Data Protection Principles in Hong Kong

Many businesses are aware of the significant and onerous obligations that apply to their cross-border data transfers. Extensive guidance is also available on how to fulfil those obligations. The guidance can be found in the form of standalone agreements, schedules to a main commercial agreement or contractual provisions within that main commercial arrangement. In any event, what matters is that there are arrangements in place and that those arrangements reflect the core privacy principles that Hong Kong’s data protection laws impose on personal data.

A key point to remember is that a data transfer is a form of data use and that, for most purposes, data users must comply with the six core data obligations set out in the PDPO. These include, for example, the obligation to provide a data subject with a personal information collection statement (PICS) on or before the collection of his personal data and the requirement to obtain the voluntary and express consent of a data subject to the transfer of his personal data to classes of persons other than those specified in the PICS or to use the personal data for a purpose not identified in the original PICS.

In addition, a data user must ensure that there is no unauthorised access to the personal data transferred and that such personal data is not retained indefinitely (DPP 2 and DPP 3). Finally, a data user must adopt security measures to protect the personal data that he transfers from unauthorised destruction, loss or alteration or from unauthorised modification, processing or disclosure (DPP 5) or must enter into agreements with third parties to do so (DPP 6).

There is a growing number of circumstances in which it may be necessary for a business that is a Hong Kong data importer to contribute to a transfer impact assessment undertaken by an EU data exporter. This is most likely to apply in respect of data exports from the European Economic Area (“EEA”) to Hong Kong. In those situations, the EEA data exporter will propose standard contractual clauses for the protection of personal data transferred to the importing business. The importing business will then need to consider whether to agree to the standard contractual clauses and, if so, how those clauses will be incorporated into the contractual arrangements.

The data hk website includes useful guidance in this regard. Whilst this guidance provides a good starting point, data privacy regulation for transfers of personal data across borders varies considerably, and the precise legal position in any particular situation can only be determined by reference to the law in force at the time of any transfer. For that reason, it is crucial that businesses take expert advice in respect of their specific circumstances. Tanner De Witt can assist. Padraig Walsh is a member of the Data Privacy practice group and leads the firm’s international data transfer work.