Data HK – Transfers of Personal Data Outside of Hong Kong

Data hk provides access to Hong Kong public data in a centralised portal. It gathers over a million sets of information in line graphs, cross sectional plots, maps and other forms, and is updated frequently to reflect new data releases. This enables users to gain insights into real-life issues in Hong Kong, and address problems more easily by using data analytics and other tools.

A person who acquires personal data is a “data user”, and in Hong Kong, this triggers obligations to fulfil a range of statutory requirements under the PDPO (“PDPO”). This includes complying with the six DPPs that form core data obligations.

Amongst these is the requirement to disclose certain information to data subjects about the collection of their personal data before it is collected. This is commonly referred to as the PICS obligation, and it is an essential part of fulfiling a data user’s data protection duties. When it comes to transferring data outside of Hong Kong, this obligation does not typically extend to the transfer of personal data that has already been collected.

However, it is increasingly common for data users to conduct a transfer impact assessment (“TIA”) when considering a transfer of personal data that has already been collected. The TIA requires a data user to identify the level of protection offered by the law and practice in the destination jurisdiction, and consider whether the prevailing laws and practices are adequate to protect personal data in accordance with the six DPPs in the PDPO.

In addition to a TIA, a data exporter might also need to take steps to adopt or implement “supplementary measures” in order to ensure that the levels of protection afforded by the foreign law and practice meet those required under the PDPO. This might involve technical measures such as encryption or pseudonymisation, or contractual arrangements with data importers that include provisions relating to audit, inspection and reporting, beach notification, and compliance support and co-operation.

Although there is no statutory restriction on data transfers outside of Hong Kong, and it looks unlikely that section 33 will ever come into force, there is nevertheless considerable scope for businesses to be required to carry out transfer impact assessments or to agree to the standard contractual clauses. Consequently, the use of contracts to protect personal data in cross-border transfers is an important consideration for any business with global operations. Padraig Walsh, head of the data privacy group at Tanner De Witt, explains the points to consider for business planning in this context.