Data hk is a new initiative of the Hong Kong Privacy Commissioner to facilitate discussion of, and foster understanding about, data protection issues. In particular, it aims to raise awareness of cross-border transfers of personal data and to promote good practice in this area.
Cross-border data transfers are a complex topic, and the issues they raise can be both technical and legal. Nonetheless, the law and good practice provide for robust protections to be put in place to safeguard personal data and to protect people’s rights in this regard.
In the context of the Personal Data (Privacy) Ordinance (PDPO), a person is considered to be a data user if he, alone or jointly or in common with other persons, controls the collection, holding or processing of personal data. This is a broad definition and is intended to cover both individuals and businesses.
Once a person becomes a data user, he must fulfil a range of significant and onerous statutory obligations. These are set out in the six Data Protection Principles (DPPs) that form the core data obligations under Hong Kong privacy law. They include DPP1 (Purpose and collection of personal data) and DPP3 (Use of personal data). The Personal Information Collection Statement (PICS) requires the data user to inform data subjects of the classes of persons to whom he will transfer their personal data, and of the purposes for which that data is collected and used. The data user must obtain the voluntary and express consent of each data subject before transferring their personal data to that class of persons and for those purposes.
The PDPO also contains DPP4 (Data security) and DPP5 (Rights of data subjects). DPP4 includes the obligation to have appropriate arrangements in place to prevent unauthorised access to, and accidental or unlawful destruction, loss or modification of, personal data, and to ensure that any personal data transferred is kept only for as long as is necessary for the purpose for which it was collected. It also includes the obligation to have arrangements in place with data processors, both within and outside Hong Kong, to prevent them from processing the personal data they receive from the transferring data user for any other purpose without his permission (DPP2).
Section 33 of the PDPO prohibits a person from transferring personal data abroad unless certain conditions are fulfilled. Those conditions include that the personal data is transferred only for specified purposes and that it must not be used in a way that would be prohibited under the PDPO. Exceptions to the use limitations and access requirements are provided for in the PDPO, including the need for businesses to conduct due diligence exercises, and for news activities and life-threatening emergency situations.
If a data exporter’s assessment concludes that the foreign jurisdiction’s legislation or practices do not comply with the PDPO, the data exporter must either implement adequate supplementary measures or suspend the transfer. This can be done through negotiations with the data importer or by putting in place additional contractual provisions.