The PDPO and the Model Clauses for Cross-Border Transfers of Personal Data

Hong Kong is a global business hub, home to regional offices and headquarters of multinational corporations, generating great demand for secure data centres. At the same time, we have a strong pool of mobile, agile and skilled ICT professionals.

As such, it makes sense that Hong Kong’s data protection laws should provide a trusted environment for these international businesses to operate from. The Personal Data (Privacy) Ordinance (“PDPO”) provides the legal framework for collecting, processing and transferring personal data in Hong Kong. The law’s six data protection principles (DPPs) form the core privacy obligations for data users.

One important element of the PDPO is its requirement that personal data collected in Hong Kong may not be transferred to places outside Hong Kong, unless certain exceptions apply. The most obvious exception is when personal data is collected for the purpose of offering goods or services to people in the EEA, or monitoring the behaviour of data subjects in the EEA (i.e. tracking people on the internet).

There is also an exception for transfers where the purpose of the collection is to comply with a lawful request from a public authority, or to serve national security or law enforcement purposes. However, this exception is triggered only where the collection of the personal data is expressly authorised by law.

Aside from these exceptions, the PDPO’s requirements in relation to data transfers are relatively clear. For example, the PDPO requires that data users who transfer personal data overseas must ensure that the recipient takes adequate security measures to protect the personal data and complies with applicable laws of the country where the data is stored. In addition, the PDPO requires that data users take reasonable steps to ensure that the personal data they transfer is not used for any unauthorised purpose.

The Privacy Commissioner for Personal Data (PCPD) has also published recommended model clauses that can be included in contracts dealing with cross-border transfers of personal data. The model clauses cater for two scenarios, namely: (i) a transfer from a data user in Hong Kong to its data processor in another location; and (ii) a transfer between two entities both of which are in different locations but controlled by a data user in Hong Kong.

These recommendations suggest that data transfer regulations under the PDPO are quite simple to understand, but there is a risk that this simplicity is misunderstood or taken too literally. For instance, it is unusual – and perhaps misconceived – that the PCPD’s model clauses require a data importer to undertake an “adequacy impact assessment” of the destination jurisdiction’s data protection regime.

Looking to the future, it seems likely that some change will be needed in respect of section 33, driven by the need for efficient and reliable means of transferring data between Hong Kong and mainland China under the one country, two systems principle. Similarly, the growth of the digital economy in mainland China and internationally will increase the volume of data transfer between Hong Kong and other markets. In both cases, this will drive the need for a robust and efficient legal basis for data transfer.