Today, the Future of Privacy Forum (FPF) and Asian Business Law Institute (ABLI) – as part of their ongoing joint research project: “From Consent-Centric Data Protection Frameworks to Responsible Data Practices and Privacy Accountability in Asia Pacific” – are publishing the third in a series of detailed jurisdiction reports on the status of “consent” and alternatives to consent as lawful bases for processing personal data in Asia Pacific (APAC).
This report provides a detailed overview of relevant laws and regulations in Hong Kong, a Special Administrative Region (SAR) of the People’s Republic of China, which has its own data protection law, the Personal Data (Privacy) Ordinance (PDPO). The report covers:
notice and consent requirements for processing personal data in Hong Kong’s data protection law;the status of alternative legal bases for processing personal data which permit processing of personal data without consent if the data controller undertakes a risk impact assessment (e.g., legitimate interests); andstatutory bases for processing personal data without consent and exceptions or derogations from consent requirements in relevant laws and regulations.
The findings of this report and others in the series will inform a forthcoming comparative review paper which will make detailed recommendations for legal convergence in APAC.
Hong Kong’s Data Protection Landscape
The PDPO – which was passed in 1995 and took effect (except for certain provisions) in 1996 – is one of the most long-standing data protection laws in both APAC and globally.
The purpose of the PDPO is to protect the privacy of individuals