Data HK – A Guide to Transferring Personal Data Outside Hong Kong
Data hk is Equinix’s industry-leading blog covering topics like data center trends, global regulatory updates and digital supply chain challenges. The goal of Data hk is to provide customers and the wider business community with helpful guidance and advice.
Hong Kong law contains several requirements when it comes to international data transfers, including section 33 of the Personal Data Protection Ordinance (“PDPO”). According to this provision, transfers outside Hong Kong cannot occur without first satisfying officials that their destination jurisdiction will provide adequate protection of personal data transferred abroad.
To fulfill this obligation, data exporters must either conduct or collaborate in conducting a transfer impact assessment of any foreign jurisdiction that will export personal data under PDPO. This assessment seeks to ascertain whether its laws, practices and policies comply with each of the four essential data protection guarantees, including right of information and access requirements.
An adverse transfer impact assessment may require data exporters to either suspend data transfers to foreign jurisdictions or implement adequate supplementary measures for them, which include safeguards that bring their level of protection up to Hong Kong standards. Supplementary measures include technical solutions (e.g. encryption or pseudonymisation), contractual provisions imposing obligations on audit and inspection activities, breach notification services, and compliance support and cooperation mechanisms.
At the core, it is up to every data exporter to decide whether or not they comply with section 33 requirements, and conduct a transfer impact analysis when necessary. Doing business internationally often necessitates this practice.
An increasing trend among companies is their participation in transfer impact assessments when exporting personal data to or from an EEA country as part of customer transactions.
An impact analysis should only be carried out if a foreign jurisdiction’s laws, practices and policies do not guarantee compliance with the four essential guarantees for data protection under the PDPO or it would be difficult to achieve those standards through contractual mechanisms alone. As businesses are obliged to comply with data protection measures, it is crucial for them to remember that these safeguards exist and to apply them wherever possible. Not only will this aid them in fulfilling their obligations, but it will also help build and retain the trust of data subjects. Maintaining and strengthening Hong Kong’s data economy is integral to its global competitiveness, so the PCPD has published model clauses for inclusion in cross-border transfer contracts that should serve as an ideal starting point for companies wishing to comply with section 33 requirements.