Data hk is the website of the Hong Kong Privacy Commissioner for Personal Data (PCPD). It contains helpful guidance, including the PCPD’s recommended model contractual clauses for the transfer of personal data from a data user to a data processor and between two entities both controlled by a data user.
The PCPD’s model contractual clauses set out obligations on both the transferring entity and the data processor to ensure that the transferred personal data is not used, in any way other than those agreed with the data subject, for purposes that are incompatible with the original purpose of collection and that the transferred personal data is retained only for so long as is necessary for those purposes. This is a sensible and well-crafted provision that will help data transfers to comply with the requirements of the PDPO.
The PDPO requires the transferring entity to expressly inform a data subject, on or before the collection of his personal data, of the purposes for which the personal data will be used and the classes of persons to whom the personal data may be transferred. As a matter of principle, this must be done before the transfer of the personal data. However, the PDPO allows an exception where it is not feasible for the transferring entity to notify every data subject individually.
In this situation, the transferring entity is required to prepare and implement adequate supplementary measures in order to bring the level of protection of the personal data up to Hong Kong standards. The supplementary measures should take account of the nature of the personal data being transferred and any relevant factors in the destination jurisdiction, such as laws, practices, policies, and oversight mechanisms.
Unless a supplemental assessment is undertaken, the transferring entity must agree to the standard contractual clauses proposed by the EEA data exporter and, in the case of an EEA-to-Hong Kong transfer, must contribute to the conduct of a transfer impact assessment in connection with that transfer. This is a significant and burdensome requirement for a business.
Whether it is a data transfer from Mainland China to Hong Kong, or a transfer from Hong Kong to other locations around the world, the need for efficient compliance with data transfer regulation is growing. This is particularly so given the deep integration of Hong Kong with mainland China under the “one country, two systems” arrangement. In this context, it will be interesting to see how Hong Kong’s position in relation to adequacy and equivalent regimes evolves over time. Padraig Walsh is a Partner in the Data Privacy practice group of Tanner De Witt in Hong Kong. He has extensive experience in dealing with cross-border personal data transfers. He regularly advises clients on data protection issues and the use of appropriate legal safeguards for the transfer of personal data overseas. He also leads the firm’s Hong Kong-China practice. His areas of specialisation include cross-border data transfers and e-commerce law. He is a Fellow of the Chartered Institute of Privacy Practitioners.