The personal data protection regimes of Mainland China and of the Hong Kong Special Administrative Region are two separate and, indeed, quite distinct systems: the former is more recent, fragmented, and built on general notions; the latter dates back to the 1990s and is more integrated in composition and analytical in style. Operators entering either market are well advised to take account of the respective legal specificities.

Many activities involving the collection and use of data are intrinsically cross-border. This raises similar issues (essentially, issues of extra-territorial application) under both Hong Kong statutes and Mainland China statutes.

Other critical points differ between the two environments. On the one hand, the analytical formulation and strict interpretation of certain Hong Kong requirements may be a challenge for some market operators. On the other hand, the lack of a precise definition for certain concepts used in Mainland legislation carries with it a degree of variability in application, and requires market operators to pay constant attention to compliance.

The fundamental Hong Kong enactment on personal data protection is the Personal Data (Privacy) Ordinance (Cap 486) ("PDPO"), first passed in 1995, when Hong Kong was still a dependent territory of the United Kingdom, and modelled on the OECD Privacy Guidelines of 1980.

The obligations set out in the PDPO mainly fall on "data users", i.e., persons who, either alone or jointly with other persons, control the collection, holding, processing or use of personal data. "Personal data" means any data relating directly or indirectly to a living individual, from which it is practicable to ascertain the identity of the individual (directly or indirectly), and which is in a form in which access to or processing of the data is practicable.

If a data user controls the collection, holding, processing or use of data in or from Hong Kong, the PDPO will generally apply, regardless of where the processing actually takes place and of the citizenship or residence of the data subject. Therefore, although the PDPO does not expressly provide for extra-territorial application, in practice it can also reach parties carrying out activities outside Hong Kong.

In terms of substantive content, the core of the PDPO is its six Data Protection Principles ("DPP"), which concern: (i) the purpose and manner of data collection; (ii) the accuracy of data and the duration of retention; (iii) the use of the data; (iv) the security of retained data; (v) the openness of a data user's practices; and (vi) the right of access to and correction of data.

A 2012 amendment introduced specific, stricter requirements for the use of personal data in direct marketing. "Direct marketing" covers the offering, or advertising of the availability, of goods or services, or the solicitation of donations or contributions, made by sending information or goods addressed to specific persons by name, or by making telephone calls to specific persons.

Under DPP 1(3), a data user collecting personal data directly from a data subject must take all reasonably practicable steps to ensure that the data subject is informed: (i) whether it is obligatory or voluntary to supply the data (and, where obligatory, the consequences of not supplying it); (ii) of the purposes for which the data will be used and the classes of persons to whom the data may be transferred; and (iii) of the right to request access to and correction of the data. A data user intending to use the data for direct marketing must, in addition, inform the data subject and obtain the data subject's consent before doing so.

In practice, data users usually discharge these obligations by presenting the data subject with a Personal Information Collection Statement. Where consent to the use of data for direct marketing is required, this document is typically signed or otherwise positively acknowledged by the data subject to record that consent.

Separately, DPP 5 requires data users to take all reasonably practicable steps to ensure that any person can ascertain the data user's personal data policies and practices. To this end, data users usually make available to the public, on paper at their premises or electronically on a website, a Privacy Policy Statement. It is also common to see a single document that serves as both Personal Information Collection Statement and Privacy Policy Statement.

The Mainland China approach to personal data protection is rather different from the Hong Kong one. There is no single statute devoted exclusively and comprehensively to personal data; the rules are instead scattered across several enactments.

First, the Law on the Protection of Consumers' Rights and Interests contains some provisions on the topic (inserted by the 2013 amendment). However, as its name suggests, this piece of legislation concerns only the protection of consumers' personal data.

The Cybersecurity Law, passed in 2016, places some provisions on the protection of personal data (mostly in Chapter IV) within a framework generally aimed at the security of "networks". The requirements of this law mainly target "providers of network products or services", "network operators", and "operators of critical information infrastructure".

Article 253(A) of the PRC Criminal Law punishes the "crime of infringing citizens' personal information".

Laws issued by the National People's Congress are complemented by a number of industry-specific regulations and official standards ("GB" standards), which define more specifically the notions used in the laws (often left undefined there) and recommend best practices. Most of these standards are not binding in themselves, but they may become binding on the parties if referred to in a contract, or acquire strong persuasive value if frequently cited in the decisions of enforcement authorities.

The new PRC Civil Code, in force from 1 January 2021, devotes the entire Chapter VI of Part IV to the Right to Privacy and Protection of Personal Information. It thus provides, for the first time, a general set of rules on the topic, with requirements applying to anyone handling personal data rather than to specific categories of operator.

In the future, a Data Protection Law might also join the sources described above. A draft of this law was published for public comment in July 2020. At first glance, its scope of application appears vague and wide; the definition of "data activities" it uses lends itself to cover, inter alia, the collection and processing of personal data.

Turning to the Cybersecurity Law, this enactment applies to the construction, operation, maintenance and use of networks within the territory of the People's Republic of China. Although the Law does not provide for its own extra-territorial application, the ubiquity of the Internet and the vagueness of many concepts used by the Law leave room for it to be applied to parties located outside Chinese territory.

The Cybersecurity Law defines "personal information" (rendered here as "personal data") as any kind of information, recorded electronically or in any other form, that alone or in combination with other information is sufficient to identify a natural person, including but not limited to a natural person's name, date of birth, identity document number, personal biometric information, address and telephone number.

The Law requires "network operators" to: (i) keep user information confidential and establish measures to protect it; (ii) collect and use personal data lawfully, properly and only to the extent necessary; (iii) make public their collection and use rules, and state the purposes, methods and scope of collection and use; (iv) obtain the consent of the persons whose personal data are to be collected; and (v) in the event of a data leak, take immediate remedial measures, promptly notify the affected users and report to the competent authorities. Data subjects may request deletion of their data where its collection or use breaches the law or the parties' agreement, and correction where the data is inaccurate.

In addition, "network product or service providers" whose products or services collect user information must make this clear to users and obtain their consent. "Operators of critical information infrastructure" must, as a rule, store within Chinese territory the personal data and "important data" collected and generated in the course of their operations within the PRC. Where transfer abroad is genuinely necessary, a security assessment is required, to be carried out under implementing provisions that are still largely awaiting a definitive formulation.

In practice, where the statute requires data subjects to be informed about the collection and use of personal data, operators generally publish dedicated statements on the topic, first and foremost on their websites.

The Cybersecurity Law relies heavily on general concepts, which the authorities can fill in with content through standards, published decisions, lists of guiding cases, and so on. This gives them considerable leeway in day-to-day enforcement, and correspondingly less predictability for operators.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.