Data Transfers: The ground rules in Hong Kong
20 Oct 2022
The starting point for understanding data transfers under Hong Kong law is to understand the interpretation of key data privacy concepts in Hong Kong. This may seem like obvious first principles, but as Pádraig Walsh from our Data Privacy practice explains, sometimes those principles are same same but different in Hong Kong.
What is personal data?
If data does not constitute personal data, then the statutory obligations of the Personal Data (Privacy) Ordinance (“PDPO”) will not be triggered. Personal data is defined under the PDPO to mean any data relating directly or indirectly to a living individual, from which it is practicable for the individual to be directly or indirectly identified. Personal data must also be in a form in which access to, or processing of, the data is practicable.
The Hong Kong definition of personal data has not been updated since the PDPO was first enacted in 1996. It was in line with international norms on the meaning of personal data at that time. This term has been updated in other legislative regimes since – such as the Personal Information Protection Law that applies in mainland China (“PIPL”) and the General Data Protection Regulation that applies in the European Economic Area (“GDPR”). Under those laws, personal data means information relating to an identified or identifiable person. In the GDPR, an identifiable natural person is given additional meaning by listing various identifiers such as: name; identification number; location data; online identifier; and factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a person. There has been no update as yet in Hong Kong, though change has been advocated by the Privacy Commissioner for Personal Data (“PCPD”).
This might seem a technical point, but it has some surprising outcomes. Let’s take online identifiers for example. A person is identified when the person is distinguished from other persons in the data set and specifically identified. A person is identifiable (in the GDPR sense) when data from different data sets is capable of identifying the person. So, in Hong Kong an IP address alone is not personal data. It does not have biological significance relating to an individual, nor does it have an individual as its focus. An IP address is a specific machine address assigned by an internet service provider to a user’s computer. It is information about an inanimate computer, not a living individual. It cannot alone reveal the exact location of a computer or the identity of its user. In the EU, even a dynamic IP address is personal data as the definition of personal data also relates to an identifiable person (as is the case under GDPR and the predecessor Directive 95/46).
For the present, personal data in Hong Kong may be a smaller pool than is the case in other jurisdictions. If data is not personal data, then obligations under the PDPO in respect of personal data transfers do not apply. Nonetheless, we recommend that a data user should take a cautious approach when compiling its personal data inventory and should still include online identifiers and location trackers.
What is a data user?
A data user is a person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of the data. Control is a key word here. Also, a person is not a data user if he does not hold, process or use personal data for any of his own purposes.
A data user is the broadly equivalent term in the PDPO to “data controller” under GDPR and in other jurisdictions. However, the definition of data controller under GDPR expressly requires that the data controller determines the purposes and means of processing, which again is a technical difference.
If a person is a data user, then this triggers the obligation of the data user to fulfil a range of statutory obligations under the PDPO. A key obligation is that the data user must not contravene a data protection principle (“DPP”) under the PDPO, unless an exemption applies. There are six DPPs set out in the PDPO and these form the core data privacy obligations in Hong Kong.
What is personal data collection?
The collection of personal data might seem to suggest that it relates only to the process of gathering or acquiring personal data. Hong Kong law requires an additional step. The act of collection must also be performed in respect of an individual whom the person acquiring the personal data has identified or intends to identify. The intention of the person acquiring the personal data is also a relevant factor. This is the key principle in the Eastweek case.
The applications of this principle are interesting. A photographer may take a photograph of a crowd attending a musical concert. This is not the collection of personal data under Hong Kong law, provided the photographer has not taken the photograph to identify an individual (but rather to show a general crowd enjoying an event). This is the case even though specific individuals can be identified in the photograph. Similar applications of this principle can apply in respect of CCTV recordings, logs of persons entering car parks and records of meetings that do not specifically identify individual speakers or participants.
One of the obligations of a data user in Hong Kong is to provide certain information to a data subject on or before the collection of his personal data (described in more detail below). If personal data is not collected, then no obligation to provide this information arises.
What is the jurisdictional scope of the PDPO?
Several data privacy regimes now include some element of extra-territorial application. Not in Hong Kong. The territorial jurisdiction of the PDPO only extends to a data user who has operations controlled in, or from, Hong Kong. The correct test is to consider whether the data user controls all or any part of the data cycle (that is, the collection, holding, processing, and use) in, or from, Hong Kong.
