The rapid growth of business with mainland China and internationally makes data transfers commonplace. As such, it is important for businesses to understand the regulation imposed on data transfer. This article, by Padraig Walsh from the Data Privacy practice group at Tanner De Witt, provides a brief overview of the issues in this area.
A key first consideration is whether the data transfer provisions of the Personal Data (Privacy) Ordinance (PDPO) even apply to the matter in hand. In this regard, it is worth remembering that the PDPO defines “data user” to mean any person who controls the collection, holding, processing or use of personal data. Accordingly, a data transfer issue arises where a Hong Kong business is collecting personal data and intends to transfer it to a third party for processing or some other use. In such a case, the data user must prepare a Personal Information Collection Statement (PICS) and comply with the six core data obligations set out in the PDPO.
Section 33 of the PDPO prohibits the transfer of personal data out of Hong Kong unless certain conditions are fulfilled. However, there are many other factors to consider before it is possible to conclude that this provision has been breached.
A common mistake is to consider that section 33 does not apply at all. This is a mistake because the scope of the PDPO is wider than many people think. The PDPO applies to all operations controlled in, or from, Hong Kong. It does not, as is sometimes believed, include express provisions conferring extra-territorial jurisdiction.
Moreover, the PDPO requires a data user to expressly inform a data subject, on or before collecting his personal data, of the purposes for which the information will be used and the classes of persons to whom the information may be transferred. This is a requirement of the type that is found in other data protection regimes and, as such, a breach of this section could result in a HK$1 million fine and imprisonment for up to three years.
Furthermore, it is important to remember that the PDPO states that a data transfer will not be permitted if the transferring party does not agree to impose supplementary measures designed to bring the level of protection in the foreign jurisdiction up to that provided for by the PDPO (e.g. a standard contractual clause). This is a common requirement for EEA data exporters, and there is a growing number of instances in which a Hong Kong data exporter will need to undertake this process to ensure that its transfer is lawful.
The complexities of this issue are vast and this article has only scratched the surface. It is therefore important for businesses to be aware of the issues in this area and to obtain legal advice. The rapid development of a data economy with mainland China and beyond means that this is a topic that will continue to evolve over time. As such, it is important for all parties to keep up to date with the latest developments.