Data Protection and Cross-Border Transfers in Hong Kong
Many companies now hold so much data that it can no longer be stored in a single database. They need a centralized storage location for all of it, which is why the data lake has become so popular. Data is collected from various sources and analyzed in the data lake to obtain insights on a variety of topics. Those insights can then be used to make better decisions and to improve customer service.
One of the biggest challenges facing a business is complying with the data protection regulations that apply to it. This is particularly true if the company uses any technology that learns about individual behaviour or processes information that will impact an individual. Such technologies are common in a wide range of industries, including telecommunications, retail, banking, finance, and more. These businesses therefore need a strong compliance program to ensure that they meet all of the regulations.
Many of the data privacy rules in place around the world now include some element that covers cross-border transfers of personal data. In Hong Kong, data privacy law is overseen by the Privacy Commissioner for Personal Data (PCPD). The PCPD has published recommended model clauses for inclusion in contracts relating to the transfer of personal data across borders. These are intended to help data users fulfil their obligations under the Personal Data (Privacy) Ordinance (PDPO) and its data protection principles.
The first consideration in a data transfer case is whether it falls within the scope of the PDPO. This is determined by whether the data user’s operations are controlled in, or from, Hong Kong. The next question is whether the data user is actually dealing with “personal data”, which the PDPO defines as identifiable information about an individual.
This includes such things as name, identification number, location data, and online identifiers. It also includes factors relating to the individual's physiological, genetic, mental, economic, cultural, or social identity.
A data user must obtain the voluntary and express consent of the data subject before transferring their personal data outside Hong Kong, or using it for a purpose other than those set out in the Personal Information Collection Statement (PICS). The data user must also comply with the other provisions of the PDPO.
For example, the PDPO requires the data user to protect personal data transferred to a third country from unauthorised access, modification, or disclosure. The data user must also ensure that the third party does not use or disclose the personal data for purposes other than those agreed with the data user, and must put in place appropriate safeguards to prevent any such misuse or disclosure. The PDPO requires the data user to notify the PCPD of any breach or unauthorised transfer of personal data, and to do so in a timely manner.