Padraig Walsh, partner in the Data Privacy practice group at Tanner De Witt, explores the key points to consider when a Hong Kong business transfers personal data outside of the jurisdiction.
The PDPO sets out very significant, onerous obligations in respect of transferring personal data outside of Hong Kong. There are also very comprehensive guidance documents on how to comply with these obligations, including model clauses which can be inserted into contracts with other data users or processors. These are intended to help data users fulfil their statutory obligations and achieve the highest level of protection of personal data.
However, increased cross-border data flow has been seen as an essential attribute of the economic success of Hong Kong and a key ingredient for global competitiveness. Increased international recognition of data protection standards has helped in the development of Hong Kong as a global hub for information and communications technology. It is therefore not surprising that increased international data flows have not been viewed as a pressing cause for change in section 33 of the PDPO.
In 2020, it was argued that the benefits of international data flows outweighed the possible risks to individual data protection, and that facilitating the free flow of personal data was an irreplaceable attribute of Hong Kong’s economy. It was thus decided that the implementation of section 33 should not be rushed and that it would be appropriate to take a more measured approach.
Consequently, it appears that the intention of the PCPD has been to move from a position of advocating the rapid adoption of international open data principles and assessment tools in Hong Kong to a more comfortable position where they are not needed at all. It now looks increasingly likely that implementation of section 33 may never occur.
The definition of “personal data” in the PDPO is very broad. It includes any information that is able to identify a person. It could, for example, include the name and HKID number together as displayed on a staff card, together with personal characteristics such as age, sex, location data, or online identifiers. It could also include other factors relating to the physical, physiological, genetic, mental, economic, cultural or social identity of a person.
A Hong Kong data exporter will need to carry out a transfer impact assessment where it is intending to transfer personal data to a destination in another jurisdiction where those jurisdictions have laws which are substantially similar to the PDPO (including the requirement for a data transfer agreement). This is most commonly the case when the destination is the European Economic Area (“EEA”).