Hong Kong is a leading international business location and a hub for global commerce. As a result, companies frequently need to transfer personal data between entities based in different jurisdictions. This can be driven by a range of reasons, such as the need to provide a service to customers in a particular country or region, or the need to undertake due diligence on a potential corporate transaction. Whatever the reason, it is important to be aware of the data privacy regulation that applies to these transfers in order to minimise business risk and ensure efficient compliance with applicable law. In this article, Padraig Walsh from the Data Privacy practice group at Tanner De Witt looks at the main points to consider with regard to personal data transfers in Hong Kong.
The key piece of data privacy regulation that applies to data transfers in Hong Kong is the Personal Data Protection Ordinance (PDPO). This sets out rights for individuals and obligations for businesses to protect personal data and regulates collection, processing, holding and use through six data protection principles.
While the PDPO does not contain provisions that directly regulate cross-border data transfers, it is accompanied by recommendations on how to comply with its requirements when personal data is transferred. These are contained in two sets of recommended model clauses. The first set relates to the transfer of personal data between two entities that each control the same personal data; the second relates to the transfer of personal data between an entity and its data processors. The model clauses can be included as standalone contracts, as schedules to a commercial agreement, or as contractual provisions within the commercial agreement itself.
For the purposes of the model clauses, a “data user” means any person who controls the collection, processing, holding or use of personal data. A “data processor” is any person who processes personal data on behalf of a data user. The model clauses make it clear that a data user remains responsible for its data processor’s compliance with the PDPO, and that, in the absence of specific arrangements between the parties, the data processor cannot rely on the fact that the transferring data user is a legal entity.
There are a number of exemptions to the use limitations and access requirements in the PDPO, including those relating to the prevention or detection of crime or serious improper conduct; the assessment or collection of any tax or duty; or the conducting of due diligence exercises. There are also a number of exceptions to the requirement that data must be processed fairly and not excessively in relation to its purpose.
It is important to remember that under the PDPO, the obligation to expressly inform data subjects of the purposes for which their personal data will be used and of the classes of persons to whom it may be transferred is an obligation that is satisfied by a declaration by the data user on or before collecting the data. This is markedly less onerous than the GDPR requirement to obtain consent in such cases.