This arose in a case in which a data subject requested Google LLC to delist links in search results accessible in Hong Kong to news articles referencing the data subject which he considered false. Google LLC declined the request. The data subject complained to the PCPD. The PCPD considered that there was no evidence of contravention of the PDPO because the local subsidiary of Google LLC did not exercise any control over the collection, holding, processing or use of personal data in or from Hong Kong regarding the web search services. Google search services were processed from data centres in Singapore and Taiwan. Neither Google LLC nor its Hong Kong subsidiary was a data user for the purposes of the PDPO. This was the case even though the search results were displayed in or available from the website of Google HK.
If a person does not have any operations controlling collection, holding, processing or use of personal data in, or from, Hong Kong, then the PDPO will not apply to this person.
What is use?
A data user is defined by reference to his control of the collection, holding, processing or use of personal data. Use is intended as a catch-all phrase in this definition. Some helpful clarification is given in the PDPO which states that use includes disclosure or transfer of personal data. This is critically important in the case of data transfers.
In Hong Kong, a data user must expressly inform a data subject on or before collecting his personal data of the purposes for which the data will be used and the classes of persons to whom the data may be transferred. Transfer is a form of use. So, the PCPD has made clear that personal data may only be transferred to a third party in a class of transferees that has been notified to the data subject on or before the original collection of his personal data, and the transfer can only be for the stated purposes that the original data user has notified to the data subject. Otherwise, the disclosure is a change of purpose for which the original data user must obtain the fresh express voluntary consent of the data subject.
How are data user obligations of collection and use fulfilled in Hong Kong?
Data user obligations are primarily defined by DPP1 (Purpose and collection of personal data) and DPP3 (Use of personal data).
Personal data must be collected in a lawful and fair way for a purpose directly related to the activities of the data user. The data collected must be adequate, but not excessive, for that purpose. Before collecting personal data, all practicable steps must be taken to ensure that the data subject is informed of:
- whether the supply of the data is voluntary or obligatory;
- the purposes for which the data are to be used; and
- the classes of persons to whom the data may be transferred.
Before first use of personal data, the data subject must also be informed of:
- his right to request access to, and to correct, the data; and
- the name or job title, and address, of the individual who is to handle any such request.
These obligations are usually fulfilled by the data user providing the data subject with a personal information collection statement (“PICS”) before collecting the data. The PDPO does not require notification of these particulars in writing. However, it is obviously good practice for the information to be provided in writing to data subjects.
The purposes set out in the PICS will define the purposes for which personal data may subsequently be transferred. The description of those purposes must be sufficiently precise that the data subject can understand the purposes with a reasonable degree of certainty.
The theoretical underpinning of this arrangement is that, by informing the data subject on or before the collection of his personal data, the delivery of his personal data forms an implied consent to the use of his personal data in accordance with the PICS. This is not always the case in all situations, which is why DPP1 requires that the personal data must be collected in a fair manner.
Once personal data has been collected, the personal data cannot be used for a new purpose unless the voluntary and express consent of the data subject has first been obtained. As explained above, data transfer is a form of data use. So, the data user must obtain the voluntary and express consent of the data subject before he can either transfer the personal data to a class of person that was not set out in the PICS, or transfer the personal data for use in respect of a purpose that was not set out in the PICS.
What are the ground rules for a data transfer in or from Hong Kong?
First, consider whether the data transfer is under the jurisdiction of the PDPO. If a person does not have any operations controlling collection, holding, processing or use of personal data in, or from, Hong Kong, then the PDPO does not apply.
Next, consider whether personal data is actually involved. Personal data is defined in Hong Kong to relate to identified persons, not identifiable persons. Consequently, personal data in Hong Kong may be a smaller pool than is the case in other jurisdictions. If data is not personal data, then obligations under the PDPO in respect of data transfer do not apply.
Then, consider whether personal data is being collected. The intention of the person acquiring the personal data is a relevant factor in this consideration. If personal data is not collected, then no obligation to provide a PICS arises, and issues in respect of data transfer may not arise.
Remember that if a person is a data user, then this triggers his obligation to fulfil a range of statutory obligations under the PDPO, including complying with the six DPPs that form core data obligations under privacy law in Hong Kong. Remember also that data transfer is a form of data use.
Finally, consider the terms of the PICS provided to the data subject. This forms the parameters of what is possible in respect of a data transfer, without additionally requiring the prior express voluntary consent of the data subject.
These are important and technical questions. This preliminary assessment may require legal advice to help resolve or clarify areas of uncertainty. We at Tanner De Witt can help you.
Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.