If Hong Kong’s goal is to become an international data centre, then it must have a good relationship with the Chinese mainland’s big-data industry. However, the free flow of personal information between the two territories will need to be carefully managed if this is to happen.
The problem is that the current legal regime does not provide sufficient protections for such an arrangement. Currently, the only statutory restriction on personal data transfers between Hong Kong and the mainland is that they must be done in accordance with the PDPO. The PDPO is one of the world’s strongest privacy laws, but it has not been amended since its introduction in 2012 (a series of reforms in that year related primarily to direct marketing). This means that the PDPO has significant gaps and deficiencies when it comes to cross-border data flows.
This is not a criticism of the PDPO – it is a serious concern about where our law is heading and how far behind the rest of the world we are in terms of data protection. In our view, the PDPO should be substantially revised to bring it in line with global best practice. This will involve addressing a number of issues, including the definition of ‘data user’; the requirement for a PICS; and the broader obligations of a data user under the six core privacy principles.
A significant change could also be made to the procedures and penalties for data breaches. In particular, the definition of a breach should be expanded to include any unauthorised disclosure of data to any third party. In addition, the penalties should be increased and the time limit for reporting breaches reduced. This would make it more practical to bring data breaches to the attention of the police.
An alternative approach would be to adopt a set of standard contracts for the transfer of personal data between Hong Kong and the mainland. This is an idea that has been advocated by some of the leading privacy scholars in Hong Kong, and it is one that we support. The draft standard contracts are available for public comment, and the government should give them serious consideration as a way to strengthen the relationship between Hong Kong and the mainland while enhancing our legal protections for personal data transfers.
Finally, the government should make clear that it will not allow personal data to leave Hong Kong without being subject to strong data protection safeguards. This can be achieved through the use of technical and contractual measures. These might include encryption, anonymisation or pseudonymisation, split or multi-party processing, and requirements for audit, inspection, reporting and breach notification.