In the past, increased cross-border data flow was regarded as the life-blood of Hong Kong’s economy and facilitating that free flow of personal information was seen as one of the core strengths of our business community. However, resistance to section 33 implementation was strong owing to perceived adverse business impact, difficulty in complying and the cost of compliance. As a result, implementation of this statutory provision has been dropped from the PCPD’s agenda for the foreseeable future.
The definition of “data user” in the PDPO includes persons who have any operations controlling the collection, holding, processing or use of personal data in, or from, Hong Kong. It is important to note that this statutory scope does not extend to mainland China which is a separate legal jurisdiction under the one country, two systems principle and its data protection laws are in transition. However, it is possible that the mainland will adopt a more comprehensive data protection regime that could potentially include some form of extra-territorial application in future.
For a data transfer to be lawful under the PDPO, it must be for one of the specified purposes and the data subject must have given his or her voluntary and express consent to the proposed transfer (DPP 2(3)). The requirement to provide a lawful basis in the PICS also applies to a transfer and that lawful basis must be based on a specified purpose that is not inconsistent with the original purpose for which the data was collected.
If the transfer impact assessment reveals that the laws and practices in the destination jurisdiction do not meet the PDPO standards, the data exporter must either suspend the personal data transfer or implement adequate supplementary measures (DPP 3(5)). Supplementary measures may include technical measures such as encryption, anonymisation and pseudonymisation, or contractual arrangements such as data-processing restrictions, beach notification and compliance support and cooperation.
An additional important consideration is that, once a data user has collected personal data and transferred it, he or she cannot re-use the data for a new purpose without the prescribed consent of the data subjects (DPP 3(6)). This is in line with the principles of PDPO and similar provisions in other legislation and would be a significant step beyond current practice.
The PCPD has published model clauses to help data exporters comply with their statutory obligations in respect of personal data transfers. As the statutory requirements for data transfers are complex, it is important for data users to seek advice on a regular basis. In the wake of the Octopus case, it is particularly important to ensure that existing and potential transfers of personal data meet the PDPO standards. If not, the data users should consider revising their policies and considering whether a fuller statutory restriction such as section 33 should be implemented. In any event, data exporters should revisit their PICS and make sure they are up-to-date and reflect the latest developments in the global regulatory framework on cross-border/boundary data flow.