Data hk is a website that aims to provide information and resources on various data-related issues in Hong Kong. The site is maintained by the Office of the Privacy Commissioner for Personal Data and is designed to be a one-stop resource for people seeking information on data protection in Hong Kong. The website offers a range of practical information and tools such as guides, FAQs, and links to other useful websites. It also includes a discussion forum and a blog for users to post questions and comments.
One of the key issues that arises in respect of transferring personal data abroad is whether or not the foreign jurisdiction’s laws and practices meet Hong Kong standards. As a starting point, the data exporter should identify and adopt any supplementary measures that are necessary to bring those foreign jurisdictions’ legislation and practices up to Hong Kong standards. These might include technical measures such as encryption or anonymisation and contractual measures such as beach notification, audit, inspection and reporting, and compliance support and co-operation.
Firstly, it is important to consider whether or not the data transfer falls within the scope of the PDPO. The PDPO applies to any person who controls the collection, holding, processing or use of personal data in, from or in relation to Hong Kong. This is a narrower test than that contained in some other data privacy regimes, which tend to confer extra-territorial application.
It is also worth bearing in mind that data transfer obligations under the PDPO are triggered by a person’s use of personal data. So, for example, it is important to bear in mind that if a person intends to use personal data for direct marketing purposes and does not obtain the consent of the data subject, he will be in breach of the PDPO. Such a breach can be punishable by a fine of up to HK$500,000.
Finally, it is worth remembering that the PDPO provides that a data user must expressly inform a data subject on or before collecting his personal data of the purposes for which it will be used and the classes of persons to whom the data may be transferred. This is an obligation that must be met whether or not the data is being transferred overseas.