Data Transfers: The curious case of cross-border data transfers in Hong Kong
18 Nov 2022
The Personal Data (Privacy) Ordinance (the “PDPO”) was passed in 1995 and took effect from December 1996. One of its key provisions was a restriction on cross-border data transfers in section 33. More than 25 years later, section 33 is still not yet in operation. In this article, Pádraig Walsh from our Data Privacy practice tells this curious and interesting story.
The history of data privacy in Hong Kong
The PDPO is one of Asia’s longest-standing comprehensive data protection laws. The local roots of the legislation are a Law Reform Commission Report published in 1994. The section on transborder data flow is still an interesting read today. The key conclusion was that regulation of transborder data flow is an important feature of comprehensive data protection legislation. The touchstone for the PDPO was the OECD Privacy Guidelines 1980. However, the main source that guided the Law Reform Commission was Directive 95/46/EC (“Directive”) from the EU (then in draft form) on the protection of personal data. International data transfer was regulated in Chapter IV of the Directive.
Hong Kong was at the crest of the wave of modern data privacy laws in 1995 and regulation of cross-border data transfers was a key component of that.
What does section 33 provide?
Section 33 is intended to prohibit the transfer of personal data outside Hong Kong, unless certain conditions are fulfilled. This prohibition is intended to apply to the transfer of personal data from Hong Kong to a place outside Hong Kong, or to the transfer of personal data between two other jurisdictions where the transfer is controlled by a data user in Hong Kong. The basic objective is to ensure that personal data is given a similar level of protection outside Hong Kong, as is provided under the PDPO.
The framework contemplated by section 33 is that the transfer of personal data outside Hong Kong is permitted under certain conditions. The more relevant conditions include:
- The personal data transfer will be to a place that the Privacy Commissioner for Personal Data (“PCPD”) has notified as having privacy laws substantially similar to, or serving the same purposes as, the PDPO. This is a white list exception that is similar to the adequacy regime under GDPR.
- The data user has reasonable grounds to believe that the personal data transfer will be to a place that has privacy laws substantially similar to, or serving the same purposes as, the PDPO.
- The data user has taken all reasonable precautions and exercised all due diligence to ensure that the personal data will not be held, processed or used in any manner which would breach the PDPO.
- The data subject has consented in writing to the transfer.
- The data user has reasonable grounds to believe the data transfer is needed to avoid or mitigate adverse action against the data subject, and it is not practicable to obtain the written consent of the data subject.
- The personal data in question is exempt from data protection principle (“DPP”) 3, which deals with use limitations on personal data.
This basic framework will be familiar to many in the international data protection community. This provision did not go as far as the Law Reform Commission had recommended, but it met the international standard in 1995.
The progress of the PCPD
The PCPD worked on providing guidance and responding to business concerns.
The intention of the PCPD was to bring section 33 into force as promptly as possible. In 1997, the PCPD stated that one reason for delaying the operation of section 33 was to prepare and issue the guidance on appropriate contractual terms, and accomplishing that task would facilitate the provision being brought into force.
In September 2012, the PCPD published its guidance on outsourcing to data processors.
In December 2013, a consultant commissioned by the PCPD completed a study report, which provided a methodology and criteria for deciding whether different jurisdictions have in force law which is substantially similar to, or serves the same purposes as, the PDPO. The consultant studied the relevant regulations of 50 jurisdictions, and considered that 35 of the jurisdictions could be included in the “white list”. Among them, only two were in Asia, one was in North America, one was in Oceania and the other 31 were in Europe.
On 29 December 2014, the PCPD published its guidance on cross-border data transfer, with recommended model clauses to include in contracts dealing with data transfer. This was a guide for voluntary compliance. The Hong Kong government commissioned a consultant to conduct a business impact assessment study, and the PCPD contributed its comment to that study.
In May 2017, the Constitutional and Mainland Affairs Bureau of the Hong Kong Government reported to the Legislative Council on all measures in respect of section 33 taken to that point.
In November 2018, the PCPD engaged a consultant to consider and propose resolutions to issues identified in the business impact assessment study. The consultant recommended that the PCPD should, among other things, revise the recommended model clauses in the guidance on cross-border data transfer to make the guidance more practicable and user-friendly and to enable data users to adopt the relevant clauses directly in data transfer agreements according to their business needs. The brief of the consultant extended to updating the guidance itself.
In January 2020, the Constitutional and Mainland Affairs Bureau of the Hong Kong Government reported to the Legislative Council on proposals to reform and update the PDPO, including six major proposals. No mention was made of the implementation of section 33.
On 12 May 2022, the PCPD published its updated guidance on recommended model contractual clauses, presumably adopting the consultant’s recommendations. The guidance acknowledges that section 33 is not in force, but recommends the adoption of the model contractual clauses on a voluntary basis, especially for small-medium sized enterprises.
Resistance to implementation
Implementation has run into headwinds. The proposal to implement section 33 raised concern from the business community in Hong Kong, particularly from small-medium sized enterprises. Business resistance to change is not unusual and lobbying from the business community is widespread in all parts of the world. However, this is more acute in Hong Kong, which is a jurisdiction made up of one city. The concerns of the business community in Hong Kong are always given substantial weight.
