The rapid growth of business operations in mainland China under the “one country, two systems” principle is a source of significant demand for efficient and reliable legal bases for data transfer between Hong Kong and the mainland. However, there are many factors which can influence the effectiveness of these legal bases. It is therefore essential to understand how personal data privacy regulation relates to cross-border data transfers to reduce business risk and promote efficient compliance. This article by Padraig Walsh from the Data Privacy practice group at Tanner De Witt takes a look at some of the key points to consider.
A person acquiring personal data (a ‘data user’) triggers a range of substantial and onerous obligations under the PDPO, including compliance with the six core data protection principles (“DPPs”). These obligations continue to apply to the data user even after it has transferred the personal data to a foreign destination. Consequently, the data user should ensure that it has contracts in place with data importers, and processing arrangements with data processors, which are compliant with the PDPO, and should take steps to ensure that these arrangements comply with the PDPO’s requirements for cross-border data transfer. These arrangements can be set out in separate contracts or schedules to the main commercial agreement, or as contractual provisions within the main commercial arrangement.
As part of the PDPO, the PCPD has published recommendations for model clauses to be included in agreements relating to data transfer. The recommended model clauses are intended to cater for two scenarios: a data user transferring personal data to its data importer and a data user transferring personal data to another entity, both of which are located outside Hong Kong, or a transfer between two entities located in different jurisdictions where the transfer is controlled by the Hong Kong data user.
The PCPD’s model clauses will likely be used by EEA data exporters who are relying on the adequacy/equivalence regime under GDPR for cross-border data transfers. As well as agreeing to the standard contractual clauses, a data importer will typically be required to contribute to a transfer impact assessment carried out by the EEA data exporter.
The adequacy/equivalence approach for cross-border data transfers is not without its critics, and the emergence of alternatives is one potential reason for the current lull in the PCPD’s focus on section 33. However, it looks increasingly possible that the need for efficient and reliable legal bases for data transfer will drive a revival of the PCPD’s efforts to implement this provision. We will see.