Data Hk and Transfer Impact Assessments

Data Hk and Transfer Impact Assessments

Data hk is an open government platform, providing access to a wide range of public information in a single place. It allows users to view, download and analyse Hong Kong’s public data through line graphs, cross sectional plots and maps. It also provides an innovative way for researchers to gain new insights and address real-life problems.

Despite increased cross-border business activity, the free flow of personal data remains an important part of our economy and is a fundamental attribute of Hong Kong’s success under the “one country, two systems” principle. While cross-border data transfers are common between businesses, they must be done with caution as they face a number of regulatory challenges, including privacy regulations that apply in the destination jurisdiction and requirements to conduct a transfer impact assessment.

A key consideration is the legal definition of “personal data”. While this has not changed since the PDPO was first enacted, it was in line with international norms at that time, and has since been updated in other legislation such as the PIPL and GDPR. It includes information relating to an identified or identifiable natural person, which may include name, identification number, location data, online identifier and factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

This definition is critical in the context of a transfer impact assessment because it defines what must be assessed: “the level of protection available for the personal data in the jurisdiction to which it will be transferred.” Depending on how the assessment is conducted, the transferring entity will have to decide whether it should proceed with the transfer (and perhaps implement supplementary measures) or not.

If a transfer impact assessment reveals that the level of protection in the destination jurisdiction is low, the transferring entity must suspend the transfer or implement adequate supplementary measures. This could involve technical measures such as encryption, anonymisation or pseudonymisation, or contractual provisions imposing obligations on audit, inspection and reporting, beach notification, compliance support and co-operation.

Although the PDPO does not contain any express provision conferring extra-territorial application, the PCPD has published two sets of recommended model clauses to be included in contracts dealing with transfers that comply with the PDPO. These are intended to address the situation where a data user controls collection, holding, processing or use of personal data in Hong Kong, but the data is ultimately transferred to a person outside Hong Kong. These are not required for transfers between companies that both operate in Hong Kong. Nevertheless, the PCPD recommends their inclusion as it helps to reduce legal risk and promote efficient compliance with the PDPO in respect of transfers.