If you have a Hong Kong business that transfers personal data to other jurisdictions, you are likely already aware of the obligations imposed by the Personal Data (Privacy) Ordinance (“PDPO”). Section 33 of the PDPO prohibits the transfer of personal data from Hong Kong to places outside of Hong Kong if the transferred data is subject to laws or practices that are not compliant with the PDPO.
Hong Kong businesses increasingly need to take part in transfer impact assessments, because the laws of other jurisdictions apply to personal data transferred from Hong Kong to those jurisdictions. The PCPD has published guidance on this topic, including recommended model clauses for inclusion in contracts that cover data transfers.
The guidance is intended to help data users identify and implement “adequate supplementary measures” where their assessment concludes that the laws or practices of a destination jurisdiction do not meet the standards set out in the PDPO. The measures may be technical or contractual in nature, and can take the form of separate agreements or schedules to main commercial arrangements. However, the ultimate form of the supplementary measures is less important than their substance and content.
Depending on the result of the assessment, an exporting data user may be required to suspend the personal data transfer or implement adequate supplementary measures. Alternatively, an exporting data user may be able to proceed without the supplementary measures if its assessment confirms that the laws and practices of the destination jurisdiction will not be problematic.
The requirement to undertake a transfer impact assessment is in addition to the other obligations that are placed on data controllers by the PDPO. These include a requirement to maintain a list of the classes of persons to whom data can be transferred (DPP 1), a duty to notify data subjects of the categories of persons to whom the data is being disclosed or transferred (DPP 2) and a duty to obtain the consent of individuals for the use of their personal data for direct marketing purposes (DPP 3).
A company that transfers its employees’ personal data overseas may also need to consider the application of section 33 to such data. Such information could include the employee’s name and HKID number, which are personal data for the purpose of the PDPO. The combination of such information would be considered sensitive personal data, and it is unlikely that such a company would want to make it available to the general public, or disclose it to third parties.
The implementation of section 33 remains uncertain, although the PCPD has signalled that it is receptive to suggestions for making it more workable for businesses. As the volume of cross-border data flows across the Mainland increases under the One Country, Two Systems principle, and the integration between business and social life deepens with it, section 33 is likely to become more relevant for companies in Hong Kong.