An effective data governance program involves numerous parties. It will affect employees, partners and customers with differing perspectives; to be successful it’s vital that everyone involved understands their roles clearly – one way is using a responsibility assignment matrix like RACI (responsible, accountable, consulted and informed), which ensures all stakeholders get timely access to relevant information.
Key among these provisions of the PDPO is Section 33, which prohibits the transfer of personal data outside Hong Kong without prior consent of its subjects. This provision was implemented to address privacy implications associated with cross-border data flows while simultaneously providing legal backing for these transfers.
However, Section 33 has not been implemented as intended due to resistance from the business community. There are various reasons for this lack of implementation such as its perceived adverse impact on operations or difficulty meeting compliance obligations. The PCPD has attempted to address these concerns; on 29 December 2014 they published guidance regarding cross-border data transfers as well as model clauses to include in contracts related to such transfers.
Additionally, the PCPD has reviewed the global regulatory framework on cross-border/boundary data flow, communicating with Government on how best to implement solutions which suit Hong Kong conditions, conducting outreach with stakeholders on how best to implement Section 33 within their organizations and encouraging them to do so.
Though not mandated under Hong Kong law, transfer impact assessments may become necessary in certain circumstances in order to comply with laws of other jurisdictions; such as when personal data needs to be transferred from Europe into non-EU nations.
Given China’s transition towards becoming an autonomous legal jurisdiction and Hong Kong’s increasing volume of data exchange between mainland China and Hong Kong, an efficient legal mechanism for data transfer may become even more necessary. The PCPD is currently working on legislative amendments in this area and looks forward to taking an proactive and forward-looking approach towards data protection. Our partnership network across the world continues its efforts in strengthening data protection standards and standards are promoted and strengthened as part of this global initiative. As we move ahead with global economic co-operation, cross-border data transfer between Hong Kong and Mainland is also critical for international economic cooperation. Together we can foster trusted and secure digital connections. Economic and societal growth will benefit, while our data citizens enjoy the highest possible level of personal data protection. We are certain that upcoming legislative amendments to PDPO will take an important step in this direction.