What you need to know about data transfers involving Hong Kong

Data transfers are essential and common in corporate transactions. It is vital for businesses to understand the data privacy regulation imposed on personal data transfers, both to reduce business risk and to promote efficient, compliant data transfers across organisations. In this overview, Pádraig Walsh from the Data Privacy practice group of Tanner De Witt guides you through the points to note for personal data transfers, whether the data is being transferred from Hong Kong to elsewhere, or from other locations into Hong Kong.

The ground rules in Hong Kong

The starting point for understanding data transfers under Hong Kong law is to understand how key data privacy concepts are interpreted in Hong Kong. These may seem obvious first principles, but sometimes those principles are the same but different in Hong Kong.

What is personal data?

If data does not constitute personal data, then the statutory obligations of the Personal Data (Privacy) Ordinance (“PDPO”) will not be triggered. Personal data is defined under the PDPO to mean any data relating directly or indirectly to a living individual, from which it is practicable for the individual to be directly or indirectly identified. Personal data must also be in a form in which access to, or processing of, the data is practicable.

The Hong Kong definition of personal data has not been updated since the PDPO was first enacted in 1996. It was in line with international norms on the meaning of personal data at that time. This term has been updated in other legislative regimes since – such as the Personal Information Protection Law that applies in mainland China (“PIPL”) and the General Data Protection Regulation that applies in the European Economic Area (“GDPR”). Under those laws, personal data means information relating to an identified or identifiable person. In the GDPR, an identifiable natural person is given additional meaning by listing various identifiers such as: name; identification number; location data; online identifier; and factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a person. There has been no update as yet in Hong Kong, though change has been advocated by the Privacy Commissioner for Personal Data (“PCPD”).

This might seem a technical point, but it has some surprising outcomes. Let’s take online identifiers for example. A person is identified when the person is distinguished from other persons in the data set and specifically identified. A person is identifiable (in the GDPR sense) when data from different data sets is capable of identifying the person. So, in Hong Kong an IP address alone is not personal data. It does not have biological significance relating to an individual, nor does it have an individual as its focus. An IP address is a specific machine address assigned by an internet service provider to a user’s computer. It is information about an inanimate computer, not a living individual. It cannot alone reveal the exact location of a computer or the identity of its user. In the EU, even a dynamic IP address is personal data as the definition of personal data also relates to an identifiable person (as is the case under GDPR and the predecessor Directive 95/46).

For the present, personal data in Hong Kong may be a smaller pool than is the case in other jurisdictions. If data is not personal data, then obligations under the PDPO in respect of personal data transfers do not apply. Nonetheless, we recommend that a data user should take a cautious approach when compiling its personal data inventory and should still include online identifiers and location trackers.

What is a data user?

A data user is a person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of the data. Control is a key word here. Also, a person is not a data user if he does not hold, process or use personal data for any of his own purposes.

A data user is the broadly equivalent term in the PDPO to “data controller” under GDPR and in other jurisdictions. However, the definition of data controller under GDPR expressly requires that the data controller determines the purposes and means of processing, which again is a technical difference.

If a person is a data user, then this triggers the obligation of the data user to fulfil a range of statutory obligations under the PDPO. A key obligation is that the data user must not contravene a data protection principle (“DPP”) under the PDPO, unless an exemption applies. There are six DPPs set out in the PDPO and these form the core data privacy obligations in Hong Kong.

What is personal data collection?

The collection of personal data might seem to suggest that it relates only to the process of gathering or acquiring personal data. Hong Kong law requires an additional step. The act of collection must also be performed in respect of an individual whom the person acquiring the personal data has identified or intends to identify. The intention of the person acquiring the personal data is also a relevant factor. This is the key principle in the Eastweek case.

The applications of this principle are interesting. A photographer may take a photograph of a crowd attending a musical concert. This is not the collection of personal data under Hong Kong law, provided the photographer has not taken the photograph to identify an individual (but rather to show a general crowd enjoying an event). This is the case even though specific individuals can be identified in the photograph. Similar applications of this principle can apply in respect of CCTV recordings, logs of persons entering car parks and records of meetings that do not specifically identify individual speakers or participants.

One of the obligations of a data user in Hong Kong is to provide certain information to a data subject on or before the collection of his personal data (described in more detail below). If personal data is not collected, then no obligation to provide this information arises.

What is the jurisdictional scope of the PDPO?

Several data privacy regimes now include some element of extra-territorial application. Not in Hong Kong. The territorial jurisdiction of the PDPO only extends to a data user who has operations controlled in, or from, Hong Kong. The correct test is to consider whether the data user controls all or any part of the data cycle (that is, the collection, holding, processing, and use) in, or from, Hong Kong.

This arose in a case in which a data subject requested Google LLC to delist links in search results accessible in Hong Kong to news articles referencing the data subject which he considered false. Google LLC declined the request. The data subject complained to the PCPD. The PCPD considered that there was no evidence of contravention of the PDPO because the local subsidiary of Google LLC did not exercise any control over the collection, holding, processing or use of personal data in or from Hong Kong regarding the web search services. Google search services were processed from data centres in Singapore and Taiwan. Neither Google LLC nor its Hong Kong subsidiary was a data user for the purposes of the PDPO. This was the case even though the search results were displayed in or available from the website of Google HK.

If a person does not have any operations controlling collection, holding, processing or use of personal data in, or from, Hong Kong, then the PDPO will not apply to this person.

What is use?

A data user is defined by reference to his control of the collection, holding, processing or use of personal data. Use is intended as a catch-all phrase in this definition. Some helpful clarification is given in the PDPO which states that use includes disclosure or transfer of personal data. This is critically important in the case of data transfers.

In Hong Kong, a data user must expressly inform a data subject on or before collecting his personal data of the purposes for which the data will be used and the classes of persons to whom the data may be transferred. Transfer is a form of use. So, the PCPD has made clear that personal data may only be transferred to a third party in a class of transferees that has been notified to the data subject on or before the original collection of his personal data, and the transfer can only be for the stated purposes that the original data user has notified to the data subject. Otherwise, the disclosure is a change of purpose for which the original data user must obtain the fresh express voluntary consent of the data subject.

