Hong Kong is one of the few jurisdictions that does not contain a statutory restriction on the transfer of personal data outside of its territory. However, that does not mean there are no protections to consider in respect of such transfers. Indeed, there is a substantial amount of guidance to assist with fulfilling the various and sometimes complex obligations that arise in such circumstances.
The first step in assessing whether there are issues with a proposed transfer is to determine whether the data in question is actually personal data. As noted in the data hk article, this will typically only be the case if a person or entity controls the collection, holding or processing of the data. It is also important to ensure that the data relates to identified persons. This will be a significant factor in determining whether the data is subject to the obligations set out in the PDPO.
A number of other criteria are then required to be considered, including the purposes for which the data is collected and the classes of persons to whom it may be transferred. It is essential that these criteria are clearly notified to the data subject on or before the original collection of the personal data. The PCPD has issued a set of recommended model contractual clauses that can be incorporated into commercial arrangements between data users. The clauses can be drafted as separate documents, or they can be included in schedules to the main commercial agreement. The PCPD has provided some helpful examples to assist in understanding the key points.
It is also necessary to consider whether the data subject has consented to the data being transferred. If not, the transfer is a breach of the PDPO and may be a criminal offence. Consent can be withdrawn at any time, but it is normally best to seek consent prior to the collection of the data in the first place.
Once the data is transferred, it is also essential to comply with the provisions of section 33 of the PDPO. This provision prohibits the transfer of personal data outside of Hong Kong unless certain requirements are met. The PCPD has commenced a review of the operation of this section, which is expected to be completed later this year.
As a result of this, it is likely that it will be more common for data exporters from the EEA to agree to standard contractual clauses in order to fulfil their obligations in this regard. The PCPD has recently published two sets of recommended model contractual clauses. These cater for situations where a data user transfers personal data to another entity that is not located in Hong Kong, or where the transfer is between two entities that are both located outside Hong Kong but controlled by a data user in Hong Kong. In such cases, the clauses will provide a mechanism to bring the level of protection of the personal data up to the standard of Hong Kong.