Hong Kong Data Transfer Obligations and Best Practice
When it comes to transferring personal data internationally, businesses are often required to comply with the law. This article by Padraig Walsh from the Data Privacy practice group at Tanner De Witt takes a look at the various obligations that exist under Hong Kong law in this area, as well as best practice and ethical standards to consider when governing your company’s data.
As we all know, the Personal Data Protection Ordinance (“PDPO”) defines personal data as “data that relates to an identifiable natural person and is processed by any means.” While it may seem straightforward, there is sometimes an element of interpretation to this concept. For example, it is common to hear the notion of an identifiable natural person described as referring to a specific individual (identified, for example, by a name or ID number). In contrast, the PDPO explicitly mentions that this concept also covers groups of individuals, such as a class of people sharing a particular interest, or a group of companies that work together.
A key aspect of the PDPO is that personal data can only be collected, used or transferred for a purpose that is both lawful and fair in the circumstances of each case. In addition, it must be collected by means that are not unduly intrusive and that do not prejudice the rights and freedoms of others.
For this reason, it is important that all data users carefully consider the implications of any proposed use or transfer of personal data before implementing those actions. This is especially important where the use or transfer of personal data may conflict with any of the data protection principles (DPPs) or with any statutory exemptions.
One of the most significant implications of this is that, in Hong Kong, it is not enough simply to collect personal data for a legitimate purpose. It is essential that any such collection complies with the principles and requirements of the PDPO, including those that relate to cross-border transfers.
The PCPD has recently published two sets of recommended model contractual clauses to facilitate compliance with these provisions. The first set of models focuses on the transfer of personal data between a Hong Kong entity and an entity outside Hong Kong; the second addresses the transfer of personal data between two entities that are both outside Hong Kong.
If a Hong Kong data exporter intends to transfer personal data abroad, it must, in accordance with the PDPO, expressly inform any data subjects about the purposes for which the personal data will be used and the classes of persons to whom the personal data may be transferred (DPP1). The obligation to provide this information is broadly similar to that under GDPR, but it is not as stringent.
In addition, the PDPO requires a data exporter to carry out a transfer impact assessment before transferring personal data abroad. This is a fairly new requirement, and it requires the data exporter to identify any supplementary measures that would bring the level of protection of the personal data being transferred up to that of Hong Kong (DPP3).