The EU General Data Protection Regulation (GDPR), adopted in 2016, came into force on 25 May 2018, replacing the EU Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (EU Directive). The GDPR introduces new provisions and enhanced rights. In the wake of technological developments, globalisation and the constitutionalisation of the fundamental right to data protection in the EU, the GDPR aims to harmonise the framework for the digital single market, put individuals in control of their data and establish a modern framework for data protection governance.
Why is the GDPR relevant to Hong Kong organisations/businesses?
In Hong Kong, the Personal Data (Privacy) Ordinance, Cap 486 of the Laws of Hong Kong (PDPO) protects the privacy of individuals in relation to personal data. When the PDPO was drafted, reference was made to the relevant requirements under the OECD Privacy Guidelines 1980 and the EU Directive. Given that the GDPR constitutes significant developments of data protection law from the EU Directive, the new regulatory framework includes a number of requirements that are not found under the PDPO.
One of the key developments introduced under the GDPR to the data protection landscape outside the EU is the explicit requirement of compliance by organisations established in non-EU jurisdictions in specified circumstances. Given the diversified business or transaction models (e.g. online transactions), it is all the more important for businesses in Hong Kong to ascertain if the GDPR is applicable to them, and to keep up with the new developments.
The European Commission adopted a new set of Standard Contractual Clauses (which came into effect on 27 June 2021) for the transfer of personal data to non-EU regions (“New SCCs”). From 27 September 2021 onwards, data exporters and data importers can only conclude contracts incorporating the New SCCs for the transfer of personal data out of the European Union. The PCPD publishes, for public reference, a set of frequently asked questions and answers on the implementation framework of the New SCCs and the obligations of parties entering into cross-border data transfer agreements using the New SCCs.
For more information, please refer to the set of frequently asked questions and answers:
See the "Introduction to the European Commission’s New Standard Contractual Clauses for International Data Transfers".
The presentation files and the video of the Webinar on “the New Standard Contractual Clauses of the EU for Transfer of Personal Data from EU to Non-EU Regions” organised by the PCPD are also available.
To raise the awareness amongst organisations / businesses in Hong Kong of the possible impact of the new regulatory framework for data protection in the GDPR, the PCPD has issued the following publication:
An Update on European Union General Data Protection Regulation 2016
(May 2020 Revised Edition)
European Data Protection Board
|Codes of conduct||Guidelines 04/2021 on codes of conduct as tools for transfers|
|Consent||Guidelines 05/2020 on consent|
|Controller and processor||Guidelines 07/2020 on the concepts of controller and processor in the GDPR|
|Data breach notification|
|Data portability||Guidelines on right to data portability|
|Data protection by design and by default||Guidelines 4/2019 on Article 25 data protection by design and by default|
|Data protection impact assessments||Guidelines on data protection impact assessments|
|Derogations||Guidelines 2/2018 on derogations of Article 49 under the GDPR|
|Processing of personal data in providing online services||Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) of the GDPR in the context of the provision of online services to data subjects|
|Processing of personal data through video devices||Guidelines 3/2019 on processing of personal data through video devices|
|Restrictions||Guidelines 10/2020 on restrictions (on the scope of rights of data subject and obligations of controllers/processors) under Article 23 of the GDPR|
|Targeting of social media users||Guidelines 8/2020 on the targeting of social media users|
|Territorial scope||Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)|
|Transfer tools||Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data|
|Transparency||Guidelines on transparency|
|Subject Matter||Reference Materials|
|Data protection regime||Overview of the data protection regime in the EU|
|GDPR requirements||Introduction to the requirements of the GDPR|
A. Highlight of Important Decisions under the GDPR
|Date of Decision||Data Protection Authority||Penalty Imposed and Violations|
|15 March 2022||The Data Protection Commission of Ireland||The Data Protection Commission of Ireland fined Meta Platforms (formerly Facebook) 17 million Euro for infringements of Article 5(2) of the GDPR (in relation to the purpose limitation principle). For details of the decision, please refer to the summary of decision issued by the European Data Protection Board.|
|10 February 2022||The Italian Data Protection Authority (GPDP)||The Italian Data Protection Authority (GPDP) fined Clearview AI Inc. 20 million Euro for processing personal data unlawfully without an appropriate legal basis and for infringements in relation to transparency, purpose limitation and storage limitation, etc. For details of the decision, please refer to the summary of decision issued by the European Data Protection Board.|
|27 January 2022||The Hellenic Data Protection Authority of Greece||The Hellenic Data Protection Authority of Greece fined telecommunications companies Cosmote and OTE 9.25 million Euro in total for violations of the principles of legality and transparency, putting in place inadequate security measures, etc., following a personal data breach notification received. For details of the decision, please refer to the summary of decision issued by the European Data Protection Board.|
|14 January 2022||The Dutch Data Protection Authority||The Dutch Data Protection Authority fined DPG Media Magazines 525,000 Euro for unnecessarily requesting copies of identity documents. For details of the decision, please refer to the summary of decision issued by the European Data Protection Board.|
|22 December 2021||The Austrian Data Protection Authority (DSB)||The Austrian Data Protection Authority (DSB) ruled that the use of the Google Analytics tool by an Austrian website operator on its website violated Article 44 of the GDPR by transferring personal data to Google LLC in the United States. In particular, the DSB held that the standard contractual clauses which the website operator concluded with Google LLC did not offer an adequate level of protection to the personal data concerned. For details of the decision, please refer to the summary of decision issued by the DSB entitled “Information from the data protection authority on the decision on the use of Google Analytics”.|
