The EU General Data Protection Regulation (GDPR), adopted in 2016, came into force on 25 May 2018. The GDPR introduces new provisions and enhanced rights. In the wake of technological developments, globalisation and the constitutionalisation of the fundamental right to data protection in the EU, the GDPR aims to harmonise the framework for the digital single market, put individuals in control of their data and establish a modern data protection governance framework.
Why is the GDPR relevant to Hong Kong organisations/businesses?
In Hong Kong, the Personal Data (Privacy) Ordinance, Laws of Hong Kong (Cap 486) (PDPO) protects the privacy of individuals in relation to personal data. When the PDPO was drafted, reference was made to the relevant requirements under the OECD Privacy Guidelines 1980 and the EU Directive. In consequence, the PDPO and the GDPR share a number of common features. Given that the GDPR constitutes a significant development, if not a change, of data protection law from the EU Directive, the new regulatory framework includes a number of requirements that are not found under the PDPO.
One of the key developments introduced under the GDPR to the data protection landscape outside the EU is the explicit requirement of compliance by organisations established in non-EU jurisdictions in specified circumstances. Given the diversified business or transaction models (e.g. online transactions), it is all the more important for businesses in Hong Kong to ascertain if the GDPR is applicable to them, and to keep up with the new developments.
Fast Facts on the EU GDPR and Hong Kong PDPO (Major Differences)
Territorial Scope
EU: Data processors or controllers:
- with an establishment in the EU, or
- established outside the EU, that offer goods or services to, or monitor the behaviour of, individuals in the EU. [Art 3]
HK: Data users (controllers / processors) who, either alone or jointly or in common with other persons, control the collection, holding, processing or use of the personal data in or from Hong Kong. [s.2(1)]
Definition of Personal Data
EU: “Personal data” means:
- any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly;
- examples of personal data explicitly identified are extended to include location data and online identifiers. [Art 4(1)]
HK: “Personal data” means any data –
(a) relating directly or indirectly to a living individual;
(b) from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and
(c) in a form in which access to or processing of the data is practicable. [s.2(1)]
Accountability and Governance
EU: Risk-based approach; data controllers are required to:
- implement technical and organisational measures to ensure compliance [Art 24];
- adopt data protection by design and by default [Art 25];
- conduct data protection impact assessment for high-risk processing [Art 35]; and
- (for certain types of organisations) designate Data Protection Officers. [Art 37]
HK:
- The accountability principle and the related privacy management measures are not explicitly stated.
- The Privacy Commissioner advocates the adoption of a privacy management programme which manifests the accountability principle. The appointment of data protection officers and the conduct of privacy impact assessments are recommended good practices for achieving accountability.
Sensitive Personal Data
EU:
- Category of sensitive personal data expanded.
- Processing of sensitive personal data is allowed only under specific circumstances. [Art 9]
HK:
- No distinction between sensitive and non-sensitive personal data for all purposes.
Consent
EU: Consent must be
- freely given, specific and informed;
- an unambiguous indication of a data subject's wishes, by statement or by clear affirmative action, which signifies agreement [Art 4(1)]; and
- given by a child below 16 (or 13) with parental authorisation.
HK:
- Consent is not a pre-requisite for the collection of personal data, unless the personal data is used for a new purpose. [DPP1&3] For other purposes where consent is also required, consent means express and voluntary consent.
- No requirement for parental consent.
Data Breach Notification
EU:
- Data controllers are required to notify the authority of a data breach without undue delay (exceptions apply).
- Data controllers are required to notify affected data subjects if the breach is likely to result in high risk to the rights and interests of the data subjects, unless exempted. [Arts 33-34]
HK:
- No mandatory requirement, but notification to the Privacy Commissioner (and data subjects, where appropriate) is recommended in the interest of all stakeholders, including data users/controllers and data subjects.
Obligations of Data Processors
EU:
- Data processors are additionally obliged to maintain records of processing, ensure security of processing, report data breaches, designate Data Protection Officers, etc. [Arts 30, 32-33, 37]
HK:
- Data processors are not directly regulated. [s.2(12)]
- Data users are required to adopt contractual or other means to ensure data processors' compliance. [DPP2(3) & DPP4(2)]
New and Enhanced Rights for Data Subjects
EU:
- Right to notice on data processing. [Arts 13-14]
- Right to erasure of personal data ("right to be forgotten"). [Art 17]
- Right to restriction of processing and data portability. [Arts 18, 20]
- Right to object to processing (including profiling). [Art 21]
HK:
- Less extensive notice requirements for data users / controllers (processors).
- No right to erasure, but data shall not be retained longer than necessary. [s.26 & DPP 2(2)]
- No right to restriction of processing or data portability, but data access and correction requests must be complied with. [DPP6, Part 5]
- No right to object to processing (including profiling), but data subjects may opt out from direct marketing activities [ss.35G & 35L], and the PDPO contains provisions regulating data matching procedures. [ss.30-31]
Certification, Seals, and Codes of Conduct
EU:
- Mechanisms are explicitly recognised and established for demonstrating compliance by data controllers and processors. [Art 42]
HK:
- No formal recognition of certification or privacy seal mechanisms for demonstrating compliance. The Privacy Commissioner may approve and issue codes of practice after consultation. [s.12]
Cross-jurisdiction Data Transfer
EU:
- Certification and adherence to approved codes of conduct are explicitly made one of the legal bases for transfer. [Art 46]
HK:
- Certification and adherence to an approved code of practice are not explicitly made a legal basis.
Sanctions
EU:
- Data protection authorities are empowered to impose administrative fines on data controllers and processors. [Art 58]
- Depending on the nature of the breach, the fine could be up to €20 million or 4% of the total worldwide annual turnover. [Art 83]
HK:
- The Privacy Commissioner is not empowered to impose administrative fines or penalties.
- The Privacy Commissioner may serve Enforcement Notices on data users; failure to comply with a notice may attract penalties after judicial process. [s.50]
PCPD’s publications and activities on the GDPR
To raise awareness amongst organisations/businesses in Hong Kong of the possible impact of the GDPR's new regulatory framework for data protection, and to assist them in understanding the major disparities in view of the extra-territorial application of the GDPR, as well as comparing some of its major requirements with those set out in the PDPO, the Office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD) has published the “European Union General Data Protection Regulation (GDPR) 2016” booklet, which is now available for download on the PCPD website: