When dealing with personal data transfers across businesses, it is important to understand how a jurisdiction interprets key concepts in its law. This is particularly true in Hong Kong. Padraig Walsh from Tanner De Witt’s Data Privacy practice group takes us through the issues to be considered when transferring data from Hong Kong to elsewhere, or from other locations into Hong Kong.
The key consideration is whether or not the PDPO and its associated PDPPs will apply to a particular data transfer. As a general rule, the PDPO will only apply to data transfers where the data user has operations which control collection, holding, processing or use of personal data in, or from Hong Kong. This test may seem relatively straightforward but it is not always easy to determine whether a transfer will fall within the scope of the PDPO.
A good place to start is to consider whether the data is personal data. The PDPO defines ‘personal data’ as information that identifies a living individual. This is a very wide definition and it will often include information such as name, contact details, salary, credit records and medical or health records. In some cases, however, such information may not be considered to be personal data in the context of a particular contract or arrangement. The best approach in this respect is to refer to the specific contractual terms or arrangement and to consider whether it falls within the scope of the PDPO.
Once it is determined that the PDPO applies to a particular transfer, there are a number of obligations which must be fulfilled. For example, a data user must ensure that it has appropriate contracts in place with any third party which will govern the transfer and which will impose safeguards to protect the personal data transferred. These contracts must incorporate one of the PDPO’s recommended model clauses.
One of the more significant requirements is to carry out a transfer impact assessment. This will typically only be required in circumstances where the transfer involves a large volume of data and/or where it will involve a change to the purpose for which the personal data was originally collected. Unlike many other jurisdictions, the scope of the PDPO does not extend to require a transfer impact assessment where only small quantities of data are being transferred.
In the short term, Hong Kong’s position on section 33 will seem out of step with international trends in favour of adequacy or equivalent regimes for cross-border data transfer. However, the increasing volume of data transfers between Hong Kong and mainland China under the “one country, two systems” principle will likely drive change. As such, the need for an efficient and reliable legal mechanism to facilitate such transfers will continue to grow. TD SYNNEX is the leading global distributor and solutions aggregator for the IT ecosystem, uniting compelling technology products, services and solutions from 1,500+ best-in-class vendors. Headquartered in Clearwater, Florida and Fremont, California, TD SYNNEX and its 23,500 employees worldwide help customers maximize their IT investments, demonstrate business outcomes and unlock growth opportunities.