Data hk
A key consideration when considering transferring personal data outside of Hong Kong is whether or not it will be subject to regulation imposed on data transfers by the local data protection authority. In this article, Padraig Walsh, Partner and head of the Data Privacy practice at Tanner De Witt discusses the interpretation of Hong Kong law in respect of cross-border data transfers.
While a number of other jurisdictions have established regimes that provide for an adequacy or equivalent status for personal data transferred to those jurisdictions, Hong Kong has not done so. Instead, section 33 of the PDPO sets out certain requirements to be fulfilled by a data user when it transfers personal data out of Hong Kong.
In particular, it requires that the data user expressly informs a data subject on or before collecting their personal information of the purposes for which the data will be used and of the classes of persons to whom the data may be transferred. These obligations are a part of a data user’s duty to fulfil its obligation to collect personal information fairly and in accordance with the PDPO.
If these requirements are not met, the data transfer will be unlawful. However, a data exporter may be able to satisfy these requirements by conducting an adverse transfer impact assessment of the transferring personal information and taking supplementary measures (for example, adopting standard contractual clauses). In some limited cases, it might also be possible for a data exporter to proceed with the transferring of personal information without an adverse transfer impact assessment being carried out.
While the position in Hong Kong may seem out of step with international developments, it is not without some merit. Having a clear and consistent legal position on data transfer matters can make compliance much easier. It is important that businesses consider these issues carefully when reviewing their policies and drafting agreements. The PCPD has published some helpful guidance on the implementation of these obligations and recommended model clauses which should be considered. These clauses can be included in separate agreements, schedules to a main commercial agreement or as contractual provisions within the main commercial arrangement. Whichever way they are drafted, the key to success is that the clauses comply with the requirements set out in the PDPO. This will help to ensure that the data exported from Hong Kong meets its legal obligations to protect the personal information of data subjects. This, in turn, can help to avoid potential liabilities under the PDPO and other laws that apply to data users. This is good news for businesses that need to transfer personal data between locations. And, as increased cross-border business activities take place with Mainland China under the “one country, two systems” principle, this will become even more crucial.