Apr 162018

Hong Kong Issues EU Data Privacy Law Guidance on the upcoming GDPR

William RM Long, Yuet Ming Tham and Eleanor Dodding
, , , , ,

The Hong Kong Office of the Privacy Commissioner for Personal Data (the “Hong Kong Data Privacy Commissioner”) has recently published compliance guidance on the upcoming GDPR to raise awareness in Hong Kong companies about the potential effects and reforms needed in order to comply with the new GDPR requirements.

The guidance examines the GDPR’s extra-territorial effect on Hong Kong companies that (i) have establishments in the EU, where personal data is processed in accordance with the services provided by the establishment, regardless of whether the data is actually processed in the EU; or (ii) that offer goods and services in the EU, despite not having an EU establishment or (iii) that monitor the behavior of individuals in the EU.

The guidance, through a helpful step-by-step comparison, highlights that Hong Kong companies will be subject to greater data protection obligations under the GDPR then is currently the case under Hong Kong’s Personal Data (Privacy) Ordinance (“PDPO”). Of particular importance, is the compliance guidance examination of the accountability principle in the form of a data protection officer (“DPO”) and ongoing data privacy management tools under the GDPR which are not explicitly provided for under the PDPO but will become a mandatory requirement under the GDPR.

The GDPR further extends its extra-territorial scope by requiring as express requirements for Hong Kong companies processing EU data subjects’ personal data:

  • records of all processing activities;
  • restrictions on the processing of a certain category of personal data, sensitive personal data, where there was previously no distinction between sensitive and non-sensitive personal data under the PDPO;
  • providing for consent as one of the lawful grounds for processing personal data, where there was no such ground previously under the PDPO;
  • making data breach notifications mandatory, rather than voluntary as under the PDPO;
  • regulating companies acting as data processers under the GDPR, as opposed to previously being unregulated under the PDPO; and
  • introducing a right of data subjects to restrict processing of their personal data, where there had been no such right previously under the PDPO.

You can view the guidance booklet in full (including the useful comparison table highlighting the major differences between EU GDPR and HK PDPO) here.

William RM Long

London

wlong@sidley.com

Yuet Ming Tham

Singapore, Hong Kong

ytham@sidley.com

Eleanor Dodding

London

edodding@sidley.com

You might also like
UK Sets Out It’s “Pro-Innovation” Approach To AI Regulation

On 29 March 2023, the UK’s Department for Science Innovation and Technology (“DSIT”) published its long awaited White Paper on its “pro-innovation approach to AI regulation” (the “White Paper”), along with a corresponding impact assessment. The White Paper builds on the “proportionate, light touch and forward-looking” approach to AI regulation set out in the policy paper published in July 2022. Importantly, the UK has decided to take a different approach to regulating AI compared to the EU, opting for a decentralised sector-specific approach, with no new legislation expected at this time. Instead, the UK will regulate AI primarily through sector-specific, principles based guidance and existing laws, with an emphasis on an agile and innovation-friendly approach. This is in significant contrast to the EU’s proposed AI Act which is a standalone piece of horizontal legislation regulating all AI systems, irrespective of industry.

How the China Personal Information Protection Law Applies to Foreign Asset Managers

Since China’s Personal Information Protection Law (PIPL) came into effect in November 2021, there has been widespread uncertainty amongst offshore fund managers and investors with entities outside Mainland China as to how and whether the regime applies to them. Given the potential for foreign asset managers to overlook or misinterpret PIPL, this brief update outlines some guidance as to how PIPL can apply, and to whom, in a practical context.

EU Moving Closer to an AI Act – Key Areas of Impact for Life Sciences/MedTech Companies

The European Union is moving closer to adopting the first major legislation to horizontally regulate artificial intelligence. Today, the European Parliament (Parliament) reached a provisional agreement on its internal position on the draft Artificial Intelligence Regulation (AI Act). The text will be adopted by Parliament committees in the coming weeks and by the Parliament plenary in June. The plenary adoption will trigger the next legislative step of trilogue negotiations with the European Council to agree on a final text. Once adopted, according to the text, the AI Act will become applicable 24 months after its entry into force (or 36 months according to the Council’s position), which is currently expected in the second half of 2025, at the earliest.