China’s new data privacy law will create fresh challenges for Hong Kong businesses: former privacy chief

Beijing’s new data privacy law will affect Hong Kong businesses and how they handle mainland consumer data, possibly requiring them to hire specialist agencies or compliance officers to manage personal data, Stephen Wong Kai-yi, the city’s former privacy commissioner, said on Tuesday.

China’s legislature last Friday passed the Personal Information Protection Law (PIPL), one of the strictest in the world for personal data security. It imposes significant legal restrictions on how personal data can be collected, used and managed, and will come into effect November 1.

In an interview with the South China Morning Post, Wong, Hong Kong’s privacy commissioner for personal data from 2015 to 2020, said that the new law brings challenges for the city’s businesses as it will impose new restrictions on data flows between the mainland and Hong Kong, with the special administration region considered a separate jurisdiction.

“I would say for enterprises operating in Hong Kong, especially those with business operations in mainland China, they should be aware that this new legislation imposes very stringent and sometimes arduous obligations and high standards on how enterprises process personal data,” Wong said.

The legislation, along with China’s new Data Security Law which determines what data can or cannot be sent overseas, is expected to put an end to a Wild West era for how companies collect and use consumer data in China, and forms part of a broader crackdown by Beijing on Big Tech in recent months.

The 67-year-old barrister said that retail and e-commerce businesses, which collect consumer data, may be most affected by PIPL. He added that the new legislation would force many companies, even those based outside mainland China but who do business there, to comply with Beijing’s high standard of personal data protection.

“Classing the mainlanders as customers and therefore handling or processing their personal data will be regulated by the law,” Wong said. “The law requires that even though they may not be based in mainland China – they may operate, for example, in Hong Kong – companies must set up a specialised agency or appoint a representative within the mainland of China for [data] compliance.”

Wong said that the law’s regulations on the transfer of data, which includes financial accounts, could also introduce new compliance hurdles for financial institutions

“Financial institutions, including banks, even from the Greater Bay Area, if they want to transfer financial accounts from the mainland ... to Hong Kong, they have to comply with the rules,” he said.

Wong said that PIPL, along with the Cybersecurity Law and Data Security Law, all form part of China’s new data protection legal framework, which is similar in scope to the General Data Protection Regulation implemented by the European Union in recent years.

“About two fifths of the world’s mobile data is in mainland China,” Wong said, “[Now we] have a similar protection framework to the rest of the world … albeit a bit late, but good things don’t always come early.”

Wong said that the strength and scope of the new law was impressive, moving beyond what the current Personal Data Privacy Ordinance in Hong Kong covers.

In Hong Kong, personal information refers to a piece of information that can “ascertain” the identity of a person, but Beijing’s new rule significantly lowers that threshold and defines personal information as information that can “identify” a person.

Wong noted that the law states for the first time that state authorities must be equally regulated. This provision, not included in the first draft but added in the final draft, shows Beijing’s determination to protect personal data from abuse by commercial entities and governmental agencies.