Data hk is a library database that aggregates statistics, reports and forecasts from market research organizations, businesses and governments. It covers markets, industries and consumers worldwide. It also provides trend analyses, free publications and blogs. Its website is accessible at https://datahk.gov.hk/en/.
When Hong Kong first enacted its modern data privacy laws, section 33 was intended to control the flow of personal information across borders. Its implementation, however, was pushed to the side because of business concerns about the impact on international business and the cost of compliance. It was a case of ‘if it ain’t broke, don’t fix it’.
The PCPD has now moved to re-focus its attention on implementing the provisions of section 33. The reason is the increased cross-border flow of personal information resulting from technological advancements. In addition, the PCPD’s broader view is that there has been a shift in global business attitudes to protecting personal privacy.
A key aspect of the PCPD’s approach to implementing section 33 is to focus on the data users’ obligations arising out of collection, processing and use of personal information. Its guidance for a transfer impact assessment has been designed to be minimally onerous and flexible enough to accommodate business arrangements. These can be structured in the form of separate agreements, schedules to main commercial agreements or contractual provisions within the main commercial arrangements.
As a general rule, the PCPD’s assessment will only identify the need for supplementary measures where the level of protection provided in the foreign jurisdiction falls short of the standards required by the PDPO. Such supplementary measures could include technical measures (such as encryption, anonymisation or pseudonymisation) and/or contractual measures (such as requirements for audit, inspection and reporting, beach notification, and compliance support and co-operation).
It is important to note that in any circumstance where a personal data transfer is made by a Hong Kong data user, the obligation to comply with a request for disclosure of that data under relevant law will remain in force. This is a fundamental element of the PCPD’s approach to the application of the laws of Hong Kong and is consistent with the approach taken by other jurisdictions.
The PCPD has published recommended model clauses that a data exporter can use in its contracts with a data importer. These model clauses are based on the standard contractual clauses drafted under GDPR. In addition to these, the PCPD may suggest other specific provisions if it believes that they are necessary or desirable. In the context of EEA data exporters, this will often include an agreement by the data importer to submit to the jurisdiction of and to cooperate with the competent supervisory authority of the data exporter in respect of any procedures aimed at ensuring compliance with those clauses.