PDPO Obligations for Cross-Border Data Transfers in HK

Hong Kong’s data privacy laws are very strict, so businesses need a good understanding of them when doing business in Hong Kong or transferring personal data to Hong Kong. The Personal Data (Privacy) Ordinance (PDPO) contains some onerous obligations in respect of cross-border data transfers, and there is extensive guidance on how to fulfil these obligations (including recommended model clauses for inclusion in contracts).

However, this guidance is only advisory and the statutory obligation to comply with it is largely a matter of contractual arrangement. These arrangements may be expressed in a separate contract, as schedules to a main commercial agreement or as contractual provisions within the main commercial agreement. The form ultimately does not matter; what matters is that the contractual arrangements comply with the PDPO and do not impose any undue burden on the business doing the transfer.

One of the most significant obligations in respect of cross-border data transfers is that a data exporter must inform the data subject that their personal data will be transferred outside Hong Kong and the underlying grounds for such transfer. This is often fulfilled by including a statement to this effect in a Personal Information Collection Statement (PICS) that is provided to data subjects before the personal data is collected. It is also good practice to include this information in writing.

If the personal data is being transferred to a place outside Hong Kong that does not provide a level of protection similar to that provided by the PDPO, then a data exporter must carry out a transfer impact assessment. This involves evaluating the risks to data subjects and their families that would be presented by a particular transfer and considering whether there are adequate supplementary measures available to mitigate such risks.

In addition, there is a requirement to adopt contractual or other measures that prevent personal data being retained longer than necessary for the processing of such data (DPP 2(3)). There is a further requirement to ensure that a data exporter takes appropriate steps to protect personal data that has been transferred to a place outside Hong Kong from unauthorised access, interference, destruction or disclosure (DPP 4(2)).

It is possible that in future, section 33 of the PDPO will be amended so that it will impose restrictions on the transfer of personal data from Hong Kong to places outside Hong Kong. Until this happens, businesses need to be mindful of their obligations and to use best practices and ethical standards in their governance of personal data. This will be particularly important as Hong Kong continues to integrate with mainland China under the “one country, two systems” principle. The volume of cross-border data transfers will likely increase as a result and businesses need to be aware of the obligations they face when doing so.