In the wake of the recent data breaches, heightened attention to transparency and data security has raised awareness of how important it is for businesses to communicate with customers in an open and trustworthy manner. As such, the HKTA has announced that it will introduce a series of new initiatives to encourage companies to embrace transparency in their communications. These will include the release of a set of standard contractual clauses designed to protect personal data when it is transferred abroad, and a new database to provide information on how many companies have implemented these standards.
It is important to understand how data transfers are governed under Hong Kong law. The first step is to determine whether a transfer is covered by the data protection regime. The PDPO defines personal data as “information relating to an identifiable natural person”. However, it does not explicitly confer extra-territorial application. Accordingly, a person who does not control any operations involving the collection, holding, processing or use of personal data in, or from, Hong Kong will not be subject to the PDPO’s requirements on cross-border transfers.
Nevertheless, a transfer impact assessment may be required if a business is transferring data out of Hong Kong to a location outside the jurisdiction where the PDPO applies. This is because the PDPO requires that a data user must take reasonable steps to ensure that the data will be processed fairly in the destination country and that any adverse impacts on data protection are prevented.
The PDPO provides that, where an adverse impact is identified, a data exporter must suspend the transfer or implement adequate supplementary measures. This is often required in the context of a transfer to a country which does not have laws comparable to those of Hong Kong, such as those in mainland China or the European Economic Area.
A growing number of data exporters will need to comply with these provisions, and there are also some circumstances in which a Hong Kong data user must perform a transfer impact assessment simply because the law in the destination country requires it. For example, the Mainland and EEA-based General Data Protection Regulation requires that personal data may not be transferred to a third country without the consent of the data subjects.
On 29 December 2014, the PCPD published guidance on cross-border data transfers and recommended model clauses to be included in contracts dealing with such transfers. However, resistance from the business community has led to a shift in focus away from the implementation of section 33 as a clear policy objective, and it now seems likely that the provision will not be implemented in Hong Kong at all. This is regrettable, given the importance of cross-border data flows to our economy. It is also a missed opportunity for the PDPO to introduce international best practices in this area. The PCPD is reviewing the global regulatory framework on the free flow of personal data and will discuss with the Government the ways forward that will best suit our local circumstances.