Data HK – Managing Personal Data Transfers Between Jurisdictions

Data hk is a Hong Kong-based website that monitors developments in data protection, privacy and related issues. It is also a resource for businesses that want to better understand how Hong Kong law applies to their activities and what steps they might need to take to ensure compliance with Hong Kong’s laws.

Hong Kong is a significant hub of international business and there are many different scenarios that can involve the transfer of personal data between jurisdictions. As a result, there are a number of statutory obligations that need to be taken into account when undertaking such transfers. One of these is section 33 of the Personal Data Protection Ordinance (“PDPO”).

This provision prohibits the transfer of personal data outside of Hong Kong unless certain conditions are fulfilled. In particular, a Hong Kong data user must undertake a transfer impact assessment before the transfer can take place.

A transfer impact assessment is an analysis of the level of protection that would be afforded to the personal data in the destination jurisdiction. This is typically undertaken by the data exporter, but there are a growing number of circumstances where a data importer will need to conduct a transfer impact assessment in respect of personal data that they control.

It is a good practice for a data exporter to adopt the principles of transparency and notify data subjects of any transfer impact assessments that are made. In addition, it is usually a requirement that data exporters include recommended model clauses in their contractual arrangements with the data importer to govern the transfer of personal data between jurisdictions. These can be in the form of separate contracts, schedules to larger commercial agreements or contractual provisions within main commercial agreements.

There is much talk in the media and in the legal profession about the need for a modernisation of data protection laws in Hong Kong. It is certainly a matter that should be addressed, but until such time as changes are introduced, there will be ongoing requirements for businesses to be aware of and meet.

For example, the combined information on a staff card (e.g. name, HKID number, company and photo) may constitute “personal data” under the PDPO. This is not an infrequent occurrence, and it is important for such information to be protected, stored securely and used only for the purposes for which it was collected.

For instance, it is not appropriate for staff names to be publicly displayed together or for them to be made available to anyone other than those who need it in connection with the work they are carrying out. This is a simple, yet effective, way to ensure compliance with the PDPO and to limit the risk of breaches of the law (known as doxing). Such measures are also relevant for other personal data such as social security numbers and payment records. They can provide useful indicators of whether or not the PDPO’s six data protection principles are being applied correctly in the workplace.