Padraig Walsh from Tanner De Witt
The global business environment is increasingly interconnected. As a result, cross-border transfers of personal data are common and it is essential that businesses understand the impact of regulation imposed on such transfers. In this article, Padraig Walsh, head of the Hong Kong data privacy team at Tanner De Witt, provides an overview of key points to consider for such transfers in the context of Hong Kong.
There is no statutory restriction in the PDPO on the transfer of personal data outside Hong Kong. However, there are a number of obligations that should be considered by any Hong Kong business involved in such transfers. These include the obligation to identify and adopt supplementary measures where the assessment reveals that the level of protection afforded by the foreign jurisdiction does not meet the standards in the PDPO. This might involve technical measures such as encryption, pseudonymisation or split processing; or contractual measures such as audit and inspection obligations, beach notification, compliance support and co-operation obligations.
In addition, there are requirements to notify the PDPO of any such transfers and of the underlying grounds (DPP 1(3)). There is also an obligation to ensure that a transfer takes place in accordance with the PDPO’s data processing principles (DPP 2). It is important to bear in mind that the PDPO does not provide for extra-territorial application of its provisions – unlike several other data privacy regimes which contain some element of such extension. Consequently, the only way that the PDPO’s transfer restrictions might be applied in practice is through its contractual arrangements with data importers.
As mentioned, there are a growing number of circumstances in which it will be necessary for any Hong Kong business that is involved in the transfer of personal data outside of Hong Kong to carry out a transfer impact assessment (DPP 8(2)). Such an assessment might be required in connection with a data export to an EEA country or a contractual arrangement with a data importer from an EEA country. Similarly, such an assessment might be required in connection with any transfers to non-EEA countries.
Whether or not section 33 of the PDPO will be implemented in practice remains to be seen. However, there are a number of reasons why such implementation might be difficult. One reason is that the current interpretation of ‘personal data’ in the PDPO is broadly similar to the definition in other legislative regimes such as the GDPR and PIPL and, accordingly, it may be difficult to distinguish between such data and data that is not personal data. There is also a risk that such a restriction on the transfer of personal data could adversely affect Hong Kong’s reputation as a business hub, and as an investment destination. Such risks will likely have to be weighed up carefully against the need for Hong Kong to maintain its competitive advantage in the global economy. This will have to be a balance that is ultimately left to the market.
