As data becomes a more integral component of business operations, businesses must ensure they understand its implications and the implications of cross-border data transfer. This is particularly relevant to global organizations operating under various laws and compliance measures; thus, this article offers an overview of data transfer regulation in Hong Kong as well as some key points to consider when sending personal data across borders.
Hong Kong’s Personal Data Protection Ordinance does not impose statutory restrictions on the transfer of personal data outside Hong Kong; however, the regulations set out several significant and onerous requirements related to such transfers. This article explores these obligations and how they can be implemented.
At its core lies the definition of personal data, which refers to information that identifies or can be linked back to an identifiable individual. This definition generally conforms with legal regimes like mainland China’s Personal Information Protection Law and Europe’s General Data Protection Regulation. Unfortunately, Hong Kong law does not include a category of sensitive data, that is, information which would cause significant adverse impacts if transferred outside Hong Kong, and which may have an even more restrictive meaning.
In addition to general data protection principles, the PDPO includes provisions on sharing and processing personal data. These aim to ensure that data users meet both the PDPO requirements and any other relevant laws when collecting, sharing or processing this data. The requirements include obtaining consent from data subjects before collecting their information, using the Personal Information Collection Statement (PICS) when transferring it, and informing data subjects of all categories of persons who may receive their data.
The PCPD has provided several model contractual clauses designed to help meet these obligations. They can be found on its website and are easily tailored to fit the overall commercial arrangement in question. They may take the form of separate agreements, schedules to a main commercial agreement, or contractual provisions within it; their form does not matter, but their substance and content do.
Though a review of the PDPO is being proposed, businesses should remain cognisant of its current framework and the implications of any potential changes. If the definition of personal data changes significantly, more companies could become subject to data-related laws, increasing regulatory risk and necessitating more comprehensive compliance measures. This applies particularly to companies using technologies which examine an individual’s behavior or process information which impacts upon them, as such uses may fall within its purview.