is a popular topic for debate in Hong Kong, where a law was passed last year that requires companies to notify users when their personal information is handed over to the government. The law also makes it a criminal offence for businesses to obstruct a government request.
However, there are still some issues with the law that need to be addressed. First, it is important to understand the scope of the law. It only applies to data users who have operations controlling the collection, holding, processing or use of personal data in, or from, Hong Kong. This is different from many other jurisdictions, where the scope is defined more broadly to include any information that can be used to identify a person.
This can include data that is not personally identifiable, such as CCTV recordings of crowds at events, records of persons entering car parks and logs of meetings that do not identify individual speakers or participants. It is important to think carefully about this when deciding whether a data user has obligations under the PDPO in relation to data transfer.
Another issue is that the law does not clarify how “use” is to be interpreted. The PCPD has provided some guidance in this regard, noting that it refers to the purpose for which a person collects personal data and the classes of people to whom the data may be transferred. The use of data can therefore include a transfer to a third party in the course of conducting direct marketing activities, but not if the purpose for which the person collected the data was for any other purposes.
While it is encouraging that some companies are starting to comply with this law, others remain reluctant to do so. Google, for example, complied with only three of the 43 requests it received from the Hong Kong authorities for user data in the second half of last year, according to its transparency report, and it only did so when the requests were accompanied by search warrants signed by a magistrate and met its global policy on such requests. Facebook, meanwhile, rejected every single request it received from the Hong Kong authorities for user information in that period, including an emergency disclosure request that involved a threat to life. Twitter did not respond to any requests from the Hong Kong authorities in that time. These issues will need to be addressed before the law is fully implemented.