The Model Contractual Clauses for Cross-Border Data Transfers

Hong Kong is well known as a leading centre for data management and hosting. It is the location of some of the most advanced and secure data centres in the world, serving many of the world’s most important companies. It is also a major hub for international data flows, particularly with mainland China. As a result, there is significant demand for efficient and reliable means of transferring personal data across borders.

The Hong Kong Privacy Commissioner for Personal Data (“PCPD”) has recently issued a new set of model contractual clauses in respect of cross-border data transfers. The new clauses are designed to be used by data users when transferring personal data overseas, as a way of fulfilling their obligations under the PDPO. However, the clauses are not a statutory restriction on the transfer of data outside of Hong Kong. In fact, it seems increasingly likely that section 33 of the PDPO will never come into force in Hong Kong.

For the sake of clarity, it is important to remember that under Hong Kong law, a “data user” refers to any person who controls the collection, holding, processing or use of personal data. This includes any person who controls the collection, holding, or processing of personal data on behalf of another entity. Consequently, the PCPD’s model contractual clauses are intended to cover a wide range of situations where the PDPO might apply. This would include any situation where a data user was importing personal data from the European Economic Area (“EEA”) into Hong Kong, or exporting personal data to the EEA from Hong Kong.

In these circumstances, the PDPO requires that data users notify the data subjects of the classes of personal data being transferred abroad and the purposes for which the personal data is collected. This obligation is also known as the “PICS” requirement. Moreover, the PDPO provides that data users must comply with a number of other statutory obligations when collecting personal data. This would include requirements such as DPP1 (purpose of collection) and DPP3 (use of personal data).

Finally, the PDPO requires that a data user identify and adopt any supplementary measures necessary to bring the level of protection provided in the foreign jurisdiction up to Hong Kong standards. This might include technical measures such as encryption or pseudonymisation, or contractual provisions such as audit, inspection and reporting, breach notification, and compliance support and co-operation.

Although a transfer impact assessment is not mandatory under Hong Kong law, it is a good idea in many circumstances. For example, there are growing numbers of cases where a Hong Kong data importer will need to undertake a transfer impact assessment in order to agree to standard contractual clauses with a data exporter from the EEA. This is because the laws of the EEA are not yet comparable to those of Hong Kong under the “one country, two systems” principle. It is important that any such assessments take account of the need to provide adequate legal protections when transferring data to the EEA.
