Issues in Relation to Cross-Border Data Transfers From Hong Kong

Padraig Walsh, a data privacy partner at Tanner De Witt, discusses the issues in relation to cross-border data transfers from Hong Kong.

The legal basis for the transfer of personal data from Hong Kong is the Personal Data Protection Ordinance (“PDPO”). The PDPO establishes the rights of data subjects and their specific obligations to data controllers through six data protection principles. It was enacted in 1996 and significantly amended in 2012 and 2021.

It is important to determine whether the PDPO applies to a particular transaction. This will require a thorough assessment of the facts and circumstances surrounding the data transfer and the nature of the personal data involved. This includes a consideration of the purpose for which the personal data is collected, the purposes for which it may be used and the classes of persons to whom it will be transferred.

If the PDPO does apply, then it will be necessary to inform the data subject that the personal data in question will be transferred outside of Hong Kong. It will also be essential to identify any supplementary measures that will bring the level of protection in the foreign jurisdiction up to that in Hong Kong. This may include technical measures, such as encryption, anonymisation or pseudonymisation, and/or contractual measures, such as additional contractual terms and binding codes of practice.

Another consideration when assessing the PDPO is the intention of the person transferring the data. If the intent is simply to obtain the personal data for marketing purposes, then the Personal Information Collection Statement (“PICS”) obligation will not arise and issues relating to the transfer of the data will not be relevant. However, if the intent is to use the personal data for another purpose, then the Privacy Commissioner for Personal Data (“PCPD”) will require that the consent of the data subject be expressly given.

It is important to note that once a person has agreed to the transfer of their personal data, they cannot withdraw their consent. This is true even if the original data user later decides that it is no longer appropriate to fulfil the purposes for which the personal data was originally collected or for any other reasons. This is a fundamental principle of data privacy and should be adhered to by all parties in any data transfer. This is especially the case where the data is to be transferred to a different entity. It is therefore vital that all relevant stakeholders are aware of this issue and take steps to ensure that their contractual arrangements comply with the PDPO. This will help to reduce data transfer risks and ensure that businesses are able to operate effectively across borders.