Data protection is of great concern for many organisations. From businesses transferring their data internationally to individuals embarking on careers in big data or machine learning, there are a range of regulatory considerations you should be mindful of when transferring it across borders. Padraig Walsh from our Data Privacy team at Tanner De Witt offers some key points about cross-border data transfers.
Key is the question of whether your data constitutes personal information, defined under PDPO as “information relating to an identifiable or identifiable individual”. This could include names, addresses and telephone numbers – though not IP addresses or any other form of online identification.
PDPO mandates both the collection and use of personal data, with one of its requirements requiring data subjects to be informed prior to providing any personal data on or before its collection about its intended uses and classes of persons to whom their data may be transferred. Reworking of PICS is currently underway, with one proposed change including expanding transferee eligibility so as to include any person or entity which could reasonably be expected to process or utilize such personal data similarly as its original user.
As part of its obligations under DPP 5, data users have an obligation to take reasonable steps to ensure personal data is only retained as long as necessary for its original purpose. This may involve taking measures such as deleting it once no longer required (DPP 5). Unfortunately, no minimum or uniform period is specified by PDPO; thus making it hard for data subjects to ascertain exactly when certain information should be deleted by data users without guidance from legislation.
Remind yourself that the PDPO does not impose statutory restrictions on the transfer of personal data outside Hong Kong. However, other safeguards exist for transfers of personal data; among these is the PCPD’s recommendation of model contractual clauses to include in contracts involving personal data transfers. As part of their dedication to good data ethics, Hong Kong data exporters should adhere to principles of data transparency by notifying data subjects of any overseas transfer that could occur and complying efficiently with data transfer requirements. Doing this will reduce business risk while simultaneously improving compliance rates.