Transferring Personal Data Outside Hong Kong
Unlike many other jurisdictions, Hong Kong’s data protection regime does not include a statutory restriction on the transfer of personal data outside its territory. Instead, it is possible to transfer personal data to persons who comply with the six Data Protection Principles (“DPPs”) set out in the PDPO, subject to certain conditions. The key consideration is whether the person to whom the personal data is being transferred is a “data user.” A “data user” has operations controlling the collection, holding, processing or use of personal data in, or from, Hong Kong, and therefore falls within the scope of the PDPO.
Moreover, for a person to be considered a data user, the personal data must relate to an identifiable natural person. This definition has not changed since the PDPO was first enacted in 1996 and is still in line with international norms. It has been updated in other legislative regimes such as the Personal Information Protection Law that applies to mainland China and the General Data Protection Regulation that applies to the European Economic Area (“EEA”).
If a person is a data user, then he or she will have obligations under the PDPO in respect of personal data transferred overseas, including an obligation to obtain the voluntary and express consent of each data subject before transferring personal data to any class of persons not set out in the PICS. A data user must also adopt supplementary measures if an assessment reveals that the laws or practices of a foreign jurisdiction do not adequately protect personal data, including technical measures and contractual provisions imposing obligations on audit, inspection and reporting, breach notification and compliance support and co-operation.
Further, a data user must ensure that its agents and contractors comply with the DPPs. It is liable for its agents’ and contractors’ breach of the DPPs, even if they are not acting as a data user, and must implement security measures to prevent personal data being transferred abroad from being lost or used unlawfully (DPP 2 and DPP 4).
Finally, a data user must use contractual or other means to prevent personal data that has been transferred to a data processor, whether within or outside of Hong Kong, from being subject to unauthorised access, processing, erasure, loss or disclosure (DPP 2 and DPP 4).
There are a number of exemptions to the use limitations and access requirements under the PDPO, such as for the purpose of safeguarding the security of Hong Kong; facilitating its national defence and foreign policy objectives; the prevention of crime or serious improper conduct; news activities; and due diligence exercises. However, the exemptions are limited in scope and must be carefully examined in each case. In addition, the law does not preclude the transfer of personal data for other reasons, such as where it is necessary to pursue a legitimate purpose under the law of Hong Kong or the law of another jurisdiction. In such cases, a comprehensive and careful impact assessment should be undertaken.