How are data user obligations of collection and use fulfilled in Hong Kong?

Data user obligations are primarily defined by DPP1 (Purpose and collection of personal data) and DPP3 (Use of personal data).

Personal data must be collected in a lawful and fair way for a purpose directly related to the activities of the data user. The data collected must be adequate, but not excessive, for that purpose. Before collecting personal data, all practicable steps must be taken to ensure that the data subject is informed of:

  1. whether the supply of the data is voluntary or obligatory;

  2. the purposes for which the data are to be used; and

  3. the classes of persons to whom the data may be transferred.

Before first use of personal data, the data subject must also be informed of:

  1. his right to request access to, and to correct, the data; and

  2. the name or job title, and address, of the individual who is to handle any such request.

These obligations are usually fulfilled by the data user providing the data subject with a personal information collection statement (“PICS”) before collecting the data. The PDPO does not require notification of these particulars in writing. However, it is obviously good practice for the information to be provided in writing to data subjects.

The purposes set out in the PICS will define the purposes for which personal data may subsequently be transferred. The description of those purposes must be sufficiently precise that the data subject can understand the purposes with a reasonable degree of certainty.

The theoretical underpinning of this arrangement is that, by informing the data subject on or before the collection of his personal data, the delivery of his personal data forms an implied consent to the use of his personal data in accordance with the PICS. This is not always the case in all situations, which is why DPP1 requires that the personal data must be collected in a fair manner.

Once personal data has been collected, the personal data cannot be used for a new purpose unless the voluntary and express consent of the data subject has first been obtained. As explained above, data transfer is a form of data use. So, the data user must obtain the voluntary and express consent of the data subject before he can either transfer the personal data to a class of person that was not set out in the PICS, or transfer the personal data for use in respect of a purpose that was not set out in the PICS.

Conclusion

What are the ground rules for a data transfer in or from Hong Kong?

First, consider whether the data transfer is under the jurisdiction of the PDPO. If a person does not have any operations controlling collection, holding, processing or use of personal data in, or from, Hong Kong, then the PDPO does not apply.

Next, consider whether personal data is actually involved. Personal data is defined in Hong Kong to relate to identified persons, not identifiable persons. Consequently, personal data in Hong Kong may be a smaller pool than is the case in other jurisdictions. If data is not personal data, then obligations under the PDPO in respect of data transfer do not apply.

Then, consider whether personal data is being collected. The intention of the person acquiring the personal data is a relevant factor in this consideration. If personal data is not collected, then no obligation to provide a PICS arises, and issues in respect of data transfer may not arise.

Remember that if a person is a data user, then this triggers a range of statutory obligations under the PDPO, including compliance with the six DPPs that form the core data obligations under privacy law in Hong Kong. Remember also that data transfer is a form of data use.

Finally, consider the terms of the PICS provided to the data subject. This forms the parameters of what is possible in respect of a data transfer, without additionally requiring the prior express voluntary consent of the data subject.

These are important and technical questions. This preliminary assessment may require legal advice to help resolve or clarify areas of uncertainty.

Frameworks for organising cross-border data transfer

There are serious legal consequences to a mishandled cross-border personal data transfer. The following explores the steps a business should take when conducting an international transfer process.

Policy and process

Good practice does not happen by itself. Rather, it arises from good policy, process and proper implementation that are reviewed and improved on a continuous basis. The same principles apply to data transfers. The data user should have a policy and procedure that outlines the key considerations, steps and precautions for data transfers to data processors.

The policy should contain a clear statement that a data transfer to a third party must have a lawful basis, and must be conducted in full awareness and compliance with the legal and regulatory obligations that apply. The policy should enshrine the principle that the data user must take all reasonable steps to protect personal data from unauthorised use and disclosure.

Key considerations will include:

  • What personal data is actually necessary for the identified purpose?

  • Is it necessary for the effective and efficient conduct of the business that the personal data is transferred?

  • What is the nature of the personal data?

  • What is the amount of the personal data being transferred?

  • What damage or distress might be caused to individuals from issues arising from the data transfer?

  • What damage or loss might be caused to the data user from issues arising from the data transfer?

In complex instances, the best method for constructively and systematically taking these considerations into account may be to conduct a transfer impact assessment in respect of the proposal to transfer the personal data for the purposes intended.

The procedures underpinning the policy should:

  • contain concise, clear guidance to assess the impact, relevance and necessity for the data transfer;

  • have a chain of control for the conduct of the transfer, with appropriate signing and approval processes at each stage;

  • contain standards for authentication of the receiving party;

  • mandate the use of data minimisation principles;

  • apply high standards of security for all aspects of the data transfer process. In particular, the procedures should outline the recommended best means of securely transferring personal data, and discourage and prohibit insecure means (such as unencrypted email or removable storage devices);

  • contain guidance on identifying when a formal risk assessment for the data transfer is needed;

  • outline the accountability of key persons in the data transfer process;

  • provide for contractual protections to be initiated and implemented before data transfer occurs;

  • outline the responsibilities of the privacy officer (if any) in respect of data transfers;

  • refer to procedures on incident reporting if an issue arises in the course of the data transfer;

  • have a review process in which the policy and procedures are reviewed at least annually;

  • have a commitment to training and awareness to support adoption of the policy;

  • contain a list of useful resources, including applicable laws and regulations and other policies.

Framework for assessing cross-border data transfers

One of the most widely adopted frameworks for conducting a cross-border data transfer process is the six-step framework published by the European Data Protection Board (EDPB). This six-step framework does not directly apply in Hong Kong. Nonetheless, some of its principles are constructive and relevant to all international data transfers.

