Day: December 6, 2024

Hong Kong is a global centre of commerce and finance. It is a key location for the regional offices and headquarters of many global corporations, driving demand for secure data centres. It also provides a platform for businesses to take advantage of the world’s leading technologies and services. The regulatory frameworks governing the protection of personal data in Hong Kong are among the most rigorous and stringent in the world. It is important to understand how these frameworks impact upon cross-border data transfers to and from Hong Kong. Padraig Walsh, Partner in the Data Privacy practice group at Tanner De Witt, discusses the main issues that should be considered when preparing to transfer personal data outside of Hong Kong.

PDPO applies to anyone who controls the collection, holding, processing or use of personal data in, or from Hong Kong. The concept of control is broadly defined and includes the obligation to fulfil six statutory obligations (the ‘Data protection principles’ or DPPs). In addition, the PDPO requires that a data user must expressly inform the data subject on or before collecting their personal data of the purposes for which their personal data may be used and the classes of persons to whom their personal data may be transferred. In the context of data transfers, this means that a PICS must be provided to each individual from whom personal data is being collected.

Aside from the statutory requirements under the PDPO, the PCPD has published two sets of recommended model clauses to facilitate personal data transfers between entities and between data users and their data processors. These models are intended to ensure that the transferees of personal data comply with the DPPs when processing the transferred data. The recommended model clauses include provisions requiring that the transferee must not use or allow any sub-processor to use the transferred personal data in places other than those specified in the contract; and that the transferee must not retain the transferred personal data for longer than is necessary to meet the purpose(s) for which it was collected.

The DPPs require that a data user must adopt contractual or other measures to prevent personal data transferred to a data processor in or from Hong Kong from being kept longer than is necessary for the purpose for which it was collected. The requirement to do so is designed to reduce the risk of data breaches and potential liability for the data transferee.

There are some limited exemptions from these use limitations and access requirements under the PDPO. These include: the safeguarding of national security, defence and international relations, crime prevention or detection, assessment or collection of taxes or duties, a legal proceeding or life-threatening emergency situations. These exceptions provide useful flexibility in the application of the PDPO to data transfers and are helpful in reducing compliance risks. The PCPD is working on a further set of guidance on the implementation of these provisions in practice. This should be available in early 2018.