Cross-Border Data Transfers

When a Hong Kong data user transfers personal data to another jurisdiction, he needs to be aware of and comply with the applicable data protection laws. These include the Hong Kong Personal Data Protection Ordinance (PDPO) and its six data protection principles. The PDPO establishes data subject rights and specific obligations for data users. In addition, there is extensive guidance that sets out how to fulfil these obligations in respect of cross-border transfers. This guidance includes recommended model contractual clauses that can be included in contracts between data users and data processors. These models can be in the form of separate agreements, as schedules to a main commercial agreement or as contractual provisions within the main commercial agreement.

The PICS requires a data user to expressly inform a data subject on or before the collection of his personal data of the purposes for which his personal data is collected and the classes of persons to whom the data may be transferred. The PICS further stipulates that the personal data cannot be used for a purpose not contemplated in the PICS without the voluntary and express consent of the data subject. Transferring personal data to another class of person or for a purpose not contemplated in a PICS would constitute a new use and therefore a new PICS would be required.

Cross-border data flow is a vital element of Hong Kong’s economic life and the facilitating free movement of personal information is one of the key features of Hong Kong’s legislative regime. However, increased cross-border data flow can also raise issues relating to the privacy of personal data. These issues can be resolved by the proper application of the PDPO and its DPPs.

A growing number of businesses in Hong Kong are involved in cross-border data transfers and will need to consider a PDPO-based PICS or undertaking and the associated contractual arrangements. These transfers are most frequently related to the movement of personal data from the Mainland under the “one country, two systems” principle and to businesses operating in the EU.

Unlike some other jurisdictions, the PDPO does not contain a statutory restriction on the transfer of personal data out of Hong Kong. This does not mean, however, that Hong Kong does not have data protection safeguards in respect of these transfers. There is a wide range of guidance and recommended model contractual clauses to protect data in these situations. This includes the obligation to carry out a transfer impact assessment and the requirement that a contract with the recipient include certain data protection clauses.

In addition, the PCPD has published an extensive guide to data transfers and recommended model clauses to be included in contracts involving these transfer arrangements. The guide is based on the concept of “control” and is designed to allow data users to fulfil their PDPO obligations in respect of cross-border data transfers. This guidance is an important resource for anyone who is managing data transfers between entities in different jurisdictions.