If you are planning to transfer personal data outside of Hong Kong, there is now a lot of useful information available to assist you. For example, the PCPD has published detailed guidance on cross-border transfers and recommended model clauses that can be included in contracts dealing with such transfers. Furthermore, it is possible to contribute to a transfer impact assessment where you are a data exporter who transfers the personal data of EEA individuals to a data importer in the EEA.
The PDPO defines “personal data” to include any information relating to an identifiable individual. This definition is in line with international norms – it is similar to the term used in other legislative regimes such as the Personal Information Protection Law that applies in mainland China and the General Data Protection Regulation that applies in the European Economic Area. This means that you may need to amend your policies and processes if you wish to comply with the PDPO requirements in respect of transferring personal data abroad.
In many cases, it is not possible to transfer personal data without complying with the PDPO rules. However, it is important to understand what falls within and outside the PDPO’s scope so that you can make informed decisions about your business requirements. For instance, the PDPO does not apply to any person who does not have any operations controlling the collection, holding, processing or use of personal data in, or from, Hong Kong. This test is more accurate than the common but misguided interpretation that extraterritorial scope extends to all data privacy laws in force anywhere in the world.
Another key consideration is whether the data is actually personal data. In this regard, the PDPO includes a requirement for data users to notify a data subject on or before the collection of their personal data about the classes of persons to whom the personal data will be transferred (DPP 1 and DPP 3). However, if your organisation collects personal data that is not related to an identified individual, then you are not required to provide the notification.
In conclusion, there is a growing need for an efficient and reliable legal basis for the transfer of personal data between Hong Kong and mainland China. As the ‘one country, two systems’ principle deepens integration with mainland China, the volume of data transferred will increase and this will drive change in relation to data transfer provisions under the PDPO. If this happens, it is quite possible that section 33 will be repealed in favour of a more streamlined approach. Nevertheless, we will continue to monitor the situation closely and will update this article as appropriate. For now, we recommend that you take the time to consider your data transfer arrangements carefully and consult with a professional advisor where necessary. Best of luck!