Hong Kong data protection laws are internationally recognized and highly regarded. The Personal Data Protection Ordinance (PDPO) offers robust rights to data subjects while outlining clear obligations for data users, as well as six data protection principles that regulate the collection, processing, storage and use of personal information. The PDPO has been amended twice since 2012, primarily with regard to acts of disclosing personal information without consent (doxxing).
The HKPDPO recognizes that data transfer to foreign jurisdictions poses risks, and requires data users to take appropriate steps to mitigate those risks. Data exporters should also implement additional measures if their assessment indicates that foreign legislation and practices don’t conform with Hong Kong standards; such supplementary measures might include technical or contractual provisions requiring audit, inspection and reporting, breach notification, as well as compliance support and co-operation from their source countries.
HKPDPO also recognises that sub-processors pose risks when data is transferred to foreign jurisdictions. These risks can be addressed through contractual provisions limiting the sub-processor's ability to access and process transferred data, or by the data user ensuring that its sub-processor does not store personal information outside Hong Kong.
Under the Hong Kong Personal Data Protection Ordinance (HKPDPO), data users must notify data subjects of any proposed data transfer, generally by providing them with a Personal Information Collection Statement (PICS). While the requirement may not be as stringent as under GDPR, providing such notification remains good practice and should be undertaken.
Verifying that data transfer complies with one of the legal purposes set out in PDPO is also an obligation, and can be accomplished by reviewing the PICS to ensure it properly explains why personal data will be transferred as planned; otherwise a revised PICS must be prepared and provided to data subjects.
As modernisation of the PDPO remains in discussion, businesses should remain mindful that Hong Kong’s data transfer framework is rigorous and internationally recognised. If data transfer is essential, companies must follow Hong Kong’s six-step data transfer procedure to minimise any risk of breaching PDPO regulations. By following this method they can rest easy knowing they are meeting their obligations under this legislation. Any breaches could attract substantial fines.