How to Manage Cross-Border Data Transfers in Hong Kong

Businesses have become increasingly reliant on cross-border data transfer to carry out essential business operations and to deliver services to clients. Nevertheless, this type of business transaction is not without risk and needs to be properly managed. Padraig Walsh, Partner in the Tanner De Witt Data Privacy practice group, outlines key points to consider when planning and conducting a data transfer.

A key point to note is the interpretation of certain data privacy principles. These first principles may seem obvious, but are sometimes not well understood. For example, the definition of personal data is interpreted quite differently in Hong Kong than elsewhere. As a result, data transfers to and from Hong Kong are subject to different requirements.

Whether the GDPR applies to a particular transfer of personal data is also a factor to take into account. For example, the GDPR requires that an importing entity agree to standard contractual clauses or contribute to a transfer impact assessment if it processes personal data of individuals in the EU, offers goods or services to such individuals in the EU, or monitors their behaviour (including online tracking).

What does this mean for Hong Kong?

The PDPO provides a comprehensive set of rules on cross-border data flows. These include:

The requirement to adopt contractual or other means to prevent the personal data of individuals that is transferred to a data processor, in Hong Kong or outside the territory, from being accessed, processed, erased, lost or used without authorisation (DPP 2 and DPP 4).

The recognition that a data user is responsible and liable for the acts of his agents, including those of his data processors (DPP 65).

A transfer of personal data is considered to be a “use” under the PDPO, and a change in use requires the voluntary and express consent of the individual in respect of whom the use is made. The PCPD has clarified that data transfer is a form of use and therefore must be notified to the individual in a PICS on or before collection of the personal data. The PICS must include an indication of the classes of individuals to whom the data might be transferred.

Despite the fact that increased cross-border data flow has been identified as an important component of our economy, it now seems likely that implementation of section 33 will not be renewed. This is in stark contrast to the global trend towards implementing an adequacy regime for cross-border data transfers.

The resistance to implementation from the business community was based on perceptions that an adequacy mechanism could cause a negative impact on business efficiency and the cost of compliance. Nonetheless, it remains to be seen if the need for efficient and reliable means of transferring personal data with mainland China and internationally will drive any change in Hong Kong’s position on this issue.