Personal Data Protection in Hong Kong

In Hong Kong, personal data protection is governed by the Personal Data Protection Ordinance (“PDPO”). It establishes data subject rights and imposes specific obligations on data controllers through six data protection principles. The PDPO came into effect in 1996 and was amended in 2012 and 2021.

One of the PDPO’s provisions is section 33, which places a statutory restriction on transferring personal data outside Hong Kong. Section 33 has been the source of considerable debate and resistance from business, largely because of the perceived burden on business operations and the difficulty of complying with it. In fact, it is beginning to look as though the implementation of section 33 may never take place.

As a result of the debate and resistance from businesses, there has been a shift in the PCPD’s approach to the issue, moving from treating it as a key policy objective that must be met, to a position where its implementation depends upon a number of factors. These factors include the need to assess whether the increased cross-border flow of personal data is creating a threat to data privacy, the cost and burden of compliance with section 33, and the extent to which it is achieving its intended purpose of ensuring that data transfers are based on enforceable legal grounds.

One factor is the increasing volume of data flows between Hong Kong and mainland China under the “one country, two systems” principle. The PCPD is evaluating these developments and the broader global regulatory framework on cross-border data flow, in order to advise the government on ways forward which best suit our local circumstances.

This includes the development of recommended model clauses, which have already been published by the PCPD for use by businesses that transfer data between Hong Kong and countries outside the EEA. The model clauses are formulated to meet the needs of data users who transfer personal data between different entities both inside and outside Hong Kong, including where the transfer involves a third party that is acting as a processor for the purposes of carrying out the processing instructions of the data user.

The proposed model clauses are also designed to be adapted (without diminishing the substantive protections) to fit within commercial arrangements that involve the sharing of personal data by data users. The model clauses can be incorporated into separate agreements, schedules to main commercial agreements or contractual provisions within the main commercial agreement.

Another factor is the growing number of occasions where a business is required to undertake a transfer impact assessment by virtue of the laws of other jurisdictions. For example, a data importer from the European Economic Area (EEA) that agrees to standard contractual clauses proposed by a PDPO data exporter will be required to carry out a transfer impact assessment in order to fulfil its obligation under the GDPR. In such cases, a Hong Kong business will have to rely on the application of the laws of other jurisdictions to ensure that its own obligations under the PDPO are fulfilled in respect of international transfers.