Data hk is a key topic for business and it’s vital that businesses understand the regulation imposed on personal data transfers to minimise risk and promote efficient compliance. In this article, Padraig Walsh from our Data Privacy practice group guides you through the points to note when a business is considering transferring personal data across borders.

PDPO Section 33

A common concern for data exporters is whether they are in breach of PDPO Section 33, which prohibits the transfer of personal data outside Hong Kong where certain conditions are not met. This section applies to a person who controls the collection, holding, processing or use of personal data (including those who transfer that data to a third party) where that activity is carried out outside Hong Kong.

The interpretation of what constitutes ‘personal data’ under PDPO is not consistent and can vary depending upon the specific context. The definition of personal data under PDPO is not in line with other data protection regimes, such as the Personal Information Protection Law that applies in mainland China and the General Data Protection Regulation that applies in the European Economic Area (“EU”). It can therefore be challenging for businesses to determine whether or not they are in breach of PDPO Section33 if their intended use of the personal data does not fall within the statutory definition of personal data.

PDPO Section 34

If a data exporter has assessed that the legislation and practices of the jurisdiction into which they intend to transfer personal data do not satisfy PDPO requirements, they must implement “supplementary measures” that are designed to bring the level of protection up to those required under PDPO. These supplementary measures can take various forms and include technical or contractual arrangements. For example, technical measures might include the use of encryption or pseudonymisation, while contractual measures might include provisions on audit, inspection and reporting, beach notification, and compliance support and co-operation.

The PCPD has published guidance on cross-border data transfers, including recommended model clauses to include in contracts that deal with such transfers. The guidance is designed to be flexible and adaptable, allowing the model clauses to be inserted into separate agreements or as contractual provisions in a main commercial agreement. Ultimately, the form of the arrangement is less important than its substance and content.