Data Transfer Regulations in Hong Kong

Hong Kong, one of the world’s leading financial centres, sees businesses regularly engaging in cross-border data transfers from either within Hong Kong to elsewhere, or importation from elsewhere into Hong Kong from different locations. Recognising and understanding Hong Kong’s regulatory framework surrounding these data transfers is critical for mitigating business risk and facilitating compliance across organisations – Padraig Walsh from Tanner De Witt’s Data Privacy practice group provides some key considerations here.

Hong Kong’s Personal Data Protection Ordinance (PDPO) provides individuals with basic privacy protections. It outlines rights for data subjects as well as significant obligations placed upon data users, which are summarized by six data protection principles. PDPO was initially implemented on 20 December 1996 but later revised significantly both in 2012 and 2021.

A key tenet of the PDPO is that personal data must only be collected for specific reasons and used with express authorisation by its original user. Therefore, when collecting or using personal information relating to another individual or class of individuals it must notify that person of its purpose(s), whom it will be transferred and to whom (usually via providing a PICS at or prior to time of collection).

Where a data user intends to transfer personal information to another entity, they should perform a transfer impact assessment in order to assess whether that entity’s laws and practices conform with those outlined in the Personal Data Protection Ordinance (PDPO). Although not mandated under PDPO, there will often be instances when conducting such an evaluation is necessary due to laws from other jurisdictions being applied to their activities here in Hong Kong.

Data users must take reasonable steps to ensure that foreign jurisdictions’ laws and practices align with Hong Kong’s level of personal data protection, whether through technical or contractual measures. One starting point for data exporters would be PCPD’s set of model contractual clauses which address both scenarios: transfer between data users; and between entities both located within Hong Kong when controlled by one user.

Drafting these models is ongoing and there remains some debate as to the appropriateness of certain aspects. But it’s clear that developing standard contractual clauses will aid implementation of section 33 and facilitate efficient compliance with cross-border data transfers – it will be interesting to observe their development over time.