating to that person’s private life, including his health, family, political opinions, financial status, religious beliefs, sexual orientation and other matters of public interest. Personal data may be collected only for a lawful purpose and the collection of the information must be proportionate to that purpose. The information must be accurate and up-to-date, and must not be kept for longer than is necessary for the purpose for which it was collected.

A data user must expressly inform the data subject, on or before collecting his personal data, of the purposes for which the information will be used and of the classes of persons to whom the data will be transferred. A transfer of personal data is a form of use, so the PCPD (the Office of the Privacy Commissioner for Personal Data) has made clear that personal data can only be transferred to a class of third parties that was notified to the data subject on or before the original collection of his personal data.

Where a data user intends to transfer personal data outside Hong Kong, he must, prior to the transfer, obtain the voluntary and express consent of the data subject. He must also, before the transfer, make a written assessment of the foreign jurisdiction’s legal and regulatory framework and practices, and adopt contractual or other means to ensure that personal data transferred to the foreign jurisdiction is protected against unauthorised access, processing, erasure, loss or use by the processor there, and that it is not retained for longer than is necessary for the purposes for which it was processed (DPP2 and DPP4).

The PDPO imposes strict penalties for data-related offences, including fines and imprisonment. The Privacy Commissioner has a broad range of investigative powers and can proactively conduct investigations, irrespective of whether or not complaints have been lodged. In addition, the PDPO makes it a criminal offence to engage in direct marketing without obtaining an individual’s consent and fines can be up to HK$500,000.

The Privacy Commissioner is also able to impose civil fines on data users who breach the PDPO, and may do so in conjunction with the police. In recent years, the PCPD has focused on investigating and prosecuting a number of cases involving direct marketing practices.