Personal Data Exported From Hong Kong Under the PDPO
Many data privacy regimes include some form of extra-territorial application. However, the PDPO only extends to personal data that is collected by or processed in Hong Kong by a person who is defined as a “data user”. The definition of data user is very broad and encompasses any individual or entity who controls any aspect of the collection, holding, processing or use of personal information.
The PCPD also requires that a data user expressly inform a data subject, on or before the collection of personal data, of the purposes for which it is intended to be used, as well as the classes of persons to whom the data may be transferred. This obligation to expressly notify the data subject is fulfilled by means of a PICS, which must be provided to each individual at the time of collection. The PICS must also contain the name or job title, and address of the individual who will handle any request for transfer of personal data.
Once an organization has the necessary PICS in place, it is relatively easy to satisfy the obligations for the transfer of personal data under the PDPO. If a business intends to transfer personal data from Hong Kong to another jurisdiction, it should carry out a “transfer impact assessment” of the foreign jurisdiction in order to verify that the law is adequate. A transfer impact assessment is not mandatory under the PDPO, but there are a growing number of circumstances in which businesses will need to engage in one in order to facilitate a personal data transfer.
This is because the PDPO defines personal data as any information relating to an identified or identifiable natural person. A significant amount of the information transferred by data users will be personal data, even if it is not personally identifiable.
If the data exporter’s transfer impact assessment reveals that the foreign jurisdiction’s legislation and practices are not adequate, it will be necessary for the data exporter to take supplementary measures before transferring the personal data. These might involve technical measures such as encryption or pseudonymisation, or contractual provisions imposing obligations on audit, inspection and reporting, breach notification and compliance support and co-operation.
The PCPD has published a set of recommended model contractual clauses, which are designed to accommodate two scenarios, namely the transfer of personal data between a data user and its own data processor, and the transfer of personal data between two entities both of which are data users. In these models, the data processor must undertake not to process or hold the transferred personal data in any place outside Hong Kong other than places agreed with the data user. In addition, the data processor must not disclose any of the transferred personal data to anyone without the consent of the data user. Beyond these provisions, the data processor must also apply a series of other security measures and safeguards to the transferred personal data that are similar to those required under the PDPO.