Data hk is an online resource dedicated to Hong Kong’s data protection law, first passed in 1996 and amended in 2012 and 2021. This law establishes data subject rights and regulates the collection, processing, holding and use of personal data through six data protection principles.
Data subjects have the right to be informed of the purpose for which their personal data will be collected and the recipients to whom it will be transferred, typically by being given a PICS by their data user at or prior to the collection of their personal information. Before transferring data to third parties, data users must obtain the voluntary and express consent of data subjects.
The PDPO defines personal data as information that identifies or relates to an identified or identifiable individual, a definition consistent with international norms and used in other legislative regimes such as China’s Personal Information Protection Law or Europe’s General Data Protection Regulation.
Identifying who controls data usage within Hong Kong is also key when assessing whether the PDPO extends beyond its borders. While certain privacy laws include extraterritorial application, Hong Kong’s PDPO only applies to users residing or conducting activities within its boundaries who collect, hold, process or use personal data collected or generated within Hong Kong.
Google, Twitter and Facebook all announced within one week of the National Security Law’s passage last year that they had suspended direct requests for users’ data from Hong Kong authorities, instead opting to direct these through the US Justice Department via an MLAT, which may take months. Other companies, including Apple and Microsoft, published transparency reports showing they fulfilled between 19% and 50% of government requests for user information in the six months after the passing of this law.
Under the PDPO, data users are obliged to implement arrangements and contractual obligations designed to ensure any agent or contractor under contract with them complies with its provisions – particularly DPP2 and DPP4. This includes notification of any breaches and making sure all onward transfers comply with recommended model clauses.