Data hk aims to promote efficient compliance with data transfer regulation, reduce business risk and encourage best practice within organisations. Padraig Walsh, from Tanner De Witt’s Data Privacy team, takes us through the key points to note on cross-border personal data transfers.
As the global economy becomes increasingly interconnected, businesses are often required to transfer personal information across borders to meet their contractual or commercial needs. This can be a complex issue, particularly where the laws of different jurisdictions may differ significantly. There are a number of data transfer-related issues that need to be considered, including the lawfulness of the transfer, the underlying purpose, and whether any statutory restrictions apply.
The first question to consider is whether a particular transfer is lawful. In Hong Kong, the Personal Data Protection Act (“PDPO”) does not contain a statutory restriction on the transfer of personal data outside of the territory. However, this does not mean that the transfer is lawful – there are certain conditions that must be fulfilled in order for a transfer to be valid.
In addition, it is important to remember that the concept of ‘data user’ in the PDPO encompasses not only an entity that directly controls the collection, holding or processing of personal data but also an entity that is a controller or processor of personal data on behalf of another person. Therefore, a company that is a data controller in respect of a particular set of personal data but not a data user in relation to that same set of personal data may still be required to comply with the PDPO (particularly its six core data obligations).
If a transfer is permitted under the PDPO, the next question is what constitutes “personal data”. The PDPO defines the term as any information concerning an identifiable natural person, such as name, identity card number, address, location data, online identifier or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. However, there are a number of other categories of data that could be considered to fall within this definition, for example, the content of telephone conversations.
For data transfer purposes, a further consideration is whether the entity to which the data is being transferred would be required to undertake a transfer impact assessment under GDPR. This requirement is applicable where a data exporter processes the personal data of persons resident in the European Union, offers goods or services to them in the EU or monitors their behaviour in the EU. There are increasing numbers of circumstances where this requirement will apply to businesses that operate in the territory and process data originating from the EEA, including some very well-known internet giants.
As a result, many businesses will have to carry out some form of transfer impact assessment in order to ensure that they comply with the requirements of the PDPO and its DPPs. In addition, there are a number of sets of recommended model contractual clauses that the PCPD has published that can be incorporated into data sharing agreements or processing arrangements with other data users. These can be standalone documents or inserted as contractual provisions within a main commercial agreement.