Regulation of Cross-Border Personal Data Transfers

The global economy relies on cross-border data flows for the movement of people and goods. Increasingly, those data flows involve the movement of personal information. While the free flow of personal data is a key part of our economic success, there are also risks associated with it. Those risks include the potential loss of privacy protections and the impact on individuals of laws and practices in destination jurisdictions that may not fully reflect those fundamental principles of fairness, transparency and accountability that are at the heart of EU laws.

Regulatory measures designed to safeguard privacy and promote efficient, compliant data transfers are therefore essential in Hong Kong and internationally. In this article, Padraig Walsh from Tanner De Witt’s data privacy practice group explains some important points to note about the regulation of cross-border personal data transfers.

In Hong Kong, the primary source of data protection legislation is the Personal Data (Privacy) Ordinance (“PDPO”). The PDPO establishes rights for data subjects and imposes specific obligations on data controllers through six data protection principles. The PDPO includes an obligation to obtain the voluntary and express consent of a data subject before collecting their personal data. This obligation extends to any change of use of the personal data that is collected. It can be fulfilled by providing a Personal Information Collection Statement (PICS) to the data subject before making such changes.

Section 33 of the PDPO provides for a statutory restriction on the transfer of personal data outside Hong Kong, provided that certain conditions are fulfilled. However, it is becoming increasingly likely that this section will never be implemented.

A key requirement is that a data user must carry out a transfer impact assessment before exporting personal data to a foreign jurisdiction. This assessment should identify the steps that a data user will need to take (including technical and contractual measures) to bring the level of protection in the destination jurisdiction up to Hong Kong standards. This can be accomplished through a contractual clause in the transfer agreement or, more commonly, by incorporating data transfer provisions within the main commercial contract.

In the case of data transfers to the EU, there are also new standard contractual clauses. In the event that a data importer is not able to agree to these, it will be necessary to conduct a “risk-based” assessment and consider whether other regulatory or contractual steps might be appropriate in the circumstances. Ultimately, the best approach is to seek legal advice from experienced data privacy lawyers before deciding on the most appropriate route to pursue.