Data is at the core of modern economies, and Hong Kong’s position as a regional trading and logistics hub creates great demand for secure data centre facilities to meet our pillar industries and other emerging service sectors. But cross-border data flow poses unique challenges; due to new data protection laws emerging across different jurisdictions it has become harder than ever before to transfer personal information cross-border even with good intentions in mind.
Hong Kong businesses will increasingly require conducting a transfer impact assessment due to being subject to laws in other jurisdictions, most frequently when moving personal data between EU member countries and Hong Kong (or vice versa) that regulate operations under local laws.
Transfer impact analyses are not required under PDPO, but PCPD strongly suggests conducting them. The assessment should identify whether the transfer is lawful and what additional steps could be taken to bring protection provided by foreign jurisdiction’s laws or practices up to Hong Kong standards; such measures might include technical or contractual solutions.
Importantly, an essential aspect of assessing transferred data is establishing whether it falls within the definition of personal data in the PDPO. This definition is very broad and hasn’t been updated since 1996 when the law first came into force, when it reflected international norms. It encompasses any information pertaining to an identifiable natural person which includes their name, identification number and location data as well as details related to physical, physiological, genetic, mental, economic cultural and social identity factors that make up their identity.
Once a transfer impact assessment is complete, data exporters must identify and implement any supplementary measures necessary. Usually this involves revisiting information in their PICS to see if any can be classified as personal data and to assess whether any new purposes require consent of data subjects – a considerably easier step in Hong Kong compared with GDPR requirements for full assessment of such purposes.
Data exporters must take steps to comply with any adverse findings in their assessment, or face being instructed to suspend transfer. Sometimes they may even be able to continue without taking additional measures; this depends on several factors including size of data pool being transferred and likelihood that such data contains sensitive personal data.
The PDPO contains two sets of recommended model clauses to facilitate data transfers between data users. One set focuses on transfers from Hong Kong entities to foreign operators while the other addresses intra-Hong Kong data transfer activity. Contracts covering data transfers should incorporate these clauses as addenda or stand-in agreements alongside their primary commercial arrangements.