Data HK and the PCPD

Data HK is the online hub for the Hong Kong Privacy Commissioner’s Office (PCPD). The PCPD governs data protection in Hong Kong through a set of six data protection principles (DPPs).

Regulation of data transfers is an essential element of these principles and is a core component of the PCPD’s compliance regime. The PCPD publishes two sets of recommended model contractual clauses that cater for the most common scenarios involving personal data transfers in or out of Hong Kong. These are the transfer of personal data from one data user to another and the transfer of personal data from a data user to its data processor.

As with other PCPD provisions, the first consideration when contemplating a transfer of personal data is whether or not a data user actually controls the collection, holding, processing or use of personal data. A person who does not have such operations is not a data user and the PCPD’s obligations do not apply to it in respect of the transfer of personal data.

The next step is to consider the purpose of transferring the personal data and the class of persons to whom it is transferred. If the purpose of a data transfer is not in line with the purposes set out in the Personal Information Collection Statement (PICS) and the voluntary and express consent of the data subject has been obtained, then a PDPO (Personal Data (Privacy) Ordinance) exemption can be relied upon. Otherwise, the transfer is prohibited unless the class of persons to whom the data is being transferred has already been notified to the data subject in the PICS.

In addition to the above, a data user must have reasonable safeguards in place to protect personal data from unauthorised or accidental access, processing, erasure, loss or use. Such measures can include having in place an information security policy and ensuring that any third parties with whom personal data is shared are contractually bound to take appropriate measures to protect it. A staff card for example, which exhibits a person’s name, company name, photograph and HKID number, is likely to constitute personal data and therefore require such measures to be taken.

Lastly, data users must comply with the requirements of DPP2 and DPP4. This includes having in place contractual or other arrangements to ensure that personal data is protected against unauthorised access or processing and against misuse or interference. This applies even where a third party is engaged, because the data user retains direct responsibility and liability for that third party’s compliance with the DPPs.

In short, while the Hong Kong approach to section 33 may seem out of step with international trends in establishing a global regulatory framework for cross-border data flows, it does appear that increasing business activity between Hong Kong and mainland China under the “one country, two systems” principle will drive change. As such, the need for efficient and reliable means of transferring personal data with mainland China and internationally is likely to lead to more focus on implementation of this provision.