The world is becoming increasingly interconnected, which brings many opportunities for business and society. However, increased cross-border data flow can pose challenges, especially in respect of compliance with local laws. One such challenge is navigating the requirements of Hong Kong’s PDPO on data transfer outside Hong Kong.
Padraig Walsh, a partner at Tanner De Witt’s data privacy practice group, explores the issues around this.
Hong Kong’s approach to governing the transfer of personal data outside the jurisdiction may seem out of step with international trends, but there are good reasons for our position. First, consider the definition of personal data that is enshrined in the PDPO. It is broader than the definition in other regimes, and it includes information that can be used to identify or contact a person, or which can be associated with such an individual. This means that the requirement to obtain the voluntary and express consent of data subjects for changes in use of the personal data collected is applicable even if the data is being transferred outside the jurisdiction of the PDPO.
Second, consider whether the person transferring the personal data is a “data user”. A data user is any person who, alone or jointly or in common with other persons controls the collection, holding, processing or use of personal data. This includes an individual who acts on behalf of another person, such as a data agent. It also applies to entities that are controlled by a data user, such as a parent company or subsidiary. A data user must fulfil a set of statutory obligations including complying with the six DPPs, and those obligations apply to the transfer of personal data.
Third, consider whether the transfer is covered by a PDPO-approved exemption. There are a number of exemptions in the PDPO that relate to specific circumstances, and it is important to understand what these exemptions are before attempting a transfer. For example, the PDPO excludes the transfer of personal data to an overseas territory that does not have laws comparable to those of Hong Kong if the transfer is made for health or financial services purposes. There is a similar exemption in the PDPO for research that does not involve the identification of individuals.
Finally, consider the need for a transfer impact assessment. A transfer impact assessment is a process to review the effects of a transfer on Hong Kong residents and ensure that any transfer does not adversely affect them. The PDPO sets out a six step framework for conducting a transfer impact assessment that has been widely adopted.
