As Hong Kong becomes increasingly integrated into the global economy, cross-border data transfer is becoming a necessity for businesses. However, transferring personal data to locations outside of Hong Kong can bring with it significant regulatory and business risk. In this article, Padraig Walsh from the Data Privacy practice group of Tanner De Witt looks at key points to consider when arranging data transfers.
A key consideration when preparing for a data transfer is conducting a transfer impact assessment. This is an essential step in a process that allows companies to assess the legal environments and laws of both the exporting and receiving jurisdictions. It is also a key part of any compliance programme for the transfer of personal data abroad.
Although a transfer impact assessment is not required by Hong Kong law, it is highly recommended and can help reduce business risks in the event of a data breach or other regulatory action. It can be conducted by an independent party or the company itself, and should cover all potential impacts arising from the proposed transfer. It should include an examination of the laws and practices of the exporting and receiving jurisdictions, as well as consideration of the impact on national security and other policy issues.
Another key consideration is identifying and adopting supplementary measures. These can be technical or contractual, and are intended to bring the level of protection of transferred personal data up to the standards that would be available under Hong Kong law. They can include techniques such as encryption or pseudonymisation, or split or multi-party processing. They can also include additional contractual provisions relating to audit, inspection and reporting, breach notification, and compliance support and co-operation.
If a data transfer impact assessment indicates that the level of protection provided by the laws and practices of the receiving jurisdiction does not meet Hong Kong’s requirements, then the data exporter should either suspend the transfer or implement appropriate supplementary measures. This is only necessary if the data exporter can demonstrate that the proposed supplementary measures are likely to be effective and are proportionate to the harm caused by the transfer.
Another issue that should be considered is whether or not the data being transferred qualifies as personal data. This is a complex question, and will depend on the purposes for which the data was originally collected and the classes of people to whom the information will be provided. In particular, a data user must expressly inform a data subject on or before the collection of their personal data of the purpose for which the personal data will be used, and that this purpose includes a transfer to a third party. Failure to do so will mean that the data user may not have a valid legal basis for the transfer of their personal data. In this case, the data transfer may not be authorised and will be a breach of the PDPO.