As a data expert, you may have a keen interest in how the laws around data protection are changing worldwide. However, if you are a business operating in Hong Kong, you will be aware that there are specific and significant obligations to fulfil under our existing framework.
One of these arises where a person acquires personal data and is considered a “data user”: that person must fulfil a range of statutory obligations. These include, inter alia, complying with the six DPPs that form the core data obligations, and ensuring that those obligations are met in respect of cross-border transfers (as data transfer is a form of data use).
This requirement was introduced under the PDPO in 2014 with the intention of facilitating increased cross-border data flow, which was seen as an irreplaceable attribute of Hong Kong’s economy. However, resistance from the business community to implementing section 33 resulted in its being dropped from the agenda of legislative reform of the PDPO for some time.
When a data user is considering transferring personal data to a non-EEA country, the PDPO requires him or her to undertake an assessment of whether that jurisdiction’s law and practices will result in the transferred data not being adequately protected. If this assessment is adverse, the data exporter must either suspend the transfer or implement adequate supplementary measures.
The assessment will need to consider technical measures such as encryption, anonymisation or pseudonymisation; contractual measures such as audit, inspection and reporting, breach notification, and compliance support and co-operation arrangements; and other measures such as ensuring that data processing in the data importer’s jurisdiction is carried out under a binding decision of a supervisory authority. However, in limited circumstances, the data exporter may be able to proceed without imposing any supplementary measures if it can demonstrate that it has no reason to believe that the relevant jurisdiction’s laws and practices will not adequately protect the transferred personal data.
This position may seem out of step with international trends and, in particular, the increasing emphasis on adequacy and equivalent regimes. But it is not necessarily without merit, particularly given the specific circumstances of Hong Kong and the need to maintain our competitive advantage in global data flows. In the long run, though, it is likely that market forces and the need to have efficient and reliable means of transferring data with mainland China and internationally will drive change in Hong Kong’s position. In the meantime, businesses should take heed of the PCPD’s guidance on implementing cross-border transfers and ensure that they are fully up to speed with what is required. For those who need help in ensuring compliance, hiring a data privacy officer (DPO) may be worth the investment.