As data becomes increasingly central to the way businesses operate, it is essential that all parties involved understand their responsibilities and obligations. One of the most significant issues in this regard is cross-border data transfer and compliance with section 33 of the Personal Data (Privacy) Ordinance (PDPO). Note that section 33, although enacted, has not yet been brought into operation; the PCPD nevertheless treats its requirements as recommended practice, and the other provisions of the PDPO (in particular the Data Protection Principles) continue to apply to transferred data.
The general rule under section 33 is that personal data may not be transferred to a place outside Hong Kong unless one of the conditions set out in that section is satisfied, for example that the data subject has consented in writing to the transfer, or that the data user has reasonable grounds to believe the destination has a law substantially similar to the PDPO. In practice this means the data user should inform data subjects of the classes of persons to whom the data will be transferred and obtain their voluntary and explicit consent. The purpose of the requirement is to avoid the risk of a transfer being made without appropriate safeguards in place and to ensure that the data continues to be used only for the purposes for which it was collected.
This principle applies regardless of the format in which the data is stored and regardless of whether the recipient is a third party or the data user's own overseas operations. It therefore covers storing or processing data in a cloud environment hosted outside Hong Kong, and also remote access to the data from outside Hong Kong by the data user's own staff. There are a number of circumstances in which the data user may need to conduct a transfer impact assessment, and various resources are available on how to carry out such an assessment, including the six-step framework published by the European Data Protection Board in its recommendations on supplementary measures.
Having conducted a transfer impact assessment, the data exporter will need to identify and adopt supplementary measures where the assessment shows that the destination does not protect the transferred personal data to a standard comparable to that of Hong Kong. These supplementary measures can take a variety of forms, including technical measures such as encryption (with the keys retained by the exporter) and pseudonymisation, organisational measures such as access controls and staff training, and contractual provisions such as data processing clauses. The contractual arrangements can be contained in a separate agreement, in a schedule attached to the main commercial agreement, or as clauses within the overall commercial arrangement.
A number of jurisdictions have now included an extra-territorial element in their data privacy regimes, but Hong Kong has not. The PDPO applies only to data users that control the collection, holding, processing or use of personal data in or from Hong Kong. This is a different test from that applied in other jurisdictions, and it has the effect of defining the pool of data that falls within the scope of the cross-border transfer requirements: data controlled by an overseas entity with no operations in or from Hong Kong is not caught merely because it relates to Hong Kong residents.
Until further change in this area takes place, it is important that data users fully understand their duties and obligations in respect of transferring personal data across international borders. Failure to do so could have serious consequences. To this end, it is worth reviewing current practices and taking legal advice as necessary to ensure compliance. Further information is available on the PCPD's website.