Apr 162018

Hong Kong Issues EU Data Privacy Law Guidance on the upcoming GDPR

William RM Long, Yuet Ming Tham and Eleanor Dodding
, , , , ,

The Hong Kong Office of the Privacy Commissioner for Personal Data (the “Hong Kong Data Privacy Commissioner”) has recently published compliance guidance on the upcoming GDPR to raise awareness in Hong Kong companies about the potential effects and reforms needed in order to comply with the new GDPR requirements.

The guidance examines the GDPR’s extra-territorial effect on Hong Kong companies that (i) have establishments in the EU, where personal data is processed in accordance with the services provided by the establishment, regardless of whether the data is actually processed in the EU; or (ii) that offer goods and services in the EU, despite not having an EU establishment or (iii) that monitor the behavior of individuals in the EU.

The guidance, through a helpful step-by-step comparison, highlights that Hong Kong companies will be subject to greater data protection obligations under the GDPR then is currently the case under Hong Kong’s Personal Data (Privacy) Ordinance (“PDPO”). Of particular importance, is the compliance guidance examination of the accountability principle in the form of a data protection officer (“DPO”) and ongoing data privacy management tools under the GDPR which are not explicitly provided for under the PDPO but will become a mandatory requirement under the GDPR.

The GDPR further extends its extra-territorial scope by requiring as express requirements for Hong Kong companies processing EU data subjects’ personal data:

  • records of all processing activities;
  • restrictions on the processing of a certain category of personal data, sensitive personal data, where there was previously no distinction between sensitive and non-sensitive personal data under the PDPO;
  • providing for consent as one of the lawful grounds for processing personal data, where there was no such ground previously under the PDPO;
  • making data breach notifications mandatory, rather than voluntary as under the PDPO;
  • regulating companies acting as data processers under the GDPR, as opposed to previously being unregulated under the PDPO; and
  • introducing a right of data subjects to restrict processing of their personal data, where there had been no such right previously under the PDPO.

You can view the guidance booklet in full (including the useful comparison table highlighting the major differences between EU GDPR and HK PDPO) here.

William RM Long

London

wlong@sidley.com

Yuet Ming Tham

Singapore, Hong Kong

ytham@sidley.com

Eleanor Dodding

London

edodding@sidley.com

You might also like
U.S. Employers Need to Reconsider Use of Confidentiality and Nondisparagement Provisions in Light of New NLRB Decision

Employers frequently seek to include confidentiality and nondisparagement provisions in severance agreements provided to departing employees. Last week, the U.S. National Labor Relations Board (NLRB or Board) significantly altered the legal landscape governing such provisions, making it much more difficult for unionized and nonunionized employers alike to use them for nonsupervisory employees without running afoul of the National Labor Relations Act (NLRA). The decision is likely to be appealed, and we will issue updates as they become appropriate. In the interim, however, it is critically important for employers to understand the implications of the decision (see below) and to adjust their use of these provisions to limit their risk.

Substantial changes to Hong Kong’s privacy laws coming

In a briefing to the Legislative Council (Hong Kong’s legislative body) on February 20, 2023, the Privacy Commissioner (“the Commissioner”) announced that substantive amendments to the Personal Data (Privacy) Ordinance (“PDPO”) will take place.

New FTC Guidance for Mobile Health Apps

Healthcare providers, health plans, and technology companies that use mobile health apps to access, collect, share, use, or maintain information related to an individual’s health should take note of the recently issued Federal Trade Commission (FTC) Mobile Health App Interactive Tool. The purpose of the tool is to help mobile health developers determine the federal regulatory, privacy, and security laws and regulations that may apply to the use of a consumer’s health information, such as information related to diagnosis, treatment, fitness, wellness, or addiction. While the tool should not be considered legal advice and cannot guarantee compliance with legal requirements, it can help healthcare providers, health plans, and technology companies issue-spot to manage risk in this heavily regulated space.