Cross-Border Transfers of Personal Data

Hong Kong’s Personal Data (Privacy) Ordinance (PDPO) regulates the collection, storage, processing and use of personal data by public and private sector data users in Hong Kong. The Office of the Privacy Commissioner for Personal Data – known simply as ‘the Privacy Commissioner’ – administers, monitors and enforces both the PDPO as well as its six data protection principles including any cross-border transfers of personal data.

Section 33 of the PDPO prohibits the transfer of personal data outside Hong Kong unless certain conditions are fulfilled, including informing data subjects before collecting personal data of its intended use and who it could be shared with; legal basis and purposes for which transfer may occur and any restrictions that exist for that transfer.

Still, companies have many ways of sending personal data abroad without formal permission under the PDPO, leaving some companies uncertain as to whether their moves are compliant. Padraig Walsh from Tanner De Witt’s Data Privacy practice group explores key points to keep in mind in this instance.

Reminding ourselves that personal data as defined by PDPO is broad. It covers any information pertaining to an identifiable natural person. This may include name, ID number, location data or an online identifier as well as aspects specific to physical, physiological, genetic, mental, economic cultural and social identity of that individual.

The Privacy Commissioner has released two sets of recommended model contractual clauses designed to meet different scenarios; one set for data transfers between Hong Kong entities and those located outside but where data processing cycles take place within Hong Kong. Both sets aim to ensure data users abide by statutory requirements under PDPO/DPPs/section 33 when dealing with data users.

Although Hong Kong law does not stipulate restrictions for transfer outside Hong Kong, certain other jurisdictions provide for similar limitations – including laws in Europe that require consent of data subjects before providing personal data to third parties and require adequate protection of that data.

As Hong Kong progresses towards full implementation of the “one country, two systems” principle with mainland China under new leadership, demand will likely increase for efficient and reliable means of exchanging personal data between Hong Kong and mainland China. It remains to be seen what form this change takes; at this stage however, no updates to PDPO’s Section 33 seem likely and explicit consent from data subjects remains required prior to transfer out of Hong Kong.