The new EU Data Privacy Law and its Impact on Hong Kong

On 25 May 2018, the General Data Protection Regulation 2016 (GDPR) came into force in the EU. It is drafted as a Regulation and becomes immediately applicable in all EU member states.

The GDPR contains new provisions, prohibitions and regulations for the collection and processing of personal data. This significantly enhances data protection.

A. Impact on Hong Kong

The GDPR does have extraterritorial effect, meaning that businesses in Hong Kong can be subject to the new regulations. Since the GDPR sets out more strin­gent regulations than the Hong Kong Privacy Ordinance, Hong Kong businesses are advised to check whether they could be subject to the GDPR.

The GDPR applies to a Hong Kong business if such business has an establishment in the EU. An establishment does not only contain a subsidi­ary, affiliate or mother company, but also a representative selling goods or services to the public in the EU.

The GDPR is furthermore appli­cable to a Hong Kong business without such establishment if they sell goods or services to the public in the EU.

B. Regulations

Organisations/ businesses subject to the GDPR must:

  • Demonstrate their com­pliance with the princi­ples of pro­cessing of per­sonal data;
  • Implement appropriate tech­nical and organiza­tional measures to en­sure compli­ance; and
  • Integrate data protection into their processing ac­tivities.

More specifically, the GDPR re­quires:

  • The appointment of a Data Protection Officer;
  • Undertaking a Data Pro­tection Impact Assess­ment;
  • Undertaking Privacy by De­sign and by Default, and in­tegrate the neces­sary safe­guards;
  • Keep records of pro­cessing activities; and
  • Draft data processing or handling policies or prac­tices to demonstrate com­pliance.

Data defined by GDPR in­cludes race, religion, sexual orientation, health, etc. Its collection is prohibited unless certain conditions are fulfilled.

For other personal data, the GDPR requires explicit, free, informed and unambiguous consent by the data subject.

If a business breached its obliga­tions under the GDPR, it is re­quired to notify the EU supervisory authority within a certain time limit.

If a business wants to collect personal data, it needs to com­ply with the new and enhanced rights for individuals, including the right to notice on data protection, the right to erase personal data, the right to object the collection and controlling, and (new) the right to restrict the processing of the personal data.

C. What Hong Kong businesses should do

Given its wide application, it is advisable for a Hong Kong business to check whether it might be subject to the GDPR. If so, the responsible persons should make sure that their privacy statements, collection and processing process of personal data is up to date.

If the Hong Kong business has an affiliate in the EU, it is advis­able to adjust their processes to the EU level.

Jurisdictions: 

Associate Solicitor, Robinsons Lawyers (Hong Kong)

Solicitor, GPS McQuhae (Hong Kong)

Joshua Chu is Litigation Consultant at GPS McQuhae LLP in Hong Kong. He specialises in corporate, healthcare and technology law and has experience in cross-border and conflict of laws dilemmas. Joshua has also represented the successful Defendant in one of Hong Kong’s first cryptocurrency litigation.

Since embarking on his legal career, Joshua has developed a predominantly civil practice with a focus on general civil, commercial, company and technology. He has represented Clients in all levels of Court in a wide range of commercial and criminal litigation. 

Solicitor, GPS McQuhae (Hong Kong)

Anna Lau is Litigation Consultant at GPS McQuhae LLP in Hong Kong. A biomedical engineer by training, prior to her embarkation onto her legal career, Ms Lau had worked closely with the United States Patent and Trademark Office (USPTO) and US Food and Drug Administration (FDA) on intellectual property and FDA regulatory work.

Her unique skill set enables her to expertly deal with Technology/Intellectual Property law, being able to use an engineer’s perspective to understand each individual client’s need and advise them in their own (tech) language. Anna was part of the team that represented the successful Defendant in one of Hong Kong’s first cryptocurrency litigation.