China’s new data privacy law will create fresh challenges for Hong Kong businesses: former privacy chief

Beijing’s new data privacy law will affect Hong Kong businesses and how they handle mainland consumer data, possibly requiring them to hire specialist agencies or compliance officers to manage personal data, Stephen Wong Kai-yi, the city’s former privacy commissioner, said on Tuesday.

China’s legislature last Friday passed the Personal Information Protection Law (PIPL), one of the strictest in the world for personal data security. It imposes significant legal restrictions on how personal data can be collected, used and managed, and will come into effect November 1.

In an interview with the South China Morning Post, Wong, Hong Kong’s privacy commissioner for personal data from 2015 to 2020, said that the new law brings challenges for the city’s businesses as it will impose new restrictions on data flows between the mainland and Hong Kong, with the special administration region considered a separate jurisdiction.

“I would say for enterprises operating in Hong Kong, especially those with business operations in mainland China, they should be aware that this new legislation imposes very stringent and sometimes arduous obligations and high standards on how enterprises process personal data,” Wong said.

The legislation, along with China’s new Data Security Law which determines what data can or cannot be sent overseas, is expected to put an end to a Wild West era for how companies collect and use consumer data in China, and forms part of a broader crackdown by Beijing on Big Tech in recent months.

The 67-year-old barrister said that retail and e-commerce businesses, which collect consumer data, may be most affected by PIPL. He added that the new legislation would force many companies, even those based outside mainland China but who do business there, to comply with Beijing’s high standard of personal data protection.