In the context of increased cross-border data flow, it is important to understand the existing protections and the potential for change. There are a number of ways in which businesses can comply with their obligations, and also meet best practice and ethical standards when it comes to data governance.
In Hong Kong, the most obvious protection in respect of transferring personal data abroad is section 33 of the PDPO. This imposes a duty on data users to obtain the voluntary and express consent of data subjects before transferring their personal information outside Hong Kong. This is a requirement that is often incorporated into contractual arrangements between data exporters and data importers. The form of these agreements can vary, but the underlying purpose remains the same: to ensure that the data transfer will be lawful and enforceable in the destination jurisdiction.
However, it is important to note that not all data transfers are subject to this obligation. For example, if the data being transferred does not relate to an identifiable person, then it is unlikely that this will be covered by section 33 of the PDPO. This is because the definition of “personal data” in PDPO only applies to personal information which is about an identified or identifiable natural person, and does not extend to unidentified or anonymous information.
As a result, it is quite possible that a business could transfer its data without meeting the requirements of section 33. It is therefore important to carefully consider the purpose for which personal information is being collected, and also whether this data will be transferred abroad at any point in time. It is also essential to review the personal information collection statement and determine whether it contains all of the necessary elements required by PDPO.
For those who will be transferring personal data abroad, it is becoming increasingly common for the data exporter to undertake a transfer impact assessment of the destination jurisdiction. This will involve a thorough examination of the laws and regulations of the destination jurisdiction to establish their level of protection, as well as an evaluation of any safeguards which may be in place to protect the personal data of data subjects.
It is worth noting that this process can be cumbersome and time-consuming, and it may also require a degree of cooperation from the destination jurisdiction. However, if a business is required to undertake this process, it should be viewed as a valuable tool to help ensure that data transfers are conducted in accordance with the relevant data protection laws.
The repositioning of section 33 of the PDPO has been driven by a combination of factors, including the perceived adverse impact on business operations and difficulties in achieving compliance. While there are some concerns that the Government has moved away from a firm commitment to implementation, it is important for businesses to remain aware of the obligations which exist and to strive to ensure that they fulfil these obligations to the highest standard.