In the era of increased cross-border data flow, ensuring compliance with section 33 has become more important than ever. As a result, some of the PDPO’s most significant and onerous obligations are those that relate to the transfer of personal data abroad. These can be fulfilled in a variety of ways. The PCPD has published guidance to assist data users in complying with these requirements. This includes recommended model clauses that can be inserted into contracts dealing with data transfers. The PCPD also provides assistance to businesses in conducting transfer impact assessments. This is a necessary step when the assessment reveals that a foreign jurisdiction’s legislation or practices do not meet the standards required under the PDPO.
In addition, the PDPO requires that a data user expressly inform a data subject on or before the collection of their personal information of the purposes for which it will be used and the classes of persons to whom the personal information may be transferred. This obligation must be met regardless of whether the purpose is to use the data for the original purpose or a new purpose. The PCPD has provided that such notification may be made in any form, including by email or post.
A further requirement is that a data user must agree to a standard contractual clause when it receives personal data of an EEA data subject from a data exporter in the EEA. This requirement can be imposed either by direct application of the PDPO or by the application of a data importer’s own lawful basis for processing. The model clause has been designed to be easy for small and medium-sized enterprises to use, while providing adequate protection.
In addition, the PDPO requires that the data exporter identify and adopt any supplementary measures necessary to bring the level of protection in the data importer’s jurisdiction up to Hong Kong standards. These can include technical measures such as encryption or pseudonymisation, and contractual arrangements relating to audit, inspection and reporting, breach notification, and compliance support and co-operation. The PDPO also makes clear that data exporters should consider notifying data subjects of the fact that their personal information will be transferred abroad and of the underlying reasons, as well as keeping records of efforts made to fulfil the obligations of section 33. This record-keeping can help data exporters demonstrate compliance if they are challenged by the PCPD. This is particularly important in light of the recent global privacy scandals. The PCPD has recently announced that it will review the current state of global regulatory frameworks on cross-border data transfer and communicate with data exporters and the Government about appropriate and timely measures to ensure that Hong Kong remains a competitive location for the international processing of personal information. This will include considering the need for further legislative reform to enhance Hong Kong’s compliance regime, including the need for an adequacy or equivalent regime for the free flow of data.