Data Hk – PDPO Requirements for Cross-Border Data Transfers

The data hk campaign is an initiative of the Hong Kong Privacy Commissioner for Personal Data to raise awareness about PDPO requirements for cross-border data transfers. Padraig Walsh from Tanner De Witt’s Data Privacy practice group takes us through some key points to bear in mind for ensuring compliance with PDPO data transfer obligations when dealing with personal information that is transferred between jurisdictions, whether the transfer is from Hong Kong to another location or into Hong Kong from other locations.

PDPO obligations for the collection and use of personal data are based on DPP1 (Purpose and collection of personal data) and DPP3 (Use of personal data). For example, an organisation must notify the individual of the purposes for which it is collecting their information and, if necessary, the classes of persons to whom the information will be disclosed, and otherwise use the personal information only as set out in its PICS (Personal Information Collection Statement), in accordance with applicable law. Moreover, unless exempted by law, the organisation must obtain the written consent of the individual before using their personal information for any other purpose.

While the PDPO’s definition of personal data may appear broad compared to other legislative regimes, there are a number of exemptions to its scope. These include the use of personal information for purposes such as safeguarding Hong Kong’s security, defence and international relations, crime prevention or detection, assessment and collection of tax or duty, news activities, due diligence exercises and life-threatening emergency situations. Other exclusions are the identity of a legal entity, a record of a decision made by a public authority and any other information that does not identify a particular person.

A common concern arises where a business is considering exporting personal data to a non-EEA country, and the business may have concerns about how that country’s laws will be applied in practice. In such cases, the PDPO requires that a business must carry out a transfer impact assessment before transferring personal data abroad.

Typically, the assessment will require that the data exporter implement supplementary measures to bring the level of protection in the foreign jurisdiction up to the standard required by the PDPO. Those supplementary measures may include technical measures such as encryption, pseudonymisation and split processing, or contractual measures including audit, inspection and reporting, breach notification, and compliance support and co-operation. Depending on the outcome of the assessment, the data exporter may also be required to agree to new standard contractual clauses for the transfer. This is a growing area of practice for us, with a wide range of businesses having to take part in such assessments. This is likely to be driven by the increased scrutiny of EEA-based legislation and the growing appetite of businesses to transfer data internationally. We will continue to monitor developments in this area.