Data hk is an easy-to-use website that enables people to make access requests to telecommunications service providers. The site also provides a tool for people to check whether their providers are adhering to their obligations under the PDPO.
The website was created by a number of individuals, including law enforcement officials and privacy advocates. Its development was funded by a grant from the Hong Kong Foundation for Innovation and Technology. Since its launch in June, the website has received more than 16,000 visits and positive feedback from users. The website’s popularity reflects the high level of interest in data privacy in Hong Kong.
A major challenge facing the Government is how to deal with the increasing cross-border flow of personal data. This trend is driven by both business and social factors, including the deeper integration of mainland China as part of Hong Kong under the “one country, two systems” principle, the rapid growth of e-commerce, and the desire for more efficient means to transfer personal data.
It is important to remember that there are still significant and onerous obligations that data users must fulfil in respect of transfers of personal data. In the context of the PDPO, these include: a requirement to undertake a transfer impact assessment where applicable (DPP 2(3)); a requirement to notify data subjects in relation to any changes in purpose for which their personal data is collected and used (DPP 1(2)); a requirement to prevent processing of personal data that could be identified as belonging to a particular person, or a group of persons, from being transferred out of Hong Kong where it is likely to result in unauthorised disclosure, destruction, loss or modification of such data (DPP 4(2)); and a requirement to ensure that contracts, arrangements and any other means adopted by a data user for transfers of personal data do not contain terms that are inconsistent with the six core DPPs in the PDPO (DPP 6).
Another issue is that a data user must comply with any laws of a jurisdiction to which a personal data transfer is made. This may require a data user to obtain an adequacy or equivalent regime approval from the jurisdiction in question. This can be a time-consuming process, with the potential for disputes and litigation in cases where a data user has not obtained approval from the relevant supervisory authority.
Finally, data users must comply with the requirements of the PDPO in respect of transfers of personal data to countries that do not have an adequacy or equivalent regime in place. This may involve undertaking a process known as a self-assessment or a bilateral agreement between the relevant authorities. This can be a lengthy and expensive exercise, with the potential for conflicting interpretations of laws and practices in different jurisdictions. For many small to medium-sized enterprises, this may not be feasible. In these circumstances, relying on standard contractual clauses proposed by an EEA data exporter under GDPR might be the only practical way of complying with the requirements of the PDPO in relation to data transfers to foreign jurisdictions.