Transfer Impact Assessments – Personal Data Transfers to Hong Kong

The privacy laws of many jurisdictions impose obligations on data users relating to the cross-border transfer of personal data. These are often called “transfer impact assessments”. This article by Padraig Walsh from the Tanner De Witt data privacy practice explores some key points to note when dealing with this issue.

First, a person must determine whether or not they are a “data user”. A “data user” is someone who controls the collection, holding, processing or use of personal data in Hong Kong, or who transfers such information to Hong Kong. This includes a person who operates a business in the territory, offers goods or services to data subjects in the territory, monitors the behaviour of data subjects in the territory (such as tracking people on the internet), or otherwise controls such activities.

A key factor in this determination is whether or not the data being transferred relates to a particular identifiable individual. In the context of data transfers to Hong Kong, the Personal Data Protection Policy (“PDPO”) defines “personal data” as data that relates to an identified or identifiable natural person, and that is about that individual or that individual’s activity. This definition is more restrictive than the one in the European Union’s General Data Protection Regulation (“GDPR”).

Generally speaking, if the data being transferred does not relate to an identifiable individual, it cannot be considered personal data and therefore the obligations of the PDPO in respect of its transfer impact assessment do not arise. This is especially the case if the data being transferred is not in a form that can be readily recognised as belonging to a particular individual, such as a name, address, email or mobile phone number.

If the data being transferred does relate to an identifiable individual, the PDPO imposes a series of significant and onerous obligations upon the data user prior to any transfer. These include the obligation to comply with the six core DPPs (DPP 1–6), a requirement to expressly inform a data subject on or before collecting personal data of the purposes for which the data is intended to be used and of the classes of persons to whom it may be transferred (DPP 2), a prohibition on using or disclosing personal data where the purposes have changed (DPP 7), and a requirement to adopt contractual or other measures to prevent the loss, unauthorised access, unauthorised processing, erasure, destruction or disclosure of personal data when it is in the possession of a data processor outside Hong Kong (DPP 8).

In addition to these statutory obligations, there is also extensive guidance available from the PCPD on how to fulfil these obligations. For example, the PCPD recommends model contractual clauses to be adopted in respect of transfers between two data users and transfers from a data user to its data processor. These can be included in separate agreements, schedules to the main commercial arrangement, or as contractual provisions within the main commercial agreement.