Personal data transfers between different locations have become more frequent in today’s globalized business world, so Tanner De Witt’s data privacy team provides this article on key considerations when carrying out this type of transfer.
Under section 33 of the PDPO, data exporters are required to have a lawful basis for sending personal data overseas (or importing it into Hong Kong). This must be stated in their PICS document and must cover their proposed purposes of transfer. Unfortunately, however, proving this can often prove challenging when companies involved with cross-border data transfers must demonstrate how stringently foreign laws justify data transfers from Hong Kong – creating additional difficulties and hurdles to cross.
Second is the definition of personal data. Since PDPO first came into force, its definition has not been updated with current international norms regarding this term and this could reduce any doubt about what constitutes “personal data”, as well as making it easier for individuals to assert when their information has been misused.
At this stage, it is also necessary to take into account whether any supplementary measures must be implemented when an evaluation of data protection standards in a foreign jurisdiction does not match those found in Hong Kong. These may take the form of technical or contractual solutions and are an important way of protecting data subjects’ legal rights when moving their personal data across borders.
Though these issues have received little public discussion, it remains essential for data privacy experts to maintain an effective dialogue with government and regulators regarding cross-border data flows and providing an efficient and secure method of transferring personal data between jurisdictions. This is particularly relevant given rising concerns over impact of cross-border flows as well as needing an efficient mechanism for doing so.
The AMI:HK project illustrates its capacity for such dialogue to take place and we hope that this leads to further progress towards aligning Hong Kong’s definition of personal data with international norms. Given the ongoing discussions around IP addresses as personal data and whether they should be treated as such under what circumstances, our commitment is even stronger to working alongside AMI:HK partners on this critical agenda. Find out more about AMI:HK’s project and make requests by visiting their website. Currently, AMI:HK supports data access requests to eight different mobile phone and internet service providers – using it requires only minimal steps! Once completed, requests can be submitted online, via email or through post. Since launching this initiative in 2016, 1603 requests have been generated – an amazing accomplishment from such a volunteer-run initiative! We would like to extend our thanks and gratitude to everyone who has contributed to its success.