Key Points About Cross-Border Data Transfers

Data privacy regulation imposes obligations on businesses to be transparent about how they collect, use, store and transfer personal data. The rules are complex and vary between jurisdictions. Tanner De Witt’s Padraig Walsh, partner in the Hong Kong office of the Global Privacy and Data Protection team, looks at key points about cross-border data transfers to help businesses reduce business risk and promote efficient compliance with these obligations.

Unlike many other data protection regimes, the Hong Kong Personal Data Protection Ordinance (“PDPO”) does not contain a statutory restriction on the transfer of personal data outside Hong Kong. Instead, a person is considered a “data user” under the PDPO if he controls the collection, holding, processing or use of personal data in, from or to Hong Kong (i.e. the jurisdictional scope of the PDPO).

A data user’s obligation to provide a Personal Information Collection Statement (“PICS”) is one example of a PDPO requirement that may affect data transfers. Another example is the requirement that a data user must expressly inform a data subject of the purposes for which his personal data will be used (DPP 1) and the classes of persons to whom his personal data may be transferred (DPP 3).

While it is not possible to prohibit the transfer of personal data outside Hong Kong, there are safeguards in place. A data user must use contractual or other means to ensure that the personal data he processes is protected from unauthorised access, processing, erasure, loss or use and is not retained for longer than is necessary for the purpose of processing. He must also comply with DPPs 2, 3, 4, 5 and 6 to prevent unauthorised disclosure of personal data and keep records of his activities.

In addition, he must ensure that any processor with whom he shares personal data has in place safeguards to protect the personal data. This can include written agreements, security policies and procedures, data protection officer oversight, audits, training and regular reporting to the PDPO. He must also ensure that he has a lawful basis to process the personal data and that any changes to processing arrangements require the prescribed consent of the data subject (DPP 7).

This is not an exhaustive list of requirements but highlights some of the main elements that need to be taken into account. Increasing cross-border flow of personal data is likely to increase the need for effective protections in this area.

The Privacy Commissioner for Personal Data (“PCPD”) has published a set of recommended model clauses to incorporate in contracts that deal with cross-border data transfers. These are designed to assist data users in fulfilling their obligations and can be incorporated into separate agreements, schedules to the main commercial agreement or as contractual provisions within the main commercial agreement. The form ultimately does not matter; the substance and content do.