If you are considering transferring personal data from Hong Kong to another jurisdiction, or if your company already conducts such transfers, it is important to understand your rights and obligations. The furore over the sale of Octopus Rewards member data prompted renewed focus on section 33 of Hong Kong’s Personal Data (Privacy) Ordinance (PDPO). Section 33 prohibits the transfer of personal data to a place outside Hong Kong unless one of the conditions it sets out is satisfied. The Office of the Privacy Commissioner for Personal Data (PCPD) has published recommended model contractual clauses that provide guidance on meeting these requirements.
The first thing to consider is whether a data transfer, in the sense the PDPO regulates, actually takes place. The PDPO defines a data user as a person who, alone or jointly with others, controls the collection, holding, processing or use of personal data, and that definition is a broad one. It is distinct from the data subject, the individual to whom the data relates, and from a data processor, a person who processes personal data on behalf of a data user under a contract or arrangement rather than for its own purposes. The data user remains responsible under the PDPO for the processing that a data processor carries out on its behalf, including any transfer of the data outside Hong Kong.
There can be overlap between these roles in practice, but the point is that if you are not a data user, the obligations attaching to data transfers do not fall on you. A key part of the PDPO framework is that a data user must inform the data subject, on or before collecting their personal data, of the purposes for which the data will be used. This includes a clear statement of the classes of persons to whom the data may be transferred, so a cross-border transfer to a recipient outside those classes is itself a problem regardless of where the recipient is located.
Moreover, a data user must ensure that data transferred out of Hong Kong will continue to receive a level of protection comparable to that provided by the PDPO. In practice this is achieved through contractual safeguards that bind the recipient to protect the data against unauthorised access, processing, erasure or loss, both during the transfer and afterwards. Before transferring the data, the data exporter should adopt appropriate technical and organisational measures, including an impact assessment of the proposed transfer, to confirm that the recipient jurisdiction and the recipient itself can deliver that level of protection.
Where that assessment shows the protection would otherwise be insufficient, the data exporter must adopt contractual provisions that limit or prevent any use of the personal data by the data importer that would be inconsistent with the PDPO. This places the burden squarely on the exporter, a feature not found in many other international data transfer regimes.
Finally, the data exporter must continue to comply with the data protection principles that apply to personal data generally. This includes the obligation under DPP 4 to take all practicable steps to protect the personal data being transferred against unauthorised or accidental access, processing, erasure, loss or use, and, in the event of a breach, to notify affected data subjects where appropriate, which the PCPD recommends although the PDPO does not currently mandate it.