Let’s apply and examine key principles in the context of a Hong Kong data user that is a data exporter transferring data from Hong Kong to a data importer in a foreign jurisdiction. Some relevant steps and principles are:

  1. A data exporter should know its transfers. This starts with a data inventory that is a reliable record of the personal data held by the data exporter. Then, the data exporter should map all data transfers of personal data to third countries so that it is aware of where the personal data goes. This is a basic foundational requirement to assess whether the transferred personal data will be afforded an equivalent level of protection wherever it is processed. This step also helps to verify that the personal data to be transferred is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.

  2. The data exporter should verify the lawful basis for the proposed personal data transfer. The Hong Kong data exporter should review its Personal Information Collection Statement (PICS) to determine whether it has properly disclosed that personal data may be transferred as specifically contemplated, and whether the transfer may constitute a new purpose for which the prescribed consent of the data subject is needed. This step is markedly less onerous in Hong Kong than under GDPR.

  3. The data exporter should assess the laws and practices of the third country. The basic requirement for a Hong Kong data exporter is to take all reasonable precautions and exercise all due diligence to ensure that the personal data will not, in the jurisdiction of the data importer, be collected, held, processed, or used in any manner which, if that took place in Hong Kong, would be a contravention of a requirement under the Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”). This does not require a measure-by-measure comparison by organisations of foreign laws with Hong Kong laws. However, the data exporter should take into consideration all material elements surrounding the transaction. The result may well be that some transfers are unwise because of the uncertain nature of the foreign regime, or that in some cases information is so sensitive that it should not be sent to any foreign jurisdiction.

  4. The data exporter should identify and adopt supplementary measures that are necessary to bring the level of protection of the personal data transferred up to Hong Kong standards. This step is only necessary if the data exporter’s assessment reveals that the foreign jurisdiction’s legislation or practices do not meet the standards required under the PDPO.

Supplementary measures could be:

Technical measures: These might include techniques such as encryption, anonymisation or pseudonymisation, or split or multi-party processing.

Contractual measures: These might include additional contractual provisions that impose obligations on audit, inspection and reporting, breach notification, and compliance support and co-operation.

Organisational measures: These might impose obligations on the data importer in respect of its policies, methods and procedures. The policies of the data importer must be sufficiently robust and include training for staff and effective security measures. A critical policy will be the data retention policy to ensure that the data processor has committed to keeping the transferred personal data only for so long as necessary, and then will return and destroy the personal data.

The data exporter is ultimately responsible for assessing the effectiveness of the proposed supplementary measures.

The data exporter should re-evaluate, at appropriate intervals, the level of protection afforded to the personal data it has transferred to third countries, and monitor whether there are any developments in the third country that may affect its initial assessment.

Other principles

The Privacy Commissioner for Personal Data (“PCPD”) has also stressed other principles that data exporters should take into account when conducting a cross-border data transfer. These include:

  1. A data exporter should always begin with due diligence on the intended data importer. The data exporter must satisfy itself that the data importer has the capability, competence, credentials, reputation and resources to meet the obligations imposed on it.

  2. A data exporter should adhere to principles of data transparency as part of its general commitment to good data ethics. As a matter of good practice, data exporters should consider notifying data subjects of the fact that their personal data may be transferred outside Hong Kong and the underlying grounds.

  3. The data exporter should consider taking legal advice in respect of its contractual arrangements with data importers to confirm that the provisions will be enforceable in the location of the data importer.

  4. The data exporter should keep proper records of all personal data that has been transferred, and also all efforts it has taken to fulfil requirements for cross-border data transfers.

Conclusion

There are a multitude of considerations in data transfers. In these circumstances, planning and process will support prevention and can help to avoid the pain and penalty that will follow if issues arise from cross-border data transfers. Hong Kong does not have an adequacy regime or statutory restrictions on cross-border data transfers. However, it is not true to say there are no protections under Hong Kong law in respect of cross-border data transfers. Data users must have a lawful basis under Hong Kong law for data transfers. Businesses need to be mindful of the obligations that exist, as well as best practice and ethical standards in their governance of personal data.

Protecting personal data by contractual means

The personal data protection regime in Hong Kong does not contain a statutory restriction on the transfer of personal data outside Hong Kong. However, this does not mean that there are no protections in respect of cross-border personal data transfers. This section explains the use of contracts to protect personal data in cross-border data transfers from Hong Kong.

What are data users?

A data user is a person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of the personal data. Control is a key word here. Also, a person is not a data user if he does not hold, process or use personal data for any of his own purposes.

If a person is a data user, then this triggers a range of statutory obligations under the PDPO. These obligations include a primary role in protecting personal data in cross-border personal data transfers conducted by the data user, whether to another data user or to a data processor.

What are data processors?

Technically, a data processor is a person who processes personal data on behalf of another person (a data user, see note [1] below), instead of for his own purposes. A data processing arrangement is typically for specific purposes and in relation to specific services offered by the data processor to the data user. In Hong Kong, processing includes amending, augmenting, deleting or rearranging the data, whether by automated means or otherwise.

It always helps to make concepts concrete. Here are some common examples of data processors:

  • outsourced payroll service providers;

  • cloud service providers;

  • HR consultants;

  • marketing agencies;

  • CRM service providers;

  • outsourced call centres; and

  • third party document shredder / destruction providers.

The role of the data processor is important in society but arrangements with data processors can be difficult to navigate and regulate.

Regulation of data processors in Hong Kong

The Privacy Commissioner for Personal Data in Hong Kong (“PCPD”) does not directly regulate data processors. Instead, data users are required to ensure that their data processors meet certain requirements under Hong Kong data protection laws. Data users are required to adopt contractual or other means to:

  • prevent the data processor from keeping personal data for longer than is necessary (Data Protection Principle (“DPP”) 2); and

  • prevent unauthorised or accidental access, processing, erasure, loss or use of personal data (DPP 4).

There is also statutory recognition that a data user is responsible and liable for the acts of his agents, which includes data processors whether inside or outside Hong Kong (section 65, PDPO).

