Whether you are an experienced data hk expert or just starting out, you need to understand how regulations on personal data transfers work in Hong Kong. Padraig Walsh from Tanner De Witt’s data privacy team explains some of the key points to consider.
Section 33 of the PDPO prohibits a transfer of personal data outside of Hong Kong unless certain conditions are fulfilled. This prohibition is intended to ensure that personal data transferred outside of Hong Kong is adequately protected by laws and practices in the destination jurisdiction. It is also intended to ensure that a transfer of personal data into Hong Kong takes place only where it is required for lawful purposes.
One of the basic requirements for data hk is that the person collecting the personal data must fulfil a number of statutory obligations before transferring it, including giving the data subject a personal information collection statement (PICS) on or before the collection of his personal data. This PICS must include a clear statement of the purpose for which the personal data is being collected, and that the purpose is directly related to the function or activity of the data user. It must also specify that the personal data will not be used for a different purpose without the further voluntary and express consent of the data subject. This is a standard element of PICSs under many other data privacy regimes.
However, there are some differences between Hong Kong and other regimes with respect to the scope of these obligations. In most cases, the scope of these obligations is determined by whether a person controls the collection, holding, processing and use of personal data in, or from, Hong Kong. This is in contrast to some other data privacy regimes which have a more expansive approach to extra-territorial application.
This can have a significant impact upon the application of this restriction and its enforcement. The HKPCPD has published a set of recommended model clauses which are designed to address this. These model clauses are applicable to the transfer of personal data from a data user located in Hong Kong to a data user located outside Hong Kong or between two entities, both of which are located in Hong Kong but are controlled by different data users.
The HKPCPD has taken a pragmatic approach to the implementation of this provision and has not ruled out revising it in future. It has acknowledged that increased cross-border data flow is a vital part of the global economy and that it is in the interests of both Hong Kong and the rest of the world to facilitate this where possible. However, the HKPCPD has recognised that this must be balanced with the importance of protecting personal data and the need to allow businesses to continue to operate efficiently. This balance will be a key consideration in any policy discussion on the scope of section 33.