Many business activities involving personal data take place across international boundaries. Businesses must consider how laws and regulations governing data transfers may have an effect on their overall compliance efforts and costs for complying with their obligations. Padraig Walsh from Tanner De Witt’s Data Privacy practice group addresses some key points concerning such transfers in this article.
Remembering Hong Kong law requirements governing data transfers is of utmost importance, since data transfer laws exist here. According to the Personal Data Protection Ordinance (“PDPO”), any person responsible for collecting, holding, processing or using personal data within or to Hong Kong constitutes a “data user”, while “personal data” encompasses any identifiable natural person information – consistent with what other legal regimes such as GDPR stipulate.
The PDPO requires data users to comply with various statutory obligations regarding the processing of personal data, such as meeting various safeguard requirements for any transfer abroad (DPP 6). These safeguards could include standard contractual clauses or conducting an assessment based on data subject protection levels available abroad (DPP 7).
Although the requirement to conduct a transfer impact assessment has been suspended temporarily, its importance remains clear when considering cross-border transfers of personal data. A transfer impact analysis provides an evaluation of protection levels available to data subjects in their destination jurisdiction compared with Hong Kong standards.
Once a transfer impact analysis has been conducted, the user of transferred personal data must undertake to not use or permit sub-processors to use transferred personal data outside Hong Kong in any other place than those specifically agreed with them and adhere to standard contractual clauses – either through separate agreement or as part of its main commercial agreements with data importers.
Before any data transfer takes place in Hong Kong, its exporter is often required to conduct a “data transfer review”. This involves an examination of the business case for transfer as well as discussion of proposed safeguards – often essential where sensitive personal data or public authorities are involved; but often more technical than a PICS review and can prove expensive for users of data.