How to Handle Personal Data Transfers Outside of Hong Kong

As one of the keystones of digital economies, data has become an invaluable form of capital that fuels innovation. Just as an automaker can’t produce its next model without financial backing, companies that rely on user data cannot develop new applications without that data as raw material for product development. Managing data effectively in this new role is imperative to their success; many organizations have implemented rigorous governance practices and developed state-of-the-art management systems to make the most of this resource.

Advances in technology have presented significant challenges for protecting personal data lawfully. Privacy advocates and regulators alike are particularly alarmed about cross-border data transfers because of the increase in business activity between Hong Kong and mainland China under the “one country, two systems” principle. Hong Kong has witnessed an upsurge in cross-border data flows as more business deals between the two take place every day.

To address these concerns, the PCPD has issued guidance and model clauses regarding cross-border data transfers and advised organizations on incorporating these clauses into contracts involving such transfers of personal data. While the model clauses provide a good starting point for ensuring that transfers outside of Hong Kong comply with the PDPO, other issues must also be taken into consideration for transfers of personal data across jurisdictions to be handled effectively.

A key challenge of data transfers lies in identifying which provisions of the Personal Data Protection Ordinance (PDPO) apply. As defined by this law, personal data refers to information pertaining to an identifiable natural person – for instance, their name, identification number, location data, online identifiers, or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of an identifiable natural person. Under general circumstances if someone controls or likely will control collection, holding, processing or use of the personal data within Hong Kong; offers goods or services or monitors the behavior of data subjects within the European Economic Area (EEA).

The PDPO provides some helpful clarifications, including its definition of “use,” which encompasses disclosure and transfer. Furthermore, this law specifically states that individuals must notify data subjects when their personal data is being transferred between organizations – an obligation which is significantly less onerous than GDPR requirements.

Furthermore, the PDPO requires data exporters to keep records of any personal data transferred outside Hong Kong and to validate whether there is sufficient legal basis for that transfer. This record-keeping requirement echoes the GDPR. Its practical impact may be reduced because most businesses already adhere to data transparency principles as part of their commitment to data ethics; nonetheless, the obligation could still pose an obstacle in cross-border data transfers.