Transfer Impact Assessment – How to Evaluate Personal Data Before Transferring It Away

Amid a growing global movement to strengthen data protection laws, many countries have made significant changes in the way they regulate personal data processing. Some, such as the European Union (“EU”), have introduced a new legal framework known as GDPR. Others, such as Hong Kong, have incorporated the same principles into local legislation. Both regimes are intended to protect individual privacy by setting out clear rights and enforceable obligations for individuals and businesses. Businesses are also required to perform a process known as a transfer impact assessment before transferring personal data abroad.

The EU’s GDPR has established a number of new rights for data subjects and imposed hefty fines on businesses that fail to comply with its provisions. While Hong Kong’s PDPO contains similar provisions, the scope of its jurisdiction is narrower, and enforcement is less stringent. Nevertheless, it is becoming increasingly common for Hong Kong companies to be required to undertake a transfer impact assessment before exporting data abroad.

A transfer impact assessment is a procedure that involves an evaluation of the level of protection in a foreign jurisdiction against the six core data protection principles contained in the PDPO. It is not mandatory under Hong Kong law, but there are a growing number of circumstances in which it is necessary for a Hong Kong business to conduct such an assessment if it proposes to transfer data outside the territory.

Firstly, it is necessary to determine whether the data is actually personal data. Hong Kong law defines “personal data” as any information relating to an identified or identifiable person. This is a much narrower pool than in other jurisdictions, and it may exclude data that would be considered personal elsewhere. For example, a photograph of a crowd at a concert will be considered personal data under the PDPO, but only if the photographer intends to identify individuals in the photo.

In addition, it is necessary to consider whether the data will be used for a purpose other than that set out in the Personal Information Collection Statement (PICS). If the data will be used for a different purpose, then the data user must obtain the voluntary and express consent of the data subject to do so. This requirement applies even when the use of the data is permitted under one of the exceptions to a use limitation or access requirement under the PDPO, such as for safeguarding national security, defence and international relations, prevention of crime or serious improper conduct, news activities or life-threatening emergencies.

Once it is determined that the data transfer is permissible under PDPO, then the data exporter must review its Personal Information Collection Statement and ensure that the proposed transfer is covered by one of the six permitted purposes. It must also verify that it has the necessary legal basis to transfer the data and review its contractual arrangements with the data importer. These arrangements can be in the form of separate agreements, schedules or contractual provisions within the main commercial agreement.