Having robust legal grounds for data transfers is an important part of good data ethics. Moreover, the law requires data users to adhere to principles of transparency. This includes notifying data subjects of the fact that their personal data will be transferred outside Hong Kong and explaining the underlying grounds. Additionally, data exporters should take legal advice in respect of contractual arrangements with data importers to confirm that these provisions will be enforceable in the location of the data importer.
The PCPD is keen to promote greater compliance with cross-border data transfer laws. It has published extensive guidance on the subject, including recommended model clauses that can be included in contracts. It has also contributed to a study of business impact assessments for data importers. The PCPD’s work is in line with a policy of promoting a free and open flow of data within the economy.
It is important to note that, unlike GDPR, Hong Kong’s PDPO does not apply extra-territorially. It applies only to a data user that controls all or part of its operations in, or from, Hong Kong. This is a far more stringent test than that applied by many other data privacy regimes.
Moreover, the PDPO contains stricter requirements for a data user to notify the public of a proposed transfer and to obtain the prescribed consent of data subjects. It also requires a data user to obtain the prescribed consent of a data subject for any change in purpose for which that data was collected. While this step is less onerous in Hong Kong than under GDPR, it remains a significant requirement for data users.
The PDPO requires a data user to use contractual or other means to prevent personal data transferred to data processors (whether in or out of Hong Kong) from being kept longer than is necessary for the processing of that data (DPP2 and DPP4). Furthermore, the PDPO imposes liability on a data user for its agents’ or contractors’ breach of its requirements.
The free movement of data is a critical element in the success of Hong Kong’s economy. It should continue to be encouraged. The PDPO’s current provisions, while not ideal, remain an effective tool for ensuring this. However, as the Mainland makes progress with reforming its data protection laws, it is likely that increased cross-border flows will become an inevitable part of our business life. These changes will require us to review our existing policies and to make them more robust. It is important that we do this while retaining the flexibility that allows Hong Kong to be a global leader in data protection and technology.
Until that time, businesses should continue to ensure that they are fully aware of their obligations under the PDPO. They should be proactive in addressing any shortcomings in their practices. This is the best way to avoid data breaches that can have serious consequences for both customers and the business itself. It is also an opportunity to reinforce the importance of data privacy in the workplace.