Data Hk – How Personal Data May Be Transferred Outside of Hong Kong

Data hk is an index of the openness of Hong Kong’s data infrastructure. The initiative was launched to reveal achievements and identify challenges in the city’s data management. It builds on 19 sets of established open data principles and assessment tools at international and regional levels to introduce best practices to Hong Kong.

In short, a data user may transfer personal data outside of Hong Kong only if it can rely on one or more of the following:

The first is a specific exemption in the PDPO which excludes the collection of sensitive personal information from the definition of personal data (DPP 3). This exemption is intended to allow the free flow of personal financial details which is so important to our economy. The second is the statutory requirement in the PDPO to obtain the voluntary and express consent of the data subject prior to transferring personal data outside Hong Kong (DPP 1(3)). This is designed to avoid the risk that a transfer could be deemed unlawful.

A third is the statutory requirement in the PDPO that any contract entered into between a data user and a foreign data importer contains the required provisions for complying with the PDPO (DPP 6). The prevailing view in Hong Kong is that these requirements are sufficient to ensure that a data transfer does not infringe the PDPO.

However, there are a growing number of situations in which the PDPO requires a data exporter to undertake a transfer impact assessment (DPP 7). This is particularly true for companies that offer goods or services to, or monitor the behaviour of, data subjects in the European Economic Area (EEA) or elsewhere.

There are also a number of situations where a business must undertake a transfer impact assessment because of the laws of another jurisdiction. For example, GDPR requires any company that offers goods or services to data subjects in the EEA to perform a transfer impact assessment prior to transferring any of their personal data to the EU.

The PCPD has published two sets of recommended model contractual clauses to facilitate compliance with the PDPO in these situations. These models can be included either as separate agreements or as schedules to a commercial agreement. The model clauses are designed to cover a range of scenarios, including the transfer of personal data from a data user to a data processor; and the transfer of personal data between entities both of which are outside of Hong Kong when the transfers are controlled by a data user in Hong Kong.

It is interesting to note that the Hong Kong position on adequacy or equivalent regimes is at odds with the general trend in many other countries. This may reflect the fact that the broader business community believes that the current legal framework is adequate to protect personal data in Hong Kong and that, moreover, the practical challenges of implementing an adequacy or equivalent regime are considerable. In the longer term, though, it is likely that the need for efficient and reliable means of transferring data to mainland China and internationally will drive change.