Regulation of data transfers

Disclosure and transfer are expressly included in the definition of “use” in the PDPO. This is important, as it links to the requirements imposed on data users that collect personal data. A data user must give notice to explicitly inform data subjects of the purpose (in general or specific terms) for which the personal data is to be used and the classes of persons to whom the data may be transferred (DPP 1(3)). This means that a data user should inform data subjects on or before collecting personal data that it intends to transfer the personal data to other data users or to use data processors to perform some of the purposes for which the personal data was collected. The data user must obtain the prescribed consent of data subjects before using personal data collected for a new purpose (DPP 3).

Contractual means

The most common means for a data user to protect personal data transferred in a cross-border data transfer is by written contract. This can be either a contract that covers data privacy and protection as part of the terms for the entire commercial arrangement or a contract that deals specifically with data privacy and protection. This is a good practice for a number of reasons. It demonstrates proper due diligence and compliance with the statutory obligations of the data user. It enables the data user to bring a claim against the data transferee (whether data user or data processor) for breach of contract relating to data privacy and protection obligations.

Recommended model contractual clauses

The Hong Kong Privacy Commissioner for Personal Data (“PCPD”) has published two sets of recommended model contractual clauses. These cater for two scenarios, being the transfer of personal data from one data user to another data user and the transfer of personal data from a data user to its data processor. The recommended model clauses address the transfer of personal data from a Hong Kong entity to another entity outside Hong Kong; or between two entities both of which are outside Hong Kong when the transfer is controlled by a Hong Kong data user. The focus is upon cross-border data transfers of personal data that must take into account the requirements of the PDPO and its DPPs. Specifically, the purpose is to ensure adequate protection is given to the personal data as provided under the PDPO as if the personal data concerned were not transferred outside Hong Kong.

The complete verbatim adoption of the recommended model clauses is not mandatory. The PCPD has recognised that data exporters are free to use alternative wording which in substance is consistent with the requirements of the PDPO. This is different to the approach adopted under GDPR in respect of standard contractual clauses for international data transfers. In fact, the PCPD has expressly stated that its recommended model clauses are not intended to satisfy the requirements of GDPR or to be considered as alternatives to the standard contractual clauses of the European Commission in respect of the GDPR.

Recommended model clauses – Data user to data user transfers

In a personal data transfer from one data user to another data user, the transferor and the transferee will both use the personal data for their separate business purposes. This may arise, for instance, in a data sharing collaboration for their respective business activities. The recommended model clauses do not particularly account for whether the data users in question are independent data users (that is, operating independently in respect of the personal data), or joint data users (that is, making joint decisions in respect of the personal data).

In summary, the recommended model clauses provide:

  1. The transferring data user gives a warranty that the personal data is transferred in accordance with the PDPO, provided that the receiving data user complies with its undertakings in respect of the transferred personal data.

  2. The receiving data user then gives a series of warranties and undertakings, including to:

    1. only use the transferred personal data for prescribed purposes of transfer agreed with the transferor and for which the personal data was collected by the transferor;

    2. ensure that the transferred personal data is adequate but not excessive for those prescribed purposes;

    3. follow prescribed security measures in respect of the transferred personal data;

    4. not retain the transferred personal data for longer than is necessary for the fulfilment of the prescribed purposes of transfer;

    5. erase the transferred personal data once it is no longer necessary for the fulfilment of the prescribed purposes of transfer;

    6. ensure the transferred personal data is accurate and that any inaccurate personal data is rectified or erased;

    7. ensure that data subjects can access its policies and practices in relation to the transferred personal data;

    8. not conduct any onward transfer of the transferred personal data unless it is expressly agreed with the transferring data user;

    9. ensure that each onward transfer recipient enters into an appropriate data sharing agreement or data processing agreement with similar data protection obligations; and

    10. not use or hold the transferred personal data or permit any onward transfer recipient to use or hold the transferred personal data in a place outside Hong Kong other than places that have been expressly agreed with the transferring data user.

  3. The data users respectively undertake to comply with their respective obligations in respect of data access and correction requests made by data subjects.

  4. If the prescribed purposes of transfer include direct marketing, then the receiving data user undertakes to cease using transferred personal data for direct marketing upon written notice from the transferring data user.

  5. There is also a data transfer schedule which allows the data users to set out particulars of:

    1. the transferred personal data;

    2. data transfer purposes;

    3. permitted jurisdictions;

    4. retention periods;

    5. permitted onward transfer recipients and related terms;

    6. security measures; and

    7. data subject access and correction requests.


Commentary

These recommended model clauses are coherent and well-prepared. Nonetheless, they are not mandatory, and the PCPD has acknowledged that account may be taken of commercial considerations (provided the substantive effect of the recommended model clauses is preserved). It is likely that legitimate commercial concerns will require the recommended model clauses to be amended.

The approach to data subject rights required by these recommended model clauses would require collaboration with and support from the transferring data user to ensure the receiving data user can fulfil obligations that require direct communication with data subjects.

On a practical commercial negotiation level, it can be difficult to retain express references to the PDPO in circumstances where the governing law of the overall commercial arrangements is not Hong Kong law. This issue would be more problematic in respect of agreements for onward data transfer. Normally, the drafting compromise is to reflect the substance of the obligations without direct reference to the governing statute.

It is also ironic that the recommended model clauses restrict transfer of personal data to permitted jurisdictions. On the one hand, this approach does reflect recommended best practice and supports the focus on ensuring adequate levels of protection for the transferred personal data. On the other hand, this arises under a legislative regime that does not expressly or directly restrict the cross-border transfer of personal data.

Recommended model clauses – Data user to data processor transfers

In a personal data transfer from a data user to its data processor, the data processor must use the transferred personal data only for processing purposes on behalf of the data user, instead of for its own purposes.

