How to Transfer Personal Data Between Locations

Hong Kong’s Personal Data (Privacy) Ordinance and its six data protection principles (DPPs) have global relevance, and business leaders are increasingly mindful of the need to ensure that their company can comply with these laws both locally and abroad. One issue that is arising more frequently is the need to transfer data between locations, and Padraig Walsh from Tanner De Witt’s Data Privacy practice guides us through the key issues to note when dealing with such transfers.

The first consideration is whether or not the data transfer is subject to PDPO regulations. For this to be the case, the transferring entity must be a data user. This triggers a range of statutory obligations including an obligation to notify data subjects of the intention to transfer their personal data and the underlying reasons. It also requires that the entity adopts appropriate measures to protect such data from unauthorised access, processing, erasure or disclosure and retains such data only for purposes that are directly related to its functions and activities.

It is important to note that the definition of ‘personal data’ in the PDPO is broad and does not exclude information relating to an individual’s business, profession or trade, even when it is not identifiable. This can include, for example, the name and HKID number of a person contained on a staff card, which is likely to be considered personal data under the PDPO. Therefore, if an individual’s personal data is included on a staff card, the data subject must be notified of the intention to transfer it and the underlying reasons.

The next step is to identify the supplementary measures that must be adopted to bring the level of data protection offered by the importing jurisdiction up to the standards required in Hong Kong. This is a common requirement for businesses exporting from the European Economic Area (EEA) to Hong Kong, but may arise in other circumstances as well. It includes technical measures such as encryption and pseudonymisation, but also contractual provisions such as those imposing audit, inspection and reporting, breach notification, and compliance support and co-operation obligations.

Once the supplementary measures have been identified, the transferring data user must agree to the terms of a data transfer agreement with the data importer, which should include clauses such as those set out in the PCPD’s recommended model contractual clauses. These provisions stipulate, for example, that the transferred personal data will only be used for the purposes for which it was collected, and that the transferred data is adequate but not excessive for those purposes.

The PCPD has been working hard to keep pace with the global evolution of data privacy regulations, and is engaged in a number of international initiatives. For example, it is a member of the Asia Pacific Privacy Authorities’ Cross-border Data Transfer Subgroup and the Data Privacy Working Group of the Digital Economy Steering Group. This engagement is critical to ensuring that the PCPD can keep pace with the increasing need for data transfer regulations across jurisdictions, and that the PCPD can develop into a body which can effectively promote best practices in and enforce adherence to data privacy laws both within Hong Kong and abroad.