The data hk project is about the protection and transparency of personal data used in business. A number of businesses use information that has an impact on individuals, either by predicting their behaviours or monitoring their activities (for example, tracking people on the internet). Such data processing can be subject to various regulatory regimes, including privacy laws, but the focus of this article is upon the protection of cross-border personal data transfer from Hong Kong.
In Hong Kong, the PDPO requires any person who controls personal data to fulfil a range of statutory obligations. These include the requirement to protect personal data at all times, whether it is in physical or electronic form and regardless of the location of the data. This also extends to protecting personal data when it is being transferred to another entity.
If a person transfers personal data abroad, this triggers a requirement to carry out a transfer impact assessment and a further obligation to implement any necessary measures that bring the level of protection in the foreign jurisdiction up to the standards required by the PDPO. These might include technical measures such as encryption, anonymisation or pseudonymisation, split or multi-party processing and breach notification. They could also include contractual provisions such as obligations on audit, inspection and reporting, liability, and compliance support and co-operation.
The transfer impact assessment should consider both the legal context of the transfer and the impact on data subjects. This is particularly important if the assessment reveals that the foreign jurisdiction does not have data protection laws comparable to those of the PDPO. In such cases, a supplementary measure might be to agree to standard contractual clauses proposed by the European Data Protection Supervisor (EDPB) and contribute to their implementation.
As well as the statutory obligations mentioned above, there is a strong business case for adhering to best practice and ethical standards when using personal data. This will not only ensure that companies comply with data protection law, but will also help them to minimise the risk of breaches, fines and reputational damage.
This is an extract from the main article.