Data hk provides access to government-released datasets available online and serves to facilitate research, policy formulation, needs assessment and monitoring and evaluation of public services in health and education. While valuable for both business and researchers alike, Data HK should not be seen as the solution to all your data protection and privacy problems; its resources do not guarantee you protection of personal information nor satisfy regulatory demands for data protection and privacy requirements.
Hong Kong pioneered modern data privacy laws in 1995 with section 33 as its cornerstone, prohibiting any transfer of personal information outside Hong Kong without meeting certain conditions. Since then, several jurisdictions have included some form of extraterritorial application into their data privacy laws.
Hong Kong may appear out of step with international trends, especially given the increased emphasis on adequacy and equivalent regimes as an approach to compliance, but its position can be explained through specific reasons. Increased cross-border data flows are considered vital to Hong Kong’s economy; their free flow has even been described by Government officials as one of the foundations of their success. As such, business community has been reluctant to accept changes that could undermine these benefits or lead to unnecessary compliance costs that might compromise them.
One reason for resistance to change has been a lack of evidence that data transfers have undermined the protections provided by PDPO. This line of argument was supported by PCPD which issued guidance and model clauses for contracts concerning data transfers in 2014 as well as providing input into a study of business impacts commissioned by Government in 2017.
Finaly, many data transfers do not fall within the purview of the PDPO even when they involve identifiable individuals’ personal information. Under PDPO requirements, data users are obliged to notify each person about the purposes for collecting their personal data as well as who it may be transferred (DPP 1-3), with this obligation usually fulfilled via inclusion in a PICS at time of collection – unlike under GDPR which mandates this consent be expressed and informed prior to collection.
Note also that any Hong Kong data importer who agrees to standard contractual clauses proposed by an EEA data exporter must conduct a transfer impact assessment and inform data subjects affected. The PCPD is currently considering expanding this obligation so as to cover more circumstances; potentially this new set of requirements could come into force before year’s end – perhaps leading to the elimination of having to submit to jurisdiction of an EEA supervisory authority as part of these arrangements.