Hong Kong pioneered modern data privacy laws in 1995 with its Personal Data Protection Ordinance (PDPO), including an outright prohibition of cross-border data transfers without legal authority – captured in section 33 of PDPO). Over time however, as privacy laws have progressed internationally, that prohibition has come under challenge and some jurisdictions have eased off on applying it strictly; others, including PCPD (Privacy Commissioner for Personal Data), however have advocated its continuation – yet there seems to be a growing sense that PCPD have changed from advocating implementation as clear policy objectives to indifference as to whether this provision should ever come into play or not.
At the core of this debate lies the definition of “personal data.” Under PDPO, this includes any information which identifies an individual based on criteria such as name, identification number, location data or online identifier that could identify physical, physiological, genetic, mental economic cultural and social attributes of said person – factors like name or identification number being an example. Since most businesses collect such data anyways, businesses feel obliged to comply with its data protection rules even if no personal information leaves Hong Kong.
Under certain conditions, a data user will be required to conduct a transfer impact assessment prior to exporting personal data outside Hong Kong. This assessment can assist the data user in determining if there is a legitimate basis for transfer, and prepare appropriate supplementary measures; such measures could include standard contractual clauses or agreements between data exporter and importer or other technical or organizational measures that must be put in place as additional safeguards.
Companies planning to transfer personal data outside the EU without an adequacy decision from PCPD must first obtain written consent from data subjects prior to transfer. This document must clearly state its purpose and to whom it will be shared; furthermore it must be presented in an understandable language for ease of understanding by data subjects.
Short term, the situation appears unchanging; but its necessity will surely drive change. Demanding efficient and reliable means of exchanging personal data between mainland China and overseas will push change forward; current legal provisions will be tested as business operations increasingly integrate under the one country, two systems principle; results will depend upon both quality of underlying legal framework and enforcement effectiveness; which in turn depend upon both international trends as well as how these developments are addressed in domestic law.