Cross-Border Data Transfers in Hong Kong

Hong Kong is a leading global centre for cross-border data transfers. This is particularly true for data flows to and from mainland China, for which Hong Kong serves as a strategic digital infrastructure foothold in one of the world’s most carrier-dense network hubs. The volume of this flow will only increase as Hong Kong and mainland China integrate further in business, social life and other activities under the “one country, two systems” principle of the Sino-Hong Kong relationship.

It is important for businesses to understand and follow the rules that apply in these circumstances. In particular, the PDPO requires all data users to obtain the “voluntary and express consent” of the person whose personal data they are collecting, before it can be transferred to another data user or used for a different purpose.

This requirement is also a condition for the grant of an adequacy certificate under the EDPS. However, a business that is not an EDPS data exporter is unlikely to be required to comply with this provision under the PDPO. This is because the PDPO provides that the “controller” of data (which in practice means any person that controls the collection, holding or processing of personal data) is liable for any breach of the PDPO committed by its agent or contractor.

The PDPO also contains specific provisions relating to the transfer of personal data abroad. These include the requirement for a data user to notify the data subject of the transfer of their personal data, and where appropriate, to seek their “voluntary and express consent”. This is intended to ensure that the data subjects of the transferred data are aware of the purpose for which it will be used and the risks involved in the transfer.

Furthermore, the PDPO requires a data user to take such steps as are reasonable in the circumstances to ensure that any foreign data processor is bound by the requirements of the PDPO, including the requirement to implement appropriate technical and organisational measures to protect the security of personal data being transferred. This is an important provision and is likely to be a condition of any agreement that a data user enters into with a foreign data processor.

The PCPD has issued guidance on cross-border data transfers and recommended model contractual clauses to be included in data transfer agreements. The PCPD has also been a contributor to an international study on data transfers which is being compiled for the European Union. The results of this study are due in mid-2020, and it is likely that the European Commission will then adopt a new set of guidelines on adequacy certificates for data exporters to be approved by EU member states. These are likely to provide a clearer framework for the assessment of the adequacy of data protection laws in jurisdictions outside the EEA. This will likely result in an increase in the burden on businesses that are transferring personal data across borders, as well as an increased number of enquiries from the European Commission and other EU member states.