In summary, the recommended model clauses provide that the data processor undertakes to:

  1. only process the transferred personal data for prescribed purposes of transfer designated by the transferring data user;
     
  2. ensure that the transferred personal data is adequate but not excessive for those prescribed purposes;
     
  3. follow prescribed security measures in respect of the transferred personal data;
     
  4. not retain the transferred personal data for longer than is necessary for the processing required by the data user;
     
  5. erase the transferred personal data, once it is no longer necessary for the processing required by the data user, or if instructed to erase by the data user;
     
  6. ensure the transferred personal data is accurate and that any inaccurate personal data is rectified or erased;
     
  7. not transfer the transferred personal data to a sub-processor unless it is expressly agreed with the transferring data user;
     
  8. ensure that each sub-processor enters into a data processing agreement with similar data protection obligations; and
     
  9. not use or hold the transferred personal data, or permit any sub-processor to use or hold the transferred personal data, in a place outside Hong Kong other than places that have been expressly agreed with the transferring data user.
     

There is also a data transfer schedule which allows the data user and data processor to set out particulars of:

  1. the transferred personal data;
     
  2. data transfer purposes;
     
  3. permitted jurisdictions;
     
  4. retention periods;
     
  5. permitted sub-processors and related terms; and
     
  6. security measures.
     

Many of our comments in respect of the data user to data user recommended model clauses apply to these provisions. In particular, it is unusual – and perhaps misconceived – that the data processor is required to undertake that the transferred personal data is adequate but not excessive for the agreed processing purposes. This is a process that is ultimately controlled by the data user and is typically an obligation that the data user must perform.

The receiving data processor is frequently not in direct contact or communication with the data subject as it was not the party that collected the personal data. Consequently, the receiving data processor may not be in a position to review the continuing accuracy of the transferred personal data.

We could envisage that the data processor may provide information and guidance to the data user on the needs of the data processor for the data processing activities. However, this should not change the primary obligation of the data user.

Additional contractual measures

The PCPD has recognised that the recommended model clauses are not a complete solution for all cross-border data privacy and protection issues. Other contractual provisions may be needed. The recommended model clauses were prepared with a view to facilitating adoption of those provisions by medium-sized enterprises. Larger multi-national enterprises will have more complex needs and sophisticated requirements.

The PCPD provided these examples of other contractual provisions that may need to be considered:

  1. Reporting, audit and inspection rights;
     
  2. Data breach notification obligations; and
     
  3. Compliance support and co-operation.
     

The PCPD also advocates data sharing provisions in data user to data user transfers to clarify the respective roles and responsibilities of the data users and their respective co-operation and co-ordination obligations.

We would typically expect to see liability and indemnification obligations in respect of issues arising from data transfers, though these will be carefully negotiated in each instance.

Other data transfer scenarios

The recommended model clauses were published in May 2022. The model clauses dealt with the scenarios of data user to data user transfers and data user to data processor transfers. This was an improvement on the single data transfer scenario covered in the prior PCPD guidance of 2014.

In June 2021, the European Commission published its updated standard contractual clauses under GDPR. This accounted for four scenarios, namely personal data transfers from:

  1. controller to controller;
     
  2. controller to processor;
     
  3. processor to processor; and
     
  4. processor to controller.
     

We can perhaps look forward to revised recommended clauses in future from the PCPD to provide guidance on data processor to data processor and data processor to data user personal data transfers.

Conclusion

Data users have significant and onerous obligations in respect of cross-border data transfers from Hong Kong. There is extensive guidance on how to fulfil those obligations. That guidance has been prepared with a view to adoption by medium-sized enterprises with flexibility to adapt (without diminishing the substantive protection) to account for the overall commercial arrangements. The guidance contemplates that data users will ensure that there are contracts in place in respect of personal data sharing with other data users, and processing arrangements with data processors. These can be in separate agreements, schedules to the main commercial agreement or as contractual provisions within the main commercial agreement. The form ultimately does not matter; the substance and content does.

The curious case of cross-border data transfers in Hong Kong

The Personal Data (Privacy) Ordinance (the “PDPO”) was passed in 1995 and took effect from December 1996. One of its key provisions was a restriction on cross-border data transfers in section 33. More than 25 years later, section 33 is still not in operation.

The history of data privacy in Hong Kong

The PDPO is one of Asia’s longest standing comprehensive data protection laws. The local roots of the legislation are a Law Reform Commission Report published in 1994. The section on transborder data flow is still an interesting read today. The key conclusion was that regulation of transborder data flow is an important feature of comprehensive data protection legislation. The touchstone for the PDPO was the OECD Privacy Guidelines 1980. However, the main source that guided the Law Reform Commission was Directive 95/46/EC (the “Directive”) from the EU (then in draft form) on the protection of personal data. International data transfer was regulated in Chapter IV of the Directive [2].

Hong Kong was at the crest of the wave of modern data privacy laws in 1995 and regulation of cross-border data transfers was a key component of that.

What does section 33 provide?

Section 33 is intended to prohibit the transfer of personal data outside Hong Kong, unless certain conditions are fulfilled. This prohibition is intended to apply to the transfer of personal data from Hong Kong to a place outside Hong Kong, or to the transfer of personal data between two other jurisdictions where the transfer is controlled by a data user[3] in Hong Kong. The basic objective is to ensure that personal data is given a similar level of protection outside Hong Kong, as is provided under the PDPO.

The framework contemplated by section 33 is that the transfer of personal data outside Hong Kong is permitted under certain conditions. The more relevant conditions include:

  1. The personal data transfer will be to a place that the Privacy Commissioner for Personal Data (“PCPD”) has notified as having privacy laws substantially similar to, or serving the same purposes as, the PDPO. This is a white list exception that is similar to the adequacy regime under GDPR.
     
  2. The data user has reasonable grounds to believe that the personal data transfer will be to a place that has privacy laws substantially similar to, or serving the same purposes as, the PDPO.
     
  3. The data user has taken all reasonable precautions and exercised all due diligence to ensure that the personal data will not be held, processed or used in any manner which would breach the PDPO.
     
