Regulation of Cross-Border Data Transfer Under the PDPO
At the height of Hong Kong’s modern data privacy laws in 1995, cross-border data transfer regulation was considered essential. This was reflected in PDPO section 33, which restricts any transfer outside Hong Kong unless certain conditions are fulfilled. Despite increased cross-border business activity, this did not become a significant driver of more robust protection measures, and its implementation was dropped from subsequent legislative reform agendas.
As the need for comprehensive data protection measures increases, it may come as a surprise that implementation has yet to resume. A variety of factors could explain this trend, such as perceived adverse impacts on business operations or difficulties achieving compliance, as well as significant resistance from within the business community and widespread uncertainty regarding their implementation.
But it is essential to remember that even if a business does not export data, it could still fall under the purview of the PDPO if it controls the collection, holding or processing of personal data. The definition of “data user” under this Act includes references to disclosure and transfer, as well as requirements to explicitly inform data subjects of the classes of people to whom their data could be transferred (DPP 1(3)).
Businesses operating in Hong Kong increasingly find it necessary to conduct a transfer impact assessment under the Personal Data Protection Ordinance, not due to any intention to transfer personal data abroad but simply in order to comply with various core data protection obligations. This is particularly the case where there is data protection legislation applicable in mainland China (considered a separate legal jurisdiction under the “one country, two systems” principle), or where high volumes of personal data are transferred between Hong Kong and mainland China.
If a data transfer impact assessment is required, data exporters will have to take measures in accordance with their legislation and practices that meet or surpass those mandated by the PDPO. Technical measures, such as encryption or anonymisation, as well as contractual provisions pertaining to audit and inspection, breach notification, compliance support and cooperation, could all play a part in keeping data secure. While Hong Kong may appear out of line with global trends regarding cross-border data flow, increased international pressure may force change as more efficient methods of exchanging personal information between mainland China and Hong Kong become necessary. This may involve altering the definition of personal data to include any identifiable person and not simply specific individuals. Such changes would necessitate greater protection for individuals as well as increase the compliance burden for businesses attempting to comply with data protection laws.