No matter if you’re conducting business abroad or moving data across your organisation, understanding its impact on privacy compliance is of critical importance. Padraig Walsh from Tanner De Witt data HK’s team walks readers through some key factors to keep in mind prior, during, and post data transfer.
Data transfers generally can only take place with the explicit and voluntary consent of data subjects, as stipulated in the PDPO. Furthermore, persons collecting personal data cannot share it with anyone outside their PICS without first seeking their approval and receiving consent for each transfer; hence the importance for businesses of reviewing their PICS before engaging in any data transfer activities.
PDPO also places several restrictions on data transfers, including requirements that lawful bases be established and that any transfer necessary for fulfilling its purposes be completed before taking place. These constraints apply both locally in Hong Kong as well as outside its boundaries.
When contemplating any personal data transfers, it is crucial to keep in mind the definition of “personal data” laid out by the PDPO. This definition broadly encompasses any information which relates to an identifiable individual that could potentially allow for their identification; this may include data that does not identify an individual explicitly like photographs of crowds at concerts that do not identify individuals, CCTV recordings of persons entering car parks and records of meetings which do not explicitly identify speakers or attendees.
If a personal data transfer takes place, then the data exporter must conduct a transfer impact analysis and implement measures to bring protection levels in the destination jurisdiction to those required by PDPO. Supplementary measures could include technical or contractual solutions; technical measures include encryption, anonymisation or pseudonymisation while contractual ones could include audit and inspection obligations, beach notification obligations as well as compliance support and co-operation measures.
Hong Kong businesses will increasingly face situations that require them to conduct a transfer impact assessment and/or agree standard contractual clauses as part of data transfers from Europe or elsewhere, particularly where data originates in EEA countries. Furthermore, with mainland China’s rapid transition as an independent legal jurisdiction under the one country two systems principle, an increasing volume of personal data will transfer between Hong Kong and mainland China; consequently PDPO requirements regarding data transfers must be reviewed accordingly as this volume grows.