How to Comply With Cross-Border Data Transfers in Hong Kong
Businesses engaging in cross-border data transfers face onerous obligations under Hong Kong law, for which comprehensive guidance has been provided. Most businesses take the approach of entering into contracts with importers that contain clear and enforceable provisions – these may take the form of separate agreements, schedules to main commercial agreements or contractual provisions within main commercial arrangements.
Contracts between businesses may also contain model clauses provided by the PCPD; though not mandatory, these models can be helpful. Businesses transferring personal data outside Hong Kong often conduct what’s known as a transfer impact assessment to assess how protected that personal data will be when leaving Hong Kong – something becoming more frequent with each transfer transaction.
Under the PDPO, “data user” refers to anyone who controls the collection, holding, processing or use of personal data. A person does not qualify as a data user if their personal data does not identify an individual in a manner which makes identification practicable; this aligns with other privacy laws such as GDPR and PIPL in mainland China.
Data users must obtain the voluntary and express consent of a data subject before collecting or using their personal data in any manner outside the PICS. This requirement ensures the protection of personal data against unauthorised transfer or usage.
If a data exporter conducts a transfer impact assessment and discovers that the laws of the destination jurisdiction do not conform to what the PDPO requires, it should either suspend the transfer or implement appropriate supplementary measures. These may be technical measures such as encryption, anonymisation or pseudonymisation, or contractual arrangements such as audit, inspection and reporting, breach notification, and compliance support and co-operation.
The PCPD’s role is to safeguard data subject rights from being undermined by transfer restrictions that do not exist, and it has published an extensive list of personal data likely to be transferred overseas. Furthermore, it publishes guidelines to help businesses comply with their data transfer obligations.
The law surrounding data transfers is intricate, so businesses should not underestimate the risks. Padraig Walsh from Tanner De Witt’s Data Privacy practice group can offer guidance and advise businesses regarding transfers as well as the issues they raise; contact him by e-mail or by calling +852 2368 2488 for help with data transfers or their implications.