Hong Kong recently unveiled a data policy with the intention of hastening digital infrastructure construction, recruiting skilled labor and encouraging the free flow of data. Additionally, this new data policy seeks to safeguard personal information while protecting data privacy; it contains an extensive set of obligations for data users which is intended to be enforced via the Personal Data (Privacy) Ordinance.

The Personal Data Protection Ordinance (PDPO) establishes data subject rights and controller obligations, and regulates the collection, processing, holding and use of personal data through six data protection principles. First enacted in 1996 and amended significantly in 2012 and 2021, it prohibits, among other things, disclosing personal information without consent, and it applies penalties for “doxxing.” As an important legal framework, it sets data protection standards in Hong Kong as well as numerous countries in Asia.

Personal data refers to any information that can be used to directly or indirectly identify an individual, such as his name and HKID number. According to the PDPO, an organization’s staff card with details such as an employee’s name, company name, photograph and employee number likely constitutes personal data that must be protected in accordance with its provisions.

Under the PDPO, data users must inform data subjects, before collecting personal data, of its intended uses and recipients. This is similar to the requirements under GDPR but less onerous. Additionally, transfers will only be approved if their new purpose fits within the original purpose.

Data exporters must assess the laws and practices of their destination jurisdiction to see whether they meet Hong Kong’s standards for data protection. If the assessment shows that they do not, data exporters must take additional measures, either technical or contractual in nature, to meet the standards outlined by the PDPO. These may include encryption, anonymization or pseudonymisation, as well as additional contractual provisions covering audit, inspection, reporting, breach notification, compliance support and co-operation.

Finally, under the PDPO, an exporter of data must submit to and cooperate with any procedures conducted by the competent supervisory authority of its destination jurisdiction to ensure compliance with the PDPO. While this step can be significant, it does not compare with GDPR requirements in terms of onerousness.

The PDPO provides data subjects with substantial legal protections, and is enforced stringently by the PCPD. Enforcement tools range from the issuance of guidance and codes of practice, through formal investigations and fines, to imprisonment. It is therefore vital that users take note of the heightened legal requirements before sending any data outside Hong Kong; failing to do so could be serious, potentially harming a brand’s reputation irreparably.
