Hong Kong, as an international financial centre, promotes cross-border trade and business. Therefore, data transfers are an integral component of doing business both in Hong Kong and across borders; Tanner De Witt’s Data Privacy Practice Group uses regulation on this form of data transfer as one means of overseeing this activity and is an area of key interest for Tanner De Witt.
No matter the nature or purpose of the data being transferred – from personal to technical/operational data transfer regulations – every aspect must be treated with due care to ensure compliance. Padraig Walsh from our Data Privacy practice group explores some key considerations when handling personal data transfers between Hong Kong and overseas locations.
At its inception, Hong Kong’s Personal Data Protection Ordinance (PDPO) placed great emphasis on protecting personal information by restricting its transfer outside its origin jurisdiction. Indeed, section 33 was specifically written to prevent outbound transfers unless certain requirements were fulfilled – an approach followed by other jurisdictions pioneering modern data privacy legislation.
Since 2004, the definition of personal data in the PDPO has not been modified despite updates in other legislation (such as mainland China’s PIPL or Europe’s GDPR). According to this legislation, “personal data” refers to information pertaining to an identified or identifiable person and includes activities such as taking photographs at concerts, recording CCTV footage in public places, logging attendance of speakers/participants at meetings and creating lists of car park users.
General, data users should inform data subjects prior to collecting their personal information of its purpose and possible recipients; any subsequent modifications in use require prior consent from data subjects.
Hong Kong data exporters face onerous obligations when sending personal data abroad, and there is extensive guidance on how to meet them. Typically, these obligations will be stated either separately in agreements or contractual provisions of main commercial arrangements – the format doesn’t matter as much; what matters is how these obligations are implemented. A data exporter should seek advice before agreeing to standard contractual clauses proposed by EEA data exporters under GDPR that might be enforceable in Hong Kong.