Data Transfers Under Hong Kong Law
Understanding data transfers under Hong Kong law starts with understanding how it interprets core data privacy principles. While similar principles exist elsewhere, Hong Kong sometimes applies them with its own interpretation. Tanner De Witt’s Padraig Walsh offers an overview of the issues and considerations to keep in mind when transferring personal data either to or from Hong Kong.
Data users must obtain the explicit, voluntary consent of each data subject prior to disclosing or using personal information for any purpose not specified in their PICS, except where necessary for the performance of a contract with the data subject or as permitted under the PDPO (new section 66K(1)). Furthermore, contractual or other measures must be put in place to safeguard personal data transferred outside their country from unauthorised access, processing, erasure, loss or use.
The second step for data exporters is to evaluate whether the foreign jurisdiction’s laws and practices are comparable with Hong Kong standards, in order to identify and take any supplementary steps needed to bring the level of protection up to Hong Kong standards. Such steps might include technical solutions such as encryption, anonymisation or pseudonymisation, as well as contractual provisions that include audit/inspection reporting obligations, breach notification obligations, and compliance support and cooperation obligations.
Once a foreign country meets certain minimum data protection standards, it can apply for recognition under the PDPO as a data safe haven. This allows its citizens to transfer data without restriction under the PDPO and gives businesses a single point of contact for cross-border data transfers, helping to reduce costs.
If a foreign country fails to meet the required standards, the PDPO permits the Commissioner to serve a cessation notice on the data exporter and require that steps be taken within 30 days to remedy the situation. Furthermore, enforcement measures (fines) can be imposed on data exporters who breach it, and compensation may also be sought from data exporters who do not abide by its provisions (new section 66K(3)).