When a business is transferring personal data between locations, it’s essential to understand the regulatory requirements and legal risks involved. This article from the data privacy practice at Tanner De Witt outlines key points to consider regarding data transfers in Hong Kong.
A transfer impact assessment is an important tool for determining whether the proposed data transfer will meet the requirements of Hong Kong law. It assesses the impact of the proposed data transfer on the rights and freedoms of the individuals whose information is transferred, and seeks to ensure that the information will be adequately protected in the destination jurisdiction. The assessment may also help a data user avoid penalties for breaching the requirements of Hong Kong law. The assessment process is mandatory for some data exports. There is also a growing number of situations in which a Hong Kong data user will need to conduct a transfer impact assessment by virtue of the laws of other jurisdictions.
While the PDPO does not expressly confer extra-territorial application, it does contain a provision that is intended to limit the cross-border transfer of personal data to places outside of the EEA. The provision in question is found in section 33 and is designed to prohibit the transfer of personal data out of Hong Kong unless certain conditions are met. To determine if this restriction applies, a data user must first consider whether they have any operations that control collection, holding, processing or use of personal data in or from Hong Kong. If not, then the PDPO does not apply.
This statutory restriction is triggered by the transfer of personal data from Hong Kong to a third country, and in some limited circumstances by the transfer of personal data from other jurisdictions into Hong Kong. The restrictions are intended to promote the free flow of personal data, but they can also have the effect of limiting the ability of businesses to compete globally and to engage in cross-border activities.
As a matter of good practice, a data exporter should ensure that it complies with the obligations imposed on it by section 33. This includes the requirement to expressly inform a data subject, on or before the original collection of their personal data, of the purposes for which it will be used and of the classes of persons to whom it may be transferred. The data exporter must also obtain the voluntary and express consent of the data subject to transfer their personal data for a purpose that is different from those originally notified.
There is a wide range of guidance available on how to fulfil the data transfer obligations imposed by the PCPD. This includes model clauses that data exporters can incorporate in contractual arrangements with their data importers. These can be written as separate contracts or as schedules to main commercial agreements. In most cases the form of these arrangements will not be relevant, but it is critical that they include the required elements.