  4. The data subject has consented in writing to the transfer.
     
  5. The data user has reasonable grounds to believe the data transfer is needed to avoid or mitigate adverse action against the data subject, and it is not practicable to obtain the written consent of the data subject.
     
  6. The personal data in question is exempt from data protection principle (“DPP”) 3, which deals with use limitations on personal data.
     

This basic framework will be familiar to many in the international data protection community. This provision did not go as far as the Law Reform Commission had recommended, but it met the international standard of 1995.

The progress of the PCPD

The PCPD worked on providing guidance and responding to business concerns.

The intention of the PCPD was to bring section 33 into force as promptly as possible. In 1997, the PCPD stated that one reason for delaying the operation of section 33 was to prepare and issue the guidance on appropriate contractual terms, and accomplishing that task would facilitate the provision being brought into force.

In September 2012, the PCPD published its guidance on outsourcing to data processors.

In December 2013, a consultant commissioned by the PCPD completed a study report, which provided a methodology and criteria for deciding whether different jurisdictions have in force law which is substantially similar to, or serves the same purposes as, the PDPO. The consultant studied the relevant regulations of 50 jurisdictions, and considered that 35 of the jurisdictions could be included in the “white list”. Among them, only two were in Asia, one was in North America, one was in Oceania and the other 31 were in Europe.

On 29 December 2014, the PCPD published its guidance on cross-border data transfer, with recommended model clauses to include in contracts dealing with data transfer. This was a guide for voluntary compliance. The Hong Kong government commissioned a consultant to conduct a business impact assessment study, and the PCPD contributed its comment to that study.

In May 2017, the Constitutional and Mainland Affairs Bureau of the Hong Kong Government reported to the Legislative Council on all measures in respect of section 33 taken to that point.

In November 2018, the PCPD engaged a consultant to consider and propose resolutions to issues identified in the business impact assessment study. The consultant recommended that the PCPD should, amongst other things, revise the recommended model clauses in the guidance on cross-border data transfer to enhance the practicability and user-friendliness of the guidance and to enable data users to adopt the relevant clauses directly in data transfer agreements according to their business needs. The brief of the consultant extended to updating the guidance itself.

In January 2020 the Constitutional and Mainland Affairs Bureau of the Hong Kong Government reported to the Legislative Council on proposals to reform and update the PDPO, including six major proposals. No mention was made of the implementation of section 33.

On 12 May 2022, the PCPD published its updated guidance on recommended model contractual clauses, presumably adopting the consultant’s recommendations. The guidance acknowledges that section 33 is not in force, but recommends the adoption of the model contractual clauses on a voluntary basis, especially for small-medium sized enterprises.

Resistance to implementation

Implementation has run into headwinds. The proposal to implement section 33 raised concern from the business community in Hong Kong, particularly from small-medium sized enterprises. Business resistance to change is not unusual and lobbying from the business community is widespread in all parts of the world. However, this is more acute in Hong Kong, which is a jurisdiction made up of one city. The concerns of the business community in Hong Kong are always given substantial weight.

The main concerns revolved around the perceived adverse impact on business operations, difficulties in achieving compliance, and the cost of compliance. The fundamental business view, ultimately, was that in the extensive cross-border business activities of Hong Kong, there was no indication that cross-border data transfers had undermined personal data privacy. So, if it ain’t broke, don’t fix it.

A shift in emphasis?

Looking at the chain of communications from the PCPD, and indeed the Hong Kong government, there has been a movement from implementation of section 33 as a clear policy objective, to a certain indifference to whether it is implemented at all.

In 1997, in response to the question of when section 33 would be brought into force, the PCPD responded:

“There is no specific date yet, but the issue of the model contract will facilitate the provision being brought promptly into force” (emphasis added).

In 2014, upon publication of the guidance on cross-border data transfer, the PCPD stated:

“The situation of global data flows is markedly different today than in the 1990s when the Ordinance was enacted … Against this background, the issue of regulating cross-border data flows is becoming more acute than ever before. Countries worldwide are adopting a range of mechanisms to protect the personal data privacy of individuals in the context of cross-border data flows. It is high time for the Administration to have a renewed focus on the implementation of section 33 to ensure that the international status of Hong Kong as a financial centre and a data hub will be preserved.” (emphasis added)

The resistance to implementation from the business community came to the fore in 2017-18, and it took its toll.

In a statement in response to a media enquiry on data localisation in April 2020, the PCPD moderated its position on implementation of section 33:

“(T)he PCPD acknowledges that cross-jurisdiction data flow is the life-blood of our data driven economy.”

“The PCPD has also reviewed the latest global regulatory framework on cross-border/boundary data flow and communicated with the Government on the ways forward which best suit the local circumstances in Hong Kong …” (emphasis added).

“Over the years, the PCPD has not received any complaints from individuals or enterprises about the cross-border / boundary data transfer provisions not coming into operation”

In 2014, increased cross-border data flow was a reason for the Government to have a renewed focus on implementing section 33.

In 2020, increased cross-border data flow was seen as the life-blood of Hong Kong’s economy and facilitating that free flow of information was described as an irreplaceable attribute of Hong Kong’s success. Section 33 implementation was then omitted from the agenda of legislative reform of the PDPO.

Protections in Hong Kong for international data transfers

There are protections under Hong Kong law that also apply in the context of cross-border data transfers. These include:

  1. Disclosure and transfer are expressly included in the definition of “use”.
     
  2. A requirement to give notice to explicitly inform data subjects of the classes of persons to whom the data may be transferred (DPP 1(3)).
     
  3. A requirement to obtain the prescribed consent of data subjects for change of use of the personal data collected (DPP 3).
     
  4. A requirement to adopt contractual or other means to prevent personal data transferred to data processors, whether within or outside Hong Kong, from being kept longer than is necessary for processing of the data (DPP 2(3)).
     
  5. A requirement to adopt contractual or other means to prevent personal data transferred to data processors, whether within or outside Hong Kong, from unauthorised or accidental access, processing, erasure, loss or use of the data being transferred for processing (DPP 4(2)).
     