|16 December 2021||The Italian Data Protection Authority (GPDP)||The Italian Data Protection Authority (GPDP) fined Enel Energia 26.5 million Euro for aggressive telemarketing and improper handling of cases where data subjects requested access to their personal data or objected to the processing of their personal data for marketing purposes. For details of the decision, please refer to the summary of decision issued by the European Data Protection Board.|
|20 August 2021||The Data Protection Commission of Ireland||The Data Protection Commission of Ireland issued its final decision imposing a fine of 225 million Euro upon WhatsApp Ireland Ltd., along with a reprimand and an order for WhatsApp Ireland Ltd. to bring its processing into compliance by taking a range of specified remedial actions in respect of infringements of, inter alia, the principle of transparency in providing information to users across Europe about its service. The final decision was issued after the adoption of a binding decision by the European Data Protection Board under Article 65 of the GDPR (a dispute resolution process triggered as a result of the opposing views among the supervisory authorities concerned). For details of the decision, please refer to the decision of the Data Protection Commission of Ireland and its press release dated 2 September 2021. Remarks: The decision of the Data Protection Commission of Ireland against WhatsApp Ireland Ltd. is being appealed.|
|21 June 2021||The Swedish Authority for Privacy Protection (IMY)||The Swedish Authority for Privacy Protection (IMY) fined SL, which operates public transport in Stockholm, SEK 16 million for unlawful use of body cameras on public transport. For details of the decision, please refer to the summary of decision issued by the European Data Protection Board.|
|29 April 2021||The Dutch Data Protection Authority||The Dutch Data Protection Authority fined a municipality 0.6 million Euro for using Wi-Fi tracking, which made it possible to track shoppers and people who live or work in the city centre. For details of the decision, please refer to the summary of decision issued by the European Data Protection Board.|
B. Major Developments under the GDPR
25 March 2022: The new Trans-Atlantic Data Privacy Framework between the EU and the United States (“US”)
On 16 July 2020, the Court of Justice of the European Union struck down the framework of the EU-US Privacy Shield in the case of Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems and intervening parties (commonly known as “Schrems II Judgment”). Since 2016, the EU-US Privacy Shield had been implemented as a major mechanism for effecting transfers of personal data from EU companies to US companies.
Following continuous discussions between the European Commission and the US, the parties announced on 25 March 2022 that an agreement had been reached in principle on a new Trans-Atlantic Data Privacy Framework (“New Framework”), with a view to re-establishing a legal mechanism for the transfer of personal data from the EU to the US.
In particular, the New Framework ensures that (i) signals intelligence activities undertaken by the US should be necessary and proportionate in advancing legitimate national security objectives; (ii) a new redress mechanism with independent and binding authority will be established to direct remedial measures for affected EU individuals; and (iii) US intelligence agencies will adopt procedures to ensure effective oversight of new privacy and civil liberties standards.
As the next step forward, the European Commission and the US will continue to work on the legal documents required to be adopted by both sides for putting the New Framework into practice.
For further details of the New Framework, please refer to (1) the European Commission and United States Joint Statement on Trans-Atlantic Data Privacy Framework and (2) the Press Statement issued by the White House of the US, both dated 25 March 2022.
21 March 2022: New Transfer Instruments for Transferring Personal Data from the United Kingdom
The GDPR is retained in the domestic law in the United Kingdom (“the UK”) as the “UK GDPR”. Article 46(1) of the UK GDPR allows international transfers of personal data, inter alia, where the data exporter has provided appropriate safeguards (including through standard data protection clauses issued by the Information Commissioner, etc.).
On 21 March 2022, two new transfer instruments, namely (i) the International Data Transfer Agreement (“IDTA”) and (ii) the international data transfer addendum to the European Commission’s standard contractual clauses for international data transfers adopted in June 2021 (“Addendum”) issued by the Information Commissioner came into force. In particular, the new instruments are intended to replace the existing Standard Contractual Clauses recognised in the UK, i.e. the Standard Contractual Clauses adopted in the EU in the pre-GDPR era (“the Old SCCs”).
The practical implications of the introduction of the IDTA and the Addendum for data transferors and data transferees are that:
For further details of the IDTA and the Addendum, please refer to the introduction provided by the Information Commissioner’s Office of the UK.
17 December 2021: The children’s privacy guidelines published by the Data Protection Commission of Ireland
On 17 December 2021, the Data Protection Commission of Ireland published its “Fundamentals For A Child-oriented Approach To Data Processing”, providing guidance and recommended best practices in respect of protecting children’s personal data privacy during processing activities. For details of the publication, please refer to the summary issued by the Data Protection Commission of Ireland.
17 December 2021: The adequacy decision for South Korea
On 17 December 2021, the European Commission adopted a decision finding that the Republic of Korea ensures an adequate level of protection for personal data transferred from the EU to entities in the Republic of Korea that are subject to the Personal Information Protection Act, as supplemented by the additional safeguards stipulated therein, together with the relevant official representations, assurances and commitments.
For details of the adequacy decision for South Korea, please refer to the Joint Press Statement by Didier Reynders, Commissioner for Justice of the European Commission, and Yoon Jong In, Chairperson of the Personal Information Protection Commission of the Republic of Korea.
28 June 2021: The adequacy decision for the United Kingdom
On 28 June 2021, the European Commission adopted two adequacy decisions for the United Kingdom, one under the GDPR and the other under the Law Enforcement Directive. Free flow of personal data from the EU to the United Kingdom is allowed on the basis that the United Kingdom ensures an essentially equivalent level of personal data protection to that guaranteed under EU law.
For details of the adequacy decision for the United Kingdom, please refer to the press release issued by the European Commission.