The global landscape for data privacy is evolving rapidly. Countries and regions around the world have created their own data protection laws that govern how businesses can use personal information. These laws are based on a set of foundational principles that protect data subjects’ rights. They establish obligations for data controllers and set out data subjects’ rights to control how their personal information is collected, used, shared, or stored. Businesses that violate these laws face penalties.
Hong Kong’s data privacy laws are based on the six Data Protection Principles of the Personal Data (Privacy) Ordinance (“PDPO”). This legislation governs how organizations can use personal information to meet their business needs. The PDPO also provides data subjects with a number of rights to protect their personal information, including the right to request that their data be erased when it is no longer needed.
Whether your organization is based in Hong Kong or not, if you have employees who handle personal information from data subjects in the territory, you must comply with the PDPO. This means ensuring that you have proper controls in place to safeguard that information and that your employees understand your organization’s policies and procedures regarding personal information.
While the definition of personal data in the PDPO is clear, there are many nuances that businesses need to consider when it comes to how this information is used and who it is transferred to. To be considered “personal data,” the information must concern a person who is identifiable by reference to an identifier such as a name, address, phone number or similar identifier. The PDPO defines “use” to include disclosure, transfer and any other processing of the data, which covers activities such as making the personal data public and using it for direct marketing.
One key issue is that the PDPO states that a data user must expressly inform a data subject, on or before collecting his or her personal information, of the purposes for which the data will be used and, in case of transfer, of the classes of persons to whom the personal information may be transferred. This requirement is in line with the general definition of personal information under other data protection laws such as the Chinese Personal Information Protection Law and the European Union’s GDPR.
Moreover, the PDPO requires that personal data be held only for as long as is reasonably necessary for the purpose for which it was collected. This is to prevent over-identification, which can lead to discrimination or adverse effects on the data subject. Lastly, the PDPO allows individuals to register their telephone numbers on a Do Not Call registry to opt out of receiving unsolicited phone calls from salespeople or marketers. If you are a business that collects and uses personal information in the territory, be sure to stay up to date on the latest developments in the PDPO. In particular, watch for the proposed changes to the definition of personal data that are currently under consideration by the PCPD.