PDPO Requirements for Transfers of Personal Data Outside Hong Kong
If you have personal data which is transferred outside Hong Kong, you must comply with PDPO requirements on such transfers. In particular, there is a requirement to satisfy the six data protection principles (“DPPs”) in respect of such transfers.
While it is common for a Hong Kong entity to have personal data which is transferred abroad, the extent to which this requires compliance with the DPPs will depend on the type of data and the circumstances of the transfer. Depending on those circumstances, there may be no need to meet the requirements of section 33 of the PDPO, or there may be steps which should be taken in order to satisfy section 33.
In any event, a data transfer is only permissible if the transferring entity is a “data user” within the meaning of the PDPO. A data user is a person who controls the collection, holding, processing or use of personal information. This definition – and the jurisdictional scope of the PDPO – is different from that used in many other data privacy regimes.
For example, many such regimes apply to “controllers” rather than data users, and a controller is defined as a person who “controls the making of decisions on the use or disclosure of personal information”. This means that, even if there are no “controllers”, there might be an obligation for an entity to satisfy the requirements of a local data protection regime.
One of the key obligations is that a data user must inform a data subject about the purposes for which personal information will be collected, and the classes of persons to whom the data will be transferred. This is often fulfilled by giving the data subject a personal information collection statement (“PICS”) before collecting the personal data.
If a PICS is given, the transferring entity must also ensure that its agents or contractors do not use or disclose personal data without the consent of the data subject. This requirement can be fulfilled by including specific provisions in contracts with them.
Finally, a transferring entity must also undertake not to allow its agents or contractors to process personal data in places outside Hong Kong other than those which have been expressly agreed with the data subject. This is usually achieved by incorporating a set of recommended model contractual clauses into a commercial contract.
Padraig Walsh is a partner in the firm’s Data Privacy practice group. He has experience advising on personal data privacy issues across the full spectrum of business sectors and transactions.
With increasing integration between mainland China and Hong Kong under the “one country, two systems” principle, there is a growing need for efficient compliance in relation to cross-border data transfers. This article examines some of the key issues in this area. These include the interpretation of key data privacy concepts, such as the application of the notion of personal data in Hong Kong law, and the responsibilities and liabilities of data users when transferring personal data overseas.