  6. Statutory recognition that a data user is responsible and liable for the acts of his agents, which includes data processors outside Hong Kong (section 65, PDPO).
     

The future

The future may bring change in respect of section 33. The instrument of change may be the rapid transformation of data privacy laws in mainland China. Mainland China is a separate legal jurisdiction to Hong Kong under the “one country, two systems” principle. The volume of data transfer between Hong Kong and mainland China will increase significantly with deeper integration of business and social life. This will increase the need for an efficient and reliable legal basis for data transfer.

The most efficient and reliable legal basis for data transfers between Hong Kong and mainland China would be an adequacy determination that the protection of personal data in both jurisdictions is of a broadly equivalent standard. However, unless section 33 is implemented, Hong Kong does not have a statutory basis on which it could make an adequacy determination. There are alternatives. For instance, the use of recommended model clauses may help, but their adoption will be neither uniform nor systematic. There are other governmental means by which this objective could be accomplished, particularly as Hong Kong and mainland China are one country. An adequacy regime would have broader application and provide more certainty. Ultimately, bringing section 33 into operation in Hong Kong would also be consistent with its status as an international standard bearer, and would facilitate similar adequacy determinations for other suitable jurisdictions.

Conclusion

It is true to say that there is no statutory restriction in the PDPO on the transfer of personal data outside Hong Kong. It also looks increasingly possible that section 33 may never come into operation in Hong Kong.

This position in Hong Kong may seem out of sync with international trends. The reasons are very specific to Hong Kong, which is why it is a curious and interesting story. Perhaps it is refreshing for a jurisdiction to take the view that an adequacy or equivalent regime is not the right way to go. It certainly offers Hong Kong the prospect of a competitive advantage for the time being. In the long term, the need for efficient and reliable means of transferring personal data with mainland China and internationally may drive change.

Finally, it is not true to say there are no protections under Hong Kong law in respect of cross-border data transfer. Businesses need to be mindful of the obligations that exist, as well as best practice and ethical standards in their governance of personal data.

Hong Kong personal data importers and transfer impact assessments

When a Hong Kong personal data importer receives personal data from a data exporter in another location, it is becoming increasingly common for the data exporter to carry out an assessment of the levels of protection available in Hong Kong for the personal data and the corresponding data subjects. The following sections examine the transfer impact assessment.

What is a transfer impact assessment?

A transfer impact assessment is a form of risk assessment undertaken by a data exporter to assess the data privacy and protection risk associated with transferring personal data to a different jurisdiction. Although it is a risk assessment undertaken by the data exporter, the data importer will frequently be required to contribute and legal advice may be needed in the jurisdiction to which the personal data is exported.

The transfer impact assessment comprises a systematic series of questions designed to define the personal data being exported, how it will be processed, and how local laws in the place of the data importer may impact personal data privacy and protection.

A transfer impact assessment shares common features with a privacy impact assessment, but has a narrower focus and a deeper analysis within that area of focus. A privacy impact assessment is a systematic risk assessment tool to evaluate a proposal in respect of its impact upon personal data privacy and protection, with the objective of avoiding or minimising adverse impacts. A privacy impact assessment is recommended best practice in respect of any new business initiative or project that may have a significant impact on personal data privacy and protection, regardless of whether the proposal will involve cross-border personal data transfer. A transfer impact assessment is a specific form of impact assessment used if personal data is intended to be exported to a different jurisdiction.

A transfer impact assessment is not mandatory under Hong Kong law. Nonetheless, it is a useful tool if a Hong Kong data user is considering exporting personal data to another jurisdiction. Also, there are a growing number of circumstances in which a Hong Kong business will need to be involved in a transfer impact assessment by virtue of the application of laws of other jurisdictions. This applies most frequently in the case of data exports from the European Economic Area[4] (“EEA”) to Hong Kong.

The origins of transfer impact assessments

The roots of transfer impact assessments are in the decision of the Court of Justice of the European Union (“CJEU”) in Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (the “Schrems II Judgement”). This case revolved around a claim by Mr Schrems that the law and practices in the United States did not offer sufficient protection against access by public authorities to his personal data transferred from the EEA to that country[5]. In the course of its judgement, the CJEU found that the essential guarantees under GDPR for personal data must continue to apply in respect of data transfers to non-EEA countries. This is to ensure that the level of protection guaranteed by GDPR is not undermined. This applied in respect of all cross-border personal data transfers, including transfers under safeguards such as standard contractual clauses for personal data protection.

Critically, the CJEU found that this requires an assessment of both:

  1. the contractual clauses agreed between the data exporter established in the EU and the recipient of the transfer established in the country concerned; and
     
  2. the relevant aspects of the legal system of the data importing country in respect of access by the public authorities of that country to the personal data transferred.
     

Since the Schrems II Judgement, authorities in the EU have taken a number of steps to clarify the obligations of data exporters transferring personal data outside the EEA. These include:

  1. Framework for cross-border data transfers: This six step framework is a recommended approach adopted by the European Data Protection Board (“EDPB”). These are in summary:
    1. Data exporters must conduct a mapping exercise to understand the key features of all cross-border personal data transfers. Data exporters must also verify that the transferred data is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
       
    2. Data exporters must clarify the particular lawful basis of transfer that it relies on. Under GDPR, this may be an adequacy ruling by the European Commission, or another mechanism such as standard contractual clauses, binding corporate rules, or certification.
       
    3. Critically in the context of this article, data exporters must assess if there is anything in the law or practices in force in the jurisdiction of the data importer that impinges on the effectiveness of the appropriate safeguards of the lawful basis of transfer in question. This is explained more below.
       
    4. The data exporter must identify and adopt supplementary measures necessary to bring the level of protection of the personal data transferred up to the EU standard of essential equivalence. If no supplementary measure is suitable, then the data exporter must avoid, suspend or terminate the transfer.
       
