Cross-Border Personal Data Transfers Under the PDPO

A person who transfers personal data outside Hong Kong has significant obligations under the PDPO. In this article, Padraig Walsh from the Data Privacy practice group at Tanner De Witt examines how those obligations apply to cross-border data transfers, whether the transfer is between Hong Kong entities or between a Hong Kong entity and another company located in a different jurisdiction.

The main issue is that a data user must fulfil a range of statutory obligations that are core to privacy law in Hong Kong when collecting, using and sharing personal data. These are primarily outlined in DPP1 (Purpose and Collection) and DPP3 (Use). Those obligations include an obligation to tell data subjects of the purposes for which their personal data will be used, the classes of persons to whom their data may be transferred, and the name or job title and address of the individual responsible for any requests received from the public in relation to such information. These obligations are generally fulfilled by the provision of a PICS to the data subject at the time of the initial collection of personal data or when a request for disclosure is made.

When the original PICS is provided, it will often contain a statement that the personal data collected will be transferred to a destination outside Hong Kong. Depending on the circumstances, this is likely to constitute a notification of a cross-border transfer under DPP3. If such a transfer takes place, the data user must then fulfil a number of further obligations when it comes to dealing with the transferred data. This includes an obligation to comply with the applicable laws and regulations of the destination jurisdiction and to ensure that any third party which is processing the data receives a contract that meets the requirements of DPP4.

Section 33 of the PDPO prohibits the transfer of personal data out of Hong Kong unless certain conditions are satisfied. However, the increasing prevalence of cross-border business activity has made implementation of this section a lower priority than in the past.

One way to satisfy the conditions is for a data importer in Hong Kong to carry out a transfer impact assessment on the personal data being sent from the EEA to the Hong Kong data importer. This is generally required when a data importer agrees to standard contractual clauses proposed by the data exporter, particularly under GDPR.

A further consideration is that the PDPO requires a data user to inform a data subject if it is not possible to satisfy the requirement for an assessment (DPP5) or of the consequences if a breach were to occur in respect of a transfer of personal data (DPP6). This is also likely to be a requirement when a data importer agrees to a standard contractual clause proposed by an EEA data exporter under GDPR. The PDPO does not require that the terms of any such agreement be put in writing, but it is usually good practice to do so.