Whether it is a data transfer to another party or to a third country, it is important for businesses to understand the rules and regulations that apply. Padraig Walsh from Tanner De Witt explains the key points to consider for personal data transfers.
The main data privacy regulatory regime in Hong Kong is the Personal Data Protection Ordinance (“PDPO”), which requires that any entity that uses personal data (or intends to use it) must comply with a number of principles. These include DPP1 (purpose and collection of personal data), DPP2 (use of personal data) and DPP3 (processing of personal data).
Data users must also fulfil their obligations when transferring personal data overseas. This is done by entering into agreements with a data exporter that are designed to bring the level of personal data protection up to the standard required under the PDPO. These can take the form of separate agreements, schedules to a commercial agreement or contractual provisions within a larger commercial arrangement.
The definition of personal data under the PDPO is relatively narrow and may be less restrictive than that of other regulatory regimes such as the Personal Information Protection Law in mainland China or the European Union’s GDPR. The PDPO defines ‘personal data’ as any information relating to an identifiable person. This includes a variety of factors such as an individual’s name; identification numbers; address, location data or online identifiers; and other characteristics that may identify them – for example, their gender, racial or ethnic origin, religious beliefs or political opinions.
As with other jurisdictions, the PDPO prohibits the export of personal data that does not meet its data protection standards. In the event of a breach, the data exporter is liable for that breach. However, the PDPO does provide an exemption for the export of special personal data, including information relating to a child, provided that it is necessary for the performance of a contract or the provision of a service to the data subject, or in the public interest.
One of the things that sets Hong Kong apart from other jurisdictions is its statutory requirements with respect to personal data transfer. The PCPD has published two sets of recommended model contractual clauses. These are intended to help with the fulfilment of a data user’s obligations under the PDPO in relation to cross-border personal data transfers. These can be incorporated into a data user’s arrangements with data exporters as either standalone documents or clauses that are inserted into larger commercial arrangements. These clauses are essentially the same across both scenarios and, therefore, can be adopted easily by business of any size.