Given the increased cross-boundary data flow between Hong Kong and mainland China under the Greater Bay Area (GBA) initiative, it is crucial that compliance arrangements on personal data transfer between locations be clearly understood in order to minimise business risks. Padraig Walsh from Tanner De Witt’s Data Privacy practice group explores various considerations when it comes to moving personal information between locations.
Before engaging in personal data transfers, it is crucial to keep in mind that the PDPO defines “personal data” as information that pertains to an identifiable individual and that any transfer must adhere to its principles. This includes explicitly informing data subjects upon collection that their personal information will be used and whether any unauthorized transfer may take place as well as who the data will be shared with.
Another crucial consideration when using data is whether their activities fall under the jurisdictional scope of PDPO. While other international data privacy regimes often include some extra-territorial application, this isn’t applicable under PDPO; data users only need to comply if their operations involve all or any part of Hong Kong operations.
Where a transfer impact assessment reveals that the level of protection offered by a foreign jurisdiction does not meet the standards outlined by the PDPO, a Hong Kong data exporter must either suspend the transfer or put in place appropriate supplementary measures – these might include technical tools like encryption or pseudonymisation as well as contractual arrangements requiring audit, inspection and reporting, beach notification as well as compliance support and co-operation.
Data exporters should ensure that any additional measures they adopt are legally enforceable in their destination country and enforceable against data importers – this may involve entering into separate data sharing agreements or contractual provisions with data importers.
Data exporters must document and maintain a database to record each supplementary measure they take, accessible both to themselves and, upon request, data subjects.
Although Hong Kong’s position on section 33 may appear counter to international trends, its purpose has undoubtedly been driven by businesses’ needs for an efficient means of exchanging personal data between Hong Kong and mainland China or other locations worldwide to promote innovation hub status in Hong Kong. With increasing cross-boundary data flows likely increasing this need in coming years – we look forward to working together with global business partners in realizing this goal in future years.