Hong Kong Office of the Privacy Commissioner Publishes Cross-Border Transfer Guidance
Posted: February 19, 2015
As announced on December 29, 2014, the Office of the Privacy Commissioner for Personal Data (PCPD) published the Guidance on Personal Data Protection in Cross-Border Data Transfer. The Guidance analyzes Section 33 of the Personal Data (Privacy) Ordinance (PDPO) and its impact on personal data transfers.
To provide background, the language of Section 33 governs personal data collected, processed or used in Hong Kong, or personal data controlled by a data user whose principal place of business is in Hong Kong. In particular, a data user may not transfer personal data outside of Hong Kong unless one of several possible requirements is met. A data user is a person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of the data.
The Guidance provides further insight into what actually constitutes a transfer, drawing a distinction from mere transit of data. One example that constitutes a transfer is when a data user engages a third party provider located outside Hong Kong to process personal data on its behalf, no matter where the personal data is actually physically stored. However, sending an email to a Hong Kong recipient, in the course of which the data is transmitted using a server located outside Hong Kong, does not constitute a transfer.
According to the Guidance, the PCPD will assess data protection regimes in various jurisdictions to determine if any laws in place are “substantially similar” to the PDPO. Based on that assessment, the PCPD will publish a “white list” of jurisdictions to which the transfer of personal data is permissible. If a country is not on the white list, then another exception must be met before transfer will be permissible. Options under the law include obtaining consent in writing from the data subject and having reasonable grounds for believing that there is a law in place in the receiving jurisdiction that is substantially similar to the PDPO.
Another exception that allows for personal data transfers is if the data user takes reasonable precautions to ensure data would not be collected, processed or used in a way that violates the PDPO. One way of fulfilling this exception is the use of model data transfer clauses, which the PCPD provided as an attachment to the Guidance. As an alternative, data users may use non-contractual methods to monitor compliance, such as ensuring that the receiving entity has policies and procedures in place to safeguard data and reserving the right to audit and inspect the receiving entity.
Technically, Section 33 is not yet effective, meaning the provisions do not currently apply to cross-border transfers. However, the Guidance recommends that data users work now to implement appropriate procedures for when Section 33 does come into effect. When Section 33 comes into force, any data user who violates the provisions commits an offense and is susceptible to a fine of up to HK$10,000 (approximately $1,288 USD). If the PCPD issues an enforcement notice which the data user violates, the offense carries a fine and imprisonment, along with a daily penalty if offenses occur after conviction.