Part 5 Of 6: Amendments To Hong Kong Data Protection Law To Widen The Definition Of "Personal Data"
Published date: 26 July 2021
Subject Matter: Privacy, Data Protection, Privacy Protection
Law Firm: Bryan Cave Leighton Paisner LLP
Author: Mr Glenn Haley and Sharon Chan
Summary
Hong Kong proposes to widen the current definition of 'personal data' to cover not just 'identified' persons but also 'identifiable' persons. The amendment is expected to cover the use of online tracking technologies such as internet cookies to the extent that they make it reasonably possible for persons to be identified.
This post is the fifth in the series of six articles in which we discuss the proposed amendments to the data protection regime in Hong Kong.
This post deals with the part of the proposed amendments to the Personal Data (Privacy) Ordinance ('PDPO') that is aimed at widening the definition of 'personal data'.
See links below for our previous articles on the proposed amendments:
- Part 1 of 6: our first article set out an overview of the six proposed amendments and included a discussion of the proposed introduction of a mandatory data breach notification mechanism.
- Part 2 of 6: our second article on the requirement for the formulation of a clear data retention policy.
- Part 3 of 6: our third article on the imposition of administrative penalties.
- Part 4 of 6: our fourth article on the regulation of data processors.
Introduction
There is no uncontested and thoroughly coherent definition for 'personal data'. Jurisdictions around the world each adopt a definition which is thought to be most appropriate for their needs. Hong Kong takes the view that it is important to adopt an appropriate definition of 'personal data' which accords with the contemporary technologies in data analytics and data collection, so as to ensure that the data privacy law provides enough coverage to protect personal data.
In light of the increasing use of tracking technology and data analytics, Hong Kong has proposed to widen the current definition of 'personal data' under the PDPO to meet public expectations for the protection of personal data.
The current definition and its deficiencies
Under the current PDPO, 'personal data' means any information (a) relating to a living individual; (b) from which it is practicable for the identity of that individual to be ascertained; and (c) which comes in a form in which access to or processing of the information is practicable.
To put it simply, the PDPO currently covers personal data which relates to an actual living person whose identity can be ascertained, i.e. an 'identified' person.
The existing definition of personal data does not cover situations where the...