Data transfers are an essential part of global business, but the regulatory burdens imposed on personal data transfers can be complex. This article, written by Padraig Walsh from the Data Privacy practice group of Tanner De Witt, explores some key points to consider for anyone involved in a transfer of personal data, whether that be from Hong Kong to other locations or into Hong Kong from elsewhere.
Firstly, it is important to remember that a person will be considered to be a data user under the PDPO if they have operations controlling the collection, holding, processing or use of personal data in Hong Kong (or, more precisely, controls any part of those processes). That means that when a person transfers personal data abroad, he will likely have to comply with a range of obligations – including the core six DPPs which form the heart of his obligations under privacy law in Hong Kong.
For example, a key obligation is that a data user must expressly inform a data subject on or before collecting his personal data of the purposes for which that personal data will be used and the classes of persons to whom it may be transferred. The PCPD has clarified that, where a data user wishes to transfer his personal data to someone in one of those classes of persons, he must obtain the prescribed consent from the individual for that purpose (DPP 1) and disclose that fact to him (DPP 3).
A further requirement is that a data user must carry out an assessment of any foreign jurisdiction’s laws or practices which could cause problems with compliance with the DPPs or with the rights of data subjects under the PDPO (DPP 4). This assessment, known as a transfer impact assessment, needs to be conducted before transferring any personal data to a destination country or territory. If the assessment shows that the destination jurisdiction’s laws or practices will not be compatible with the PDPO, then the data exporter must either suspend the transfer or implement appropriate supplementary measures before making the transfer (DPP 5).
It is worth noting that the PCPD has published two sets of recommended model contractual clauses for use in these circumstances. The model clauses are designed to cover the situations where a data exporter is transferring personal data abroad from a Hong Kong company to another entity outside Hong Kong; or between two entities both of which are outside Hong Kong when the transfer is controlled by the Hong Kong data exporter (DPP 6). These clauses can be used as separate agreements or included in schedules within larger commercial arrangements. The form ultimately does not matter; the substance and content do. The best solution will be one that is practical and flexible enough to accommodate the needs of your specific business.