The main concerns revolved around the perceived adverse impact on business operations, difficulties in achieving compliance, and the cost of compliance. The fundamental business view, ultimately, was that in the extensive cross-border business activities of Hong Kong, there was no indication that cross-border data transfers had undermined personal data privacy. So, if it ain’t broke, don’t fix it.
A shift in emphasis?
Looking at the chain of communications from the PCPD, and indeed the Hong Kong government, there has been a movement from implementation of section 33 as a clear policy objective, to a certain indifference to whether it is implemented at all.
In 1997, in response to the question of when section 33 would be brought into force, the PCPD responded:
- “There is no specific date yet, but the issue of the model contract will facilitate the provision being brought promptly into force” (emphasis added).
In 2014, upon publication of the guidance on cross-border data transfer, the PCPD stated:
- “The situation of global data flows is markedly different today than in the 1990s when the Ordinance was enacted … Against this background, the issue of regulating cross-border data flows is becoming more acute than ever before. Countries worldwide are adopting a range of mechanisms to protect the personal data privacy of individuals in the context of cross-border data flows. It is high time for the Administration to have a renewed focus on the implementation of section 33 to ensure that the international status of Hong Kong as a financial centre and a data hub will be preserved.” (emphasis added)
The resistance to implementation from the business community came to the fore in 2017-18, and it took its toll.
In a statement in response to a media enquiry on data localisation in April 2020, the PCPD moderated its position on implementation of section 33:
- “(T)he PCPD acknowledges that cross-jurisdiction data flow is the life-blood of our data driven economy.”
- “The PCPD has also reviewed the latest global regulatory framework on cross-border/boundary data flow and communicated with the Government on the ways forward which best suit the local circumstances in Hong Kong …” (emphasis added).
- “Over the years, the PCPD has not received any complaints from individuals or enterprises about the cross-border / boundary data transfer provisions not coming into operation”
In 2014, increased cross-border data flow was a reason for the Government to have a renewed focus on implementing section 33.
In 2020, increased cross-border data flow was seen as the life-blood of Hong Kong’s economy and facilitating that free flow of information was described as an irreplaceable attribute of Hong Kong’s success. Section 33 implementation was then omitted from the agenda of legislative reform of the PDPO.
Protections in Hong Kong for international data transfers
There are protections under Hong Kong law that also apply in the context of cross-border data transfers. These include:
- Disclosure and transfer are expressly included in the definition of “use”.
- A requirement to give notice to explicitly inform data subjects of the classes of persons to whom the data may be transferred (DPP 1(3)).
- A requirement to obtain the prescribed consent of data subjects for change of use of the personal data collected (DPP 3).
- A requirement to adopt contractual or other means to prevent personal data transferred to data processors, whether within or outside Hong Kong, from being kept longer than is necessary for processing of the data (DPP 2(3)).
- A requirement to adopt contractual or other means to prevent personal data transferred to data processors, whether within or outside Hong Kong, from unauthorised or accidental access, processing, erasure, loss or use of the data being transferred for processing (DPP 4(2)).
- Statutory recognition that a data user is responsible and liable for the acts of his agents, which includes data processors outside Hong Kong (section 65, PDPO).
The future may bring change in respect of section 33. The instrument of change may be the rapid transformation of data privacy laws in mainland China. Mainland China is a separate legal jurisdiction to Hong Kong under the “one country, two systems” principle. The volume of data transfer between Hong Kong and mainland China will increase significantly with deeper integration of business and social life. This will increase the need for an efficient and reliable legal basis for data transfer.
The most efficient and reliable legal basis for data transfers between Hong Kong and mainland China would be an adequacy determination that the protection of personal data in both jurisdictions is of a broadly equivalent standard. However, unless section 33 is implemented, Hong Kong does not have a statutory basis on which it could make an adequacy determination. There are alternatives. For instance, the use of recommended model clauses may help, but their adoption will be neither uniform nor systematic. There are other governmental means by which this objective could be accomplished, particularly as Hong Kong and mainland China are one country. An adequacy regime will have broader application, and provide more certainty. Ultimately, bringing section 33 into operation in Hong Kong would also be consistent with its status as an international standard bearer, and would also facilitate similar adequacy determinations for other suitable jurisdictions.
It is true to say that there is no statutory restriction in the PDPO on the transfer of personal data outside Hong Kong. It also looks increasingly possible that section 33 may never come into operation in Hong Kong.
This position in Hong Kong may seem out of synch with international trends. The reasons are very specific to Hong Kong, which is why it is a curious and interesting story. Perhaps it is refreshing for a jurisdiction to take the view that an adequacy or equivalent regime is not the right way to go. It certainly offers Hong Kong the prospect of a competitive advantage for the time being. In the long term, the need for efficient and reliable means of transferring personal data with mainland China and internationally may drive change.
Finally, it is not true to say there are no protections under Hong Kong law in respect of cross-border data transfer. Businesses need to be mindful of the obligations that exist, as well as best practice and ethical standards in their governance of personal data. We at Tanner De Witt can help you.
Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.
Subsequently updated and expanded substantially in Regulation (EU) 2016/679 (General Data Protection Regulation).
A data user under Hong Kong law is similar to a data controller under GDPR.