How to Comply With the PDPO for Cross-Border Data Transfers in Hong Kong

Padraig Walsh from Tanner De Witt

With increased cross-border data flow a key element of the business landscape, efficient compliance with the requirements for data transfers is essential. Padraig Walsh, Senior Associate in the Data Privacy practice at Tanner De Witt, looks at some key points to consider.

The starting point is to clarify the definition of ‘data user’. The PDPO defines ‘data user’ as a person who controls the collection, holding, processing or use of personal data. A data user must fulfil a range of statutory obligations (including the six DPPs) when processing personal data, regardless of where in the world it is located. As a result, even if the transferring entity is not a data user under the PDPO, an assessment of the impact on data subjects must still be carried out.

Once this is done, the next step is to identify any possible legal basis for a transfer. This can be a review of the data user’s Personal Information Collection Statement (PICS) to determine whether it has explicitly informed data subjects that transfer may take place and what classes of persons it may be transferred to. Transfer to a class of persons other than those specified in the PICS will require the voluntary and express consent of the data subject.

If a lawful basis is identified, the next step is to conduct a transfer impact assessment. This is similar to the GDPR’s adequacy assessment but is less onerous in Hong Kong. The purpose is to assess the ability of the importing jurisdiction to ensure the protection of personal data in line with Hong Kong standards. Where the outcome of the transfer impact assessment is adverse, the data exporter must suspend the transfer or implement supplementary measures. These might include technical measures such as encryption or pseudonymisation, or contractual provisions such as audit, inspection and reporting, breach notification, and compliance support and co-operation.

The final consideration is whether the data relates to a living individual. This is a key factor given that the PDPO defines personal data as information relating to an identifiable natural person and includes the physical, physiological, genetic, mental, economic, cultural or social identity of that individual. The concept of ‘identifiability’ is broadly interpreted, and there are a number of exemptions from the PDPO’s access and use limitations, including in relation to safeguarding Hong Kong’s security, defence and international relations; crime prevention or detection; taxation assessments; and due diligence exercises.

In light of the above, there is a clear need to understand how data protection in Hong Kong works in practice and what protections are available for cross-border transfers from Hong Kong. There are significant and onerous obligations for data users to comply with when transferring data outside the territory, and extensive guidance exists to help them meet those obligations. Those obligations can be fulfilled through contracts – which might be standalone agreements, schedules to main commercial arrangements or contractual provisions within the overall commercial arrangements – but in the end the form does not matter; the substance does.