Data is a set of facts or information, which can be used to describe and analyze an event, process, or system. It can be collected from a variety of sources, including publicly available government data, surveys, and reports. Data can also be retrieved from the Internet. Using tools such as spreadsheets and programming languages, data can be transformed into information that is more easily understood and interpreted.
In Hong Kong, the legal protection of personal data is governed by the Personal Data (Privacy) Ordinance (“PDPO”), which establishes data subject rights and specific obligations to data controllers through six data protection principles. While the PDPO does not contain a statutory restriction on the transfer of personal data abroad, it does stipulate that a data user must take steps to ensure that such transfers comply with the PDPO. This article will discuss the application of the PDPO to cross-border data transfers, and the use of contracts to protect personal data in such transfers.
The PDPO defines “data user” as a person who, alone or jointly or in common with others, controls the collection, holding, processing, or use of personal data. The definition is in line with international norms at the time when the PDPO was first enacted in 1996. However, the PDPO has not been updated since then and may no longer reflect current international standards.
One of the reasons why the PDPO has not been updated is because there has been resistance from business groups to doing so. This resistance has been driven in part by concerns that such a change could impact the competitiveness of Hong Kong in the global economy. Nevertheless, as the volume of data transfer between Hong Kong and mainland China increases due to deeper integration under the “one country, two systems” principle, increased pressure to update the PDPO to allow for such transfers will likely be exerted.
To address this issue, the PCPD has published a set of recommended model contractual clauses that may be used to ensure that cross-border data transfers of personal data comply with the PDPO. These model clauses can be found on the PCPD website. In addition, the PCPD has issued guidance on how to implement these model clauses. The PCPD will continue to monitor the development of the global regulatory framework on cross-border/boundary data flow, and will communicate with the government on ways forward that best suit the local circumstances in Hong Kong. These measures will help to facilitate the prompt implementation of section 33. Further, the PCPD will consider other options for data protection compliance in relation to cross-border/boundary data transfer, including an adequacy or equivalent regime. However, it is important to note that there are some limitations in the model clauses, and the use of these clauses will still require careful consideration by data users. Specifically, there are limits on the uses to which personal data can be put, and these restrictions must be taken into account when drafting the model clauses or preparing for a transfer of data.
