PDPO Requirements for Data Transfers to and From Hong Kong

If you are a business that is planning to transfer personal data overseas, you must take care to comply with the requirements of the PDPO. In particular, it is important to consider the impact of the laws and practices in the destination jurisdiction. This article, by Padraig Walsh of Tanner De Witt’s Data Privacy practice group, highlights some of the key issues to consider.

The PDPO defines ‘personal data’ as information about an identifiable natural person, including information that can be used to identify such a person. This includes information such as name, identification number, location data, online identifiers and factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. This definition is broad, and it means that data hk transfers may be subject to PDPO requirements even if they are not expressly listed in the PICS.

However, it is also true that the PDPO provides a number of exemptions from its application. One of these is the requirement to carry out a transfer impact assessment (DPP 2(2)). A favourable transfer impact assessment can make the transfer permissible, even where it would otherwise not be. Another exemption is the obligation to adopt contractual or other measures to prevent the personal data transferred to a data processor within or outside Hong Kong from being kept longer than necessary for processing of the data, or to protect such data against unauthorised or accidental access, processing, erasure, loss or use (DPP 4(2)).

Finally, the PDPO contains a provision that a data user must expressly inform the data subject on or before the collection of their personal data of the purposes for which it will be used and the classes of persons to whom the data may be transferred (DPP 1(3)). It follows that the data user must have obtained the voluntary and express consent of the data subject prior to transferring their personal data to a third party in a class not set out in their PICS or for using their personal data for a purpose not stated in their PICS.

These provisions are in line with international trends. It is nevertheless surprising that the PCPD has shifted from advocating the implementation of section 33 as a clear policy objective to, at present, being somewhat indifferent about whether it should be implemented at all. This is a curious position, given that increased cross-border data flow is considered to be the lifeblood of Hong Kong’s economy, and that imposing a formal adequacy regime would likely make Hong Kong less attractive as a place to do business.

As such, it seems increasingly possible that section 33 will never be implemented, and that, instead, the PCPD will continue to promote the use of recommended model clauses as a method of complying with the PDPO’s requirements in respect of data transfers. It remains to be seen how this approach will play out. In the short term, it is unlikely to be a competitive disadvantage for Hong Kong. In the long term, however, the need to facilitate efficient and reliable means of transferring personal data with mainland China and internationally will probably drive change.