The Privacy Commissioner’s Website – Data Hk

Data hk provides individuals in Hong Kong with an easy and safe platform to share and access personal data, building trust among various parties while exchanging information between different entities with the aim of strengthening trust and confidence in personal data sharing.

This site allows users to search and view public data sets, while helping raise awareness of personal data issues. The Office of the Privacy Commissioner for Personal Data operates this public service by safeguarding and promoting protection of personal data in Hong Kong.

This website provides model clauses and advice for including cross-border transfers into contracts, while meeting obligations under Section 33 of the PDPO. These recommended clauses have been designed with flexibility in mind so they can easily fit into contractual arrangements with data importers (whether as separate clauses or contract provisions within an overall commercial agreement) while meeting business needs and legal risks involved.

Section 33 of the PDPO states that any use of personal data that could identify living individuals must be lawful. This rule applies even if such data already does not permit for direct identification; an example would be taking a photograph at a concert without intending to identify particular people; similarly CCTV recordings or records of meetings do not constitute collection under Hong Kong law, provided their purpose is not intended to identify particular people.

As part of its obligation under Section 33, data exporters must clearly and expressly state in its personal information collection statement (PICS) what classes of individuals the data will be transferred to and why. This requirement is far less onerous than GDPR where businesses would need a record of all personal data transfers outside the European Union and verify whether these transfers were lawful.

PICS must specify that, upon request by any data subject, data users must conduct an assessment of the transfer’s impact on personal data protection in the foreign jurisdiction, as well as take necessary supplementary measures if this assessment reveals noncompliance with PDPO standards by laws and practices there. These may include technical measures like encryption, anonymisation or pseudonymisation; split processing and multi-party processing as well as contractual provisions mandating auditing, inspection, beach notification as well as compliance support and co-operation obligations.

Hong Kong’s current status may come as a shock, yet its reasoning makes sense in several regards. One factor is that data transfer will become ever more essential between mainland China and internationally, and to protect Hong Kong’s legal system as a whole in the interests of all stakeholders.