Data transfers are a core element of modern business activity. It is therefore important for businesses to understand the data privacy regulation imposed on cross-border data transfer to reduce business risk and promote efficient compliance across the organisation. In this article, Padraig Walsh, a Senior Associate of the Tanner De Witt data privacy practice group, explains how the law applies to personal data transferred outside Hong Kong.
Many different data privacy regimes impose restrictions on cross-border data transfers. These include statutory provisions that prohibit the transfer of personal data outside of the jurisdiction in which it was collected (e.g. section 33 of the PDPO), contractual clauses that impose obligations on data users to take steps to ensure that the level of protection provided for the data in the recipient jurisdiction is equivalent to that in Hong Kong, and a requirement to obtain the consent of data subjects prior to transferring their personal data abroad.
Despite the existence of these rules, it is still common for businesses to transfer personal data overseas without complying with these requirements. This is often due to the belief that compliance with these rules would be too onerous and costly, or because of concerns about potential enforcement action.
In order to address these concerns, the PCPD has issued a set of recommended model clauses for inclusion in contracts dealing with cross-border data transfers. These provide for the use of a range of technical and contractual measures to bring the level of protection offered by the data exporter into line with that required by the PDPO. These supplementary measures may be technical, such as encryption or pseudonymisation, or contractual, such as obligations on audit, inspection and reporting, breach notification, and compliance support and co-operation.
The model clauses are designed to be included in contracts between a data user and a data processor, or between two entities both of which are controlled by a data user in Hong Kong. They are intended to be used to regulate the transfer of personal data outside of Hong Kong for processing purposes. This includes the transfer of personal data between a data user and its subsidiaries, as well as the transfer of personal data from one subsidiary to another.
The PCPD has also published a guide to the model clauses and their interpretation. The guide focuses on the application of the PCPD’s definition of “personal data”. This is defined to mean information relating to an identifiable natural person, and includes names, addresses, identification numbers, location data, online identifiers, and factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. In this sense, the definition of “personal data” in the PDPO is broadly comparable to that in other international data protection regimes such as the GDPR in mainland China and the European Union’s General Data Protection Regulation. It is unlikely that this definition will be amended in the near future. However, if it is amended, it may have a significant impact on the scope of cross-border data transfers that would need to be governed by these provisions.