In the context of global business, many jurisdictions have adopted policies to address data transfers. These policies have been met with mixed reactions, but most require some form of prior consent for a transfer to take place. In Hong Kong, the Privacy Commissioner for Personal Data (“PCPD”) has a policy objective of ensuring that businesses comply with section 33 of the PDPO, which restricts the transfer of personal data outside the territory. However, resistance to the implementation of this policy from the business community has been significant, due to the perceived adverse impact on the ability to conduct business internationally, difficulties in achieving compliance and the cost of complying with the requirement.
The PCPD has published a series of guidance documents on this matter, with recommended model clauses that can be included in contracts between data users dealing with the transfer of personal data. The recommendations do not have the force of law but are a guide to voluntary compliance. The key points are that a data user must fulfil the obligations of DPP1 (purpose and collection of personal data) and DPP3 (use of personal data) before it can transfer data abroad, and that such transfers must only be for the purposes that were notified to a data subject on or before collecting their data.
A further key point is that a data user must comply with the applicable laws of the jurisdiction of the destination country, including implementing any mandatory data protection regime in that jurisdiction. This is particularly important if the data user is to comply with the standard contractual clauses proposed by EEA data exporters under GDPR, because such clauses require the data importer to submit to the jurisdiction of, and co-operate with, a competent supervisory authority established by that legislation.
The last of the key points is that a data exporter must carry out an impact assessment in respect of the transfer before it can implement any supplementary measures. If the transfer impact assessment produces an adverse result, then the data exporter must suspend the transfer or implement adequate supplementary measures. In other circumstances, the data exporter may be able to proceed without supplementary measures if it can demonstrate that there is no reason to believe that relevant and problematic laws in the destination jurisdiction will be interpreted or applied in a way that would jeopardise the purposes for which the personal data was collected and transferred.