Hong Kong Privacy Commissioner recently published two sets of recommended model contractual clauses that address cross-border data transfers. These clauses aim to help facilitate compliance with the Personal Data Protection Ordinance (PDPO), and users’ obligations pertaining to international transfer. They take into account Hong Kong-specific legal and commercial realities pertaining to data transfers within this jurisdiction.
As soon as considering whether a transfer falls under PDPO is to establish who controls the personal data. Per the PDPO definition of “data user”, this refers to any individual or joint venture who manages collection, holding, processing or use of personal data; personal data includes an individual’s name; identification number; location information; online identifiers as well as factors specific to physical, physiological, genetic mental economic cultural or social identity of that individual.
Next, one should determine whether the entity transferring personal data (data exporter) has operations in Hong Kong that control its collection, holding, processing and use. If none such operations exist then it is unlikely that PDPO applies.
In such instances, transferring entities will need to conduct an impact analysis and take any necessary supplementary measures in order to bring protection levels offered by foreign laws and practices up to that of Hong Kong. Supplementary measures might include technical solutions like encryption or pseudonymisation or contractual provisions related to audit and inspection services, beach notification services or compliance support and co-operation services.
Finally, the transferring entity must not permit any foreign data importer to store transferred personal data outside Hong Kong other than where specifically agreed with. This requirement mirrors EU regulation, and serves to safeguard data subjects’ rights.
The current business view appears to be that, while there may be concerns over perceived adverse impact and compliance difficulties with PDPO regulations on businesses and difficulties associated with complying with it, no evidence has shown cross-border data transfers have compromised personal data privacy in Hong Kong. While this position may seem at odds with global trends, it has long been advocated by Hong Kong’s Privacy Commissioner and thus remains relevant. If the need arises in future for efficient and reliable transfers, the situation could change; we will remain vigilant as to this matter and monitor it closely.