Are you violating the Personal Information Protection Law? A Guide to Cross Border Data Transfer in 3 Minutes

Kelly Huang - Data Privacy Consultant

Background

In 1995, Hong Kong introduced the Personal Data (Privacy) Ordinance (PDPO), which is one of the earliest laws in Asia to comprehensively protect personal information. However, Article 33 of the Ordinance, which deals with cross-border data transfer, has not been implemented yet, even after the revision of the Ordinance in 2021.

On the other hand, mainland China implemented the Personal Information Protection Law (PIPL) in November 2021, which includes provisions regarding cross-border data transfer. Recently, the Hong Kong Innovation, Technology and Industry Bureau (ITIB) and the Cyberspace Administration of China (CAC) jointly released “The Implementation Guidelines on the Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong)”. These guidelines provide a template for standard contracts and aim to facilitate the smooth cross-border movement of personal information in the Greater Bay Area (GBA).

Example

Hong Kong companies working with businesses in the Greater Bay Area can use a standard contract to clearly define their rights, obligations, and responsibilities regarding the cross-border transfer of personal information. For example, when Hong Kong educational and human resources institutions collaborate with mainland companies for activities like student enrolment, recruitment, or talent exchange, they need to transfer personal information. To ensure compliance, both parties should sign the standard contract. The Hong Kong company, as the data provider, must confirm the legality of data sharing, conduct data protection assessments, inform individuals, and obtain their consent. It should share only the data necessary for the cooperation and prioritize data security. After the contract takes effect, both parties should file records with the Internet Information Office of Guangdong Province and either the ITIB or the Office of the Government Chief Information Officer (OGCIO).

Trends of Data Compliance in Hong Kong

The Hong Kong government encourages businesses to take the lead in cross-border data flow by signing the GBA Standard Contract as a compliance measure to ensure the privacy and security of personal information. Additionally, we have taken note of the “Policy Statement on Facilitating Data Flow and Safeguarding Data Security in Hong Kong” issued on December 8, 2023, which mentions the government’s commitment to studying and revising the PDPO in order to align with international privacy protection standards, strengthen personal information protection, and address challenges posed by technological advancements.

It is evident that the Hong Kong government is implementing various measures to enhance the protection and regulation of personal information privacy and security. Personal information protection is a long-term and complex issue. We recognize the importance of personal information protection and always adhere to relevant laws and regulations to ensure the lawful and compliant use of personal information. We are also dedicated to providing professional services related to personal information protection to meet the needs of society and businesses in safeguarding privacy.