Data is one of the most powerful assets available to modern societies, but with such power comes great responsibility to ensure its safekeeping. Businesses should therefore familiarize themselves with all laws and regulations surrounding cross-border data transfers from Hong Kong into other locations or vice versa, including cross-border data transfer from other locations into Hong Kong. Padraig Walsh of Tanner De Witt’s Data Privacy practice group offers some key points on this matter in this article by him.
Initial consideration should be made of the difference between Hong Kong law and most other jurisdictions when attempting to identify whether certain data qualifies as personal information or not; Hong Kong’s definition of such data being significantly narrower.
Generaly speaking, for data to qualify as personal under Hong Kong law it must contain information which directly or indirectly identifies individuals. Therefore a photograph taken of a crowd enjoying an event could qualify as personal data even though its primary aim was not identifying specific people; similarly CCTV recordings in car parks, logs of people entering premises and meeting records which do not provide enough details of names can all qualify.
Given this narrower definition, it should come as no surprise that Hong Kong law places few statutory restrictions on the transfer of personal data between Hong Kong and other locations, or between entities controlled by Hong Kong entities. But this does not imply there are no protections pertaining to cross-border data transfer – quite the opposite – under Section 33 of the PDPO, data users must meet specific obligations regarding any transfer outside Hong Kong.
These obligations include but are not limited to the obligation of notifying a data subject of the purposes for which their personal data is being collected and transferred, including to whom and in what form. This should be accomplished through providing them with a PICS either prior to or at the time of collection. Depending on circumstances, this requirement may also require reference to an enforceable agreement between data exporter and importer.
PCPD has also published guidance on cross-border data transfer that includes model contractual clauses to include in contracts related to such transfers. These models are built for flexibility to accommodate individual business arrangements and can be implemented as separate agreements or schedules to existing contracts. Form isn’t what matters as much as content and substance. Data exporters should also take steps to bring the level of protection in foreign locations up to Hong Kong standards, including taking additional technical or contractual measures such as encryption or pseudonymisation, audit notification requirements or providing compliance support and co-operation services.