Do I Need to Conduct a Transfer Impact Assessment When I Transfer Personal Data Outside of Hong Kong?

Many Hong Kong businesses will need to conduct a transfer impact assessment when they export personal data to a place outside Hong Kong. A transfer impact assessment is a review of the level of protection available to data subjects under the laws of a jurisdiction. It is not a legal requirement, but it has become increasingly common as part of best practice and ethical standards for businesses in their governance of personal data. It is also becoming a necessary step when dealing with the laws of other jurisdictions that do not meet international standards. This is often the case when dealing with the laws of the European Union.

The PCPD has issued extensive guidance on how to carry out a transfer impact assessment. This is intended to be practical and user-friendly and allows for flexibility in how the assessment is conducted to fit into the overall commercial arrangements of a business. This can be done through separate agreements, schedules to the main commercial agreement or as contractual provisions within the main commercial arrangement. It is not intended to be an onerous or arduous process and in fact is markedly less onerous than the GDPR requirements that apply to data transfers from the EU to the United States.

In any event, a data transfer impact assessment is only one of a number of obligations that a data user has when processing personal data. A data user must still comply with the six data obligations that form the core of data privacy law in Hong Kong. This includes a requirement to provide a Personal Information Collection Statement to every data subject whose data is collected, and, where a purpose of use has been changed, a requirement to obtain the prescribed consent of the data subject before any change can be made (DPP 3).

These obligations also include a statutory requirement that a data user identify and adopt supplementary measures to bring the handling of personal data transferred from Hong Kong up to standard in the foreign jurisdiction (DPP 8), and the requirement to document and keep records of all data transfers (DPP 7).

Increased cross-border data flow was at the forefront of policy considerations when the PDPO was formulated and facilitating the free movement of personal data was seen as an essential element in promoting business development. However, business concerns regarding the perceived negative impact on business operations and the difficulty and cost of compliance led to resistance to implementing section 33 in Hong Kong. It now looks increasingly likely that this provision will never come into force in Hong Kong.