Data transfers are a common part of business activity. However, it is important to understand the data privacy regulation that applies to personal data transferred from Hong Kong to other locations or from overseas to Hong Kong. Padraig Walsh from the Hong Kong data privacy team at Tanner De Witt guides you through some key points to consider for personal data transfers.
One of the first things to consider is whether the data transfer is subject to the jurisdiction of the Personal Data (Privacy) Ordinance (PDPO). A person is a data user under the PDPO if they control the collection, holding, processing or use of personal data either alone or jointly with others. A data user may not transfer any personal data that they control unless they have a lawful basis for doing so.
The PDPO defines “personal data” as information relating to an identified or identifiable person. This definition is broadly consistent with the meaning of personal data in other legislative regimes (such as GDPR).
In the case of a data transfer, it is also important to identify what data is being transferred. The PDPO requires a data user to expressly inform a data subject on or before the initial collection of their personal data of the classes of persons to whom they might transfer their personal data and of the purposes for which it will be used. It is a requirement to ensure that any transferred personal data will not be used or held for purposes other than those specified in the original notification to the data subject and that any changes to such uses require the prescribed consent of the data subject.
If a business is to transfer personal data abroad, it will be necessary to have contracts in place with data importers that contain the standard contractual clauses proposed by the EDPB or those approved by the PDPO for transfers of personal data from the EEA. These can be incorporated into separate agreements or as schedules to the main commercial arrangement. The form of the agreement does not ultimately matter, but the substance and content do.
Once a contract is in place, the data importer will be required to undertake a transfer impact assessment. This is a process of considering the level of protection available in Hong Kong for the personal data being transferred, comparing that with the laws and practices of the destination jurisdiction and identifying what supplementary measures are needed to bring that up to Hong Kong standards. This process can be time-consuming and complicated, particularly in respect of a large number of individual data importers.
The data protection environment is ever-changing. Businesses need to keep up with regulatory developments, including those affecting cross-border data transfers, in order to ensure that they are meeting their obligations and doing so effectively. The PDPO will continue to be an essential tool in this respect, and there is a need for efficient compliance with section 33 in light of increased cross-border data flow between Hong Kong and Mainland China under the “one country, two systems” principle.