Thought leadership from our experts

Online personal data protection across China, Hong Kong and Singapore

In recent years, usage of e-commerce has surged across Asia. Driven by the sturdy growth of China, Asia is currently the largest region by sales revenue of internet retailing. With the introduction of digital wallet services and mobile payment, it is expected that usage of such payment platform will widen its scope to more business sectors. Given the present quantum of cross border digital transactions, the trend of outsourcing and entrusting personal data processing work by data users to their agents becomes increasingly common.

As such, there is a stronger need for an up-to-date online privacy protection in Asia. Recently, China has introduced new privacy laws, amendments and proposed bills to cope with the rapid changes in the digital area. In particular, it has also dealt with the transfer of personal data across the border.

This Article provides an overview of the present frameworks and the recent developments in the online privacy protection in Hong Kong, China and Singapore from our insight for the drafting of online privacy policy for businesses.

Hong Kong

In Hong Kong, the Privacy Commissioner for Personal Data oversees personal data protection. Protection of personal data is governed by the six major principles under the Personal Data (Privacy) Ordinance (the "Ordinance"), including:

  1. personal data must be collected in a lawful and fair way, for a purpose directly related to a function /activity of the data user;
  2. practicable steps shall be taken to ensure personal data is accurate and not kept longer than is necessary to fulfil the purpose for which it is used;
  3. personal data must be used for the purpose for which the data is collected or for a directly related purpose, unless voluntary and explicit consent with a new purpose is obtained from the data subject.;
  4. a data user needs to take practicable steps to safeguard personal data from unauthorised or accidental access, processing, erasure, loss or use;
  5. a data user must take practicable steps to make personal data policies and practices known to the public regarding the types of personal data it holds and how the data is used; and
  6. a data subject must be given access to his/her personal data and allowed to make corrections if it is inaccurate.

Despite the Ordinance not expressly providing whether it binds online platforms, data user is defined as a person who controls the collection, holding, processing or use of the data. This includes Hong Kong data users and therefore, the Ordinance also applies to online platforms.

The law prohibiting the transfer of personal data to places outside Hong Kong is not yet in operation, however, Privacy Commissioner for Personal Data has issued guidelines on prohibiting the transfer of personal data to places outside of Hong Kong, unless:

  1. the place to which the data are transferred has in force "any law which is substantially similar to, or serves the same purposes as, this Ordinance";
  2. the data subject has consented in writing to the transfer;
  3. the data user has reasonable grounds for believing that the transfer is for the avoidance or mitigation of adverse action against the data subject; it is not practicable to obtain the data subject's consent, but if practicable, such consent would be given; and
  4. the data user has taken "all reasonable precautions and exercised all due diligence to ensure" that the data will not be dealt with in a manner that would constitute a contravention of the Ordinance.

Until now, although there is still no specific timetable for the implementation of the law on the prohibition of transfer of the personal data across the border, the key note address at the 7th European Data Protection Days indicated that the Privacy Commissioner believes it is time for Hong Kong to update its laws so as to act in line with worldwide regulations.

Mainland China

Taking effect on 1 June 2017, the Cybersecurity Law of the People's Republic of China1 (the "Cybersecurity Law") plays a critical part in setting out the online privacy protection regulations in the digital playing field.

The introduction of the new Cybersecurity Law together with the proposed Measures on the Security Assessment of Cross-border Transfer of Personal Information and Important Data2 (the "Proposed Measures") (not yet in operation) bring significant changes to all online businesses, particularly for those overseas giants that maintain a large database of personal data as part of their businesses, for example, businesses with loyalty membership schemes, social platforms and possession of big data.

Under the Cybersecurity Law, data users are:

  1. required to maintain the confidentiality of personal information which they obtain from internet users and are prohibited to collect private data which is not related to their service, or to reveal, tamper or impair the personal information they collect;
  2. prohibited from stealing or illegally obtaining, or illegally selling or offering others any personal data; and
  3. imposed strict responsibility to provide "support and assistance" with law enforcement in respect of internet management and crime investigation.

Apart from imposing higher safety standards on internet service providers, the Cybersecurity Law also sets up a government supervision and management system. In the event of a security accident, the competent authorities must initiate a contingency plan immediately, require the internet service providers to take corresponding remedial measures and release alert notifications to the social public.

The Proposed Measures are still in consultation, however moves have been taken by some tech giants like Apple, Amazon, Microsoft and IBM, which have formed partnerships with local Chinese companies to set up cloud networking services and data centres in order to comply with the Proposed Measures.

The Proposed Measures prohibit the transfer of personal data across the border if:

  1. the transfer is not subject to the individual's consent or against the individual's interest; or
  2. the transfer will give rise to risk on the nation's politics, economy, science and technology and defence, and may affect adversely the national security and/or is against the public interest; or
  3. the transfer is prohibited by the Chinese Government.

Further, the Proposed Measures has set out three circumstances in which a security assessment by a competent regulatory authority is required; namely,

  1. the data contains personal information of over 500,000 individuals; and
  2. it contains data of critical information infrastructure such as cybersecurity information; and
  3. other information that is likely to affect national security or social and public interests.

It is expected that data users, including those that control and process critical information infrastructure, will be expected to conduct the assessment depending on the type, volume and sensitivity of the data. All transfers must meet the purpose of being "lawful and legitimate". Obtaining consent from the data subject will definitely be a mandatory action in these data transfer events.


In Singapore, the Personal Data Protection Commission ("PDPC") was established on 2 January 2013 to administer and enforce the Personal Data Protection Act 2012 (the "Act"), the primary law governing the collection, use, and disclosure of personal data. The Act is drafted in technologically neutral terms, and thus covers personal data stored in electronic and non-electronic forms.

The Act takes into account the following concepts:

1) Data user may collect, use or disclose personal data only with the individual's knowledge and consent (with some exceptions);

2) Data user may collect, use or disclose personal data in an appropriate manner for the circumstances, and only if they have informed the individual of purposes for the collection, use or disclosure; and

3) Data user may collect, use or disclose personal data only for purposes that would be considered appropriate to a reasonable person in the given circumstances.

In view of the rapid technological changes sweeping the globe, the PDPC recently issued a public consultation paper to gather public opinion on whether there should be other bases for collecting, using, and disclosing personal data where consent is not feasible or desirable, such as where voluminous amounts of personal data are collected within a short period of time for data analytics or machine learning.

Section 26(1) of the Act provides that the data user may not transfer any personal data to a country or territory outside Singapore, except in accordance with requirements prescribed under the Act, to ensure that the recipient data user is bound by legally enforceable obligations to provide a standard of protection that is comparable to that under the Act. In other words, if the recipient data user is not already bound by comparable data privacy laws in their jurisdiction, the transferring data user needs to impose similar obligations under the Act by contract, and/ or other binding instruments to avoid liability under the Act.

So, what's the take Away?

There is no literal template law for Asian countries to follow, unlike the European Union's General Data Protection Regulation. Each of the laws in Hong Kong, China and Singapore differs from each other in their form, substances and interpretation. However, there are still common recommendations for the data users to follow:

  1. Obtaining individual's consent is important before the transfers effect; and
  2. Contracting between the data user transferring the personal data and the recipient represents the principal mechanism whereby transfers of personal data may fulfil the requirement under the laws in Hong Kong, China and Singapore for the protection of personal data.