Data hk is an online platform enabling research on Hong Kong using open government and other public data. It offers access to over one million open datasets from international, national, regional and local resources.
The platform is a collaboration between the government and a team of tech volunteers. It is free to use.
Data hk aims to facilitate data collection and analysis for academic, business and public interests. The website consists of two components: a data repository and an interactive analytics tool. It provides access to data that relates to Hong Kong, including census information, official statistics, financial and economic indicators, socio-economic data and maps of Hong Kong. The data is sourced from public, commercial and private sources and is available for download in Excel, CSV, PDF, JSON, and RDF formats.
A recent incident involving the doxing of the personal data of 7,249 Hongkong Post registered email accounts highlights the dual role of data in contentious politics: both as a weapon and an object of contention. While this duality is not unique to Hong Kong, the 2019 anti-establishment movement and the rapid transformation of data laws in mainland China under the ‘one country, two systems’ principle have exacerbated the tensions surrounding these uses of data.
As such, understanding how to navigate the rules and regulations governing these uses is essential for businesses. Padraig Walsh from the Tanner De Witt Data Privacy practice group guides us through some key points to note for cross-border data transfers, whether between locations within Hong Kong or between Hong Kong and other locations under the ‘one country, two systems’ rule.
The first issue to consider is whether the data transfer is covered by the PDPO. The PDPO applies to a “data user” – that is, to a person who has operations controlling the collection, holding, processing or use of personal data – who carries out such activities in, or from, Hong Kong. The PDPO’s territorial scope is therefore significantly narrower than that of many other data privacy regimes, such as the Personal Information Protection Law that applies in mainland China and the GDPR that applies in the European Economic Area.
It is also important to consider the definition of “personal data” in the PDPO. This definition is similar to other regulatory regimes and means information relating to an identifiable natural person. This includes name; identification number; location data; online identifiers; factors specific to the physical, physiological, genetic, mental, economic or cultural identity of that person; and other related personal data. It should be noted that the PDPO explicitly states that the term “use” includes both disclosure and transfer – a crucial clarification in relation to data transfers.
The PDPO requires the original data user to expressly inform a data subject on or before collecting their personal data of the purposes for which the information will be used and the classes of persons to whom the information may be transferred. However, it has been mooted that the PCPD might amend the PDPO to make this more explicit, in line with other data privacy regulations.