The Hong Kong Personal Data (Privacy) Ordinance (“PDPO”) and its six data protection principles put comprehensive protection measures in place for all aspects of the lifecycle of personal data. These are augmented by a range of regulatory and enforcement powers and mechanisms, including an independent Privacy Commissioner.
The PDPO has an extra-territorial scope – meaning that it applies whether a person controls the collection, holding, processing or use of personal data within or from Hong Kong or outside Hong Kong. However, a data user cannot transfer his personal data outside Hong Kong for any new purpose without the voluntary and express consent of the data subject. This is because the PDPO includes a definition of “use” that encompasses not just disclosure but also transfer and other changes to the original purpose for which the personal data was collected.
This restriction on transferring personal data is set out in section 33, which was introduced to the PDPO in 1995 when Hong Kong led the world in modern data privacy laws. Its basic objective is to ensure that personal data transferred outside Hong Kong receives a similar level of protection as provided under the PDPO, or its equivalent.
A key element of this is ensuring that the destination jurisdiction’s laws and practices support each of the four essential guarantees of data privacy under EU law. This is what the PCPD’s recommended model contractual clauses seek to achieve.
These clauses are important for all data users and their business partners, and they apply to transfers of personal data either from a Hong Kong entity to another located abroad or between two entities both of which are outside Hong Kong but where one of them controls the transfer (or a related one) involving data relating to individuals in the European Economic Area (“EEA”).
Increasing cross-border data flow was cited as a reason for the renewed focus on implementation of section 33 back in 2014. However, resistance from the business community has been such that it now looks increasingly unlikely that implementation will be achieved.
The reason for this is that businesses view the costs of complying with section 33 and the potential impact on their business operations as outweighing any benefits. In addition, they view the reluctance of many foreign governments to impose a similar legal requirement as an additional obstacle to free and efficient data flows between their territories.
Nevertheless, the PCPD’s recommendation on standard contractual clauses remains relevant in many circumstances, and businesses that are required to agree to such clauses should consider engaging with the PCPD early on in order to be involved in the process of carrying out a transfer impact assessment. This is particularly the case where a business will be required to participate in a transfer impact assessment because it will be exporting personal data to an EEA country that has already been subject to a transfer impact assessment carried out under GDPR. This is the most common scenario in our experience.