Personal Data Transfers From Hong Kong to China
The volume of cross-border personal data transfers from Hong Kong continues to increase as mainland China becomes more integrated with Hong Kong business and social life under the “one country, two systems” principle. This has prompted a renewed focus on section 33 of the Hong Kong PDPO and its related obligations for data users to fulfil. In addition, there is a growing number of circumstances in which it will be necessary to conduct a transfer impact assessment under section 65 of the PDPO where data is exported to a jurisdiction that does not have laws or practices comparable with those of Hong Kong.
The PDPO defines a data user as a person who controls the collection, holding, processing or use of personal data. It also requires that a data user only collects personal data for lawful purposes and that the information collected is adequate but not excessive in relation to the purpose. This means that a photographer taking photographs of people at an outdoor event does not need to seek consent from those individuals in order to take the photograph because it is lawful (provided, of course, that the photographer is not trying to identify specific people). This principle also applies to CCTV recordings, logs of persons entering car parks and records of meetings where it may be possible to identify speakers or participants, even though such information is not being collected with a view to identifying anyone.
A transfer impact assessment is not mandatory under the PDPO, but there are a growing number of cases where a business needs to consider one, particularly in the context of increased cross-border personal data transfers from Hong Kong to mainland China under the “one country, two systems” policy. Generally, a transfer impact assessment will involve a comparison of the laws of the jurisdiction to which the data is being exported with those of Hong Kong, and a determination of whether or not the legislation and practices of the destination jurisdiction would allow for the protections provided by the PDPO and its DPPs.
Generally, the assessment will identify any supplementary measures that will need to be adopted in order to bring the level of data protection in the destination jurisdiction up to Hong Kong standards, including technical and contractual measures. These might include additional safeguards such as encryption, anonymisation or pseudonymisation, and the inclusion of provisions requiring audit, inspection and reporting, breach notification, and compliance support and co-operation.
Finally, the likelihood that the recipient jurisdiction will enforce any legal remedies available to data subjects should be considered, together with the potential costs involved in seeking enforcement. The PCPD has published recommended model clauses to be included in contracts dealing with the transfer of personal data, which cover two scenarios – a data user to data user transfer and a data processor to data user transfer. These can be inserted into separate agreements, schedules to the main commercial agreement or as contractual provisions within the main commercial arrangement itself.