    5. The data exporter must take any formal procedural steps the supplementary measure may require.
       
    6. The data exporter must re-evaluate at appropriate intervals the level of protection afforded to the personal data to monitor for relevant developments.
       

     

  2. Statement of European Essential Guarantees: This statement adopted by the EDPB identifies four essential guarantees under EU law in respect of the fundamental right to privacy against surveillance measures, namely:
    1. Processing of personal data should be based on clear, precise and accessible rules.
       
    2. Necessity and proportionality must be demonstrated.
       
    3. An independent oversight mechanism should exist.
       
    4. Effective remedies must be available to the individual.
       

     

  3. Updated standard contractual clauses published by the European Commission. The standard contractual clauses are model contract clauses that are pre-approved by the European Commission. An updated set of these clauses was published by the European Commission to take account of the requirements of the Schrems II Judgement. The standard contractual clauses can be supplemented, but they must not be contradicted, by other provisions in contractual arrangements. Relevant clauses in the specific context of transfer impact assessments include:
    1. Local laws and practices (Clause 14); and
       
    2. Obligations of the data importer upon access by public authorities (Clause 15).
       

     

There is now an extensive set of laws and regulations that regulate cross-border personal data transfers from the EEA.

When is a transfer impact assessment needed?

In the context of GDPR, a transfer impact assessment is needed in each case for international personal data transfers. There is an express obligation to this effect in the standard contractual clauses.

Businesses in Hong Kong will need to consider a transfer impact assessment for GDPR purposes in two situations:

  1. Hong Kong data importers from EEA data exporters. Hong Kong data importers receiving personal data of EEA persons from data exporters in the EEA are likely to be required to agree to the new standard contractual clauses and to contribute to a transfer impact assessment. This is the most common scenario in our experience.
     
  2. Hong Kong data exporter subject to GDPR. GDPR could apply to a Hong Kong business if it is a data controller or data processor that processes the personal data of persons in the EEA and, in the course of those processing activities, it offers goods or services to data subjects in the EEA; or it monitors the behaviour of data subjects in the EEA (meaning tracking people on the internet).
     
    As GDPR applies to the Hong Kong business in this situation, then the requirements in respect of international personal data transfers under GDPR will also apply. This means the Hong Kong business will need to consider and apply the EDPB six step framework for transfer of personal data of EEA persons to destinations that are not subject to GDPR. In that context, the Hong Kong business will almost inevitably need to conduct transfer impact assessments.
     

What are the key areas of focus in a transfer impact assessment?

The transfer impact assessment will have a series of questions that focus foremost on the laws of the jurisdiction in which the data importer operates and on the practices of the public authorities there. Let’s assume, for present purposes, that the destination jurisdiction is Hong Kong.

The assessment is intended to perform a risk assessment and determine:

  1. whether there are laws in Hong Kong that, although they expressly meet EU standards, are nonetheless not applied or complied with in practice;
     
  2. whether there are practices incompatible with GDPR requirements which Hong Kong laws do not address; and
     
  3. whether transferred data may fall within the scope of problematic legislation that impinges upon the four essential data privacy guarantees of the EU.
     

These are the specific factors that the standard contractual clauses require to be considered:

  1. Specific circumstances:
    1. the length of the processing chain;
       
    2. the number of actors involved and the transmission channels used;
       
    3. intended onward transfers;
       
    4. the type of recipient;
       
    5. the purpose of processing;
       
    6. the categories and format of the transferred personal data;
       
    7. the economic sector in which the transfer occurs;
       
    8. the storage location of the data transferred.
       

     

  2. Laws and practices of the destination jurisdiction:
    1. laws requiring the disclosure of data to public authorities;
       
    2. laws authorising access to data by public authorities;
       
    3. applicable limitations and safeguards.
       

     

  3. Contractual, technical or organisational safeguards, including measures applied during transmission and to the processing of the personal data in the destination jurisdiction.
     

The transfer impact assessment must be conducted with due diligence and thoroughly documented. It may be a key process that is reviewed by the supervisory authority of the data exporter.

What are the common questions in a transfer impact assessment?

The questions in a transfer impact assessment in respect of the laws and practices of the destination jurisdiction will contain questions such as:

  1. Is there a robust privacy law and data protection framework? Does this framework also include and extend to government authorities?

  2. Is there an independent supervisory authority?

  3. Is data privacy recognised as a human or constitutional right?

  4. Are public authorities allowed access to personal data held by companies for surveillance or enforcement purposes? This will focus on a review of laws in relation to surveillance, intelligence, national security, criminal law enforcement and applicable regulatory supervision in the context of the specific personal data transfer.

  5. Are there laws and processes that reflect each of the four essential guarantees of data privacy under EU laws?

  6. Are there practices and policies in which published laws are not enforced or which are enforced in the absence of support from published laws?

  7. Is there any oversight mechanism before public authority access is permitted?

  8. Are there any legal remedies available to data subjects?

  9. Are there any other problematic laws or practices in the destination jurisdiction that may be relevant in respect of the data transfer?

Are there special concerns in respect of Hong Kong law that may be problematic?

We are quite regularly instructed by EEA data exporters (and sometimes Hong Kong data importers) to assist in the responses to queries in the transfer impact assessment focussed on assessing Hong Kong laws and practices. In general, our experience has been that few issues arise in respect of Hong Kong laws. There is a sophisticated set of laws relating to surveillance, national security and criminal enforcement and sector-specific regulatory supervision. Generally, these laws meet international standards in respect of due process and transparency. The analysis varies according to the specific nature of the personal data transfer and there are some specific points of Hong Kong law that are usually noted. However, Hong Kong would generally not be considered a problematic jurisdiction for personal data exports from the EEA.

What are the consequences of an adverse transfer impact assessment in respect of Hong Kong?

If there is an adverse outcome to a transfer impact assessment, then the data exporter must suspend the personal data transfer or implement adequate supplementary measures. In limited circumstances, the data exporter may be able to proceed without supplementary measures if it is able to demonstrate and document that it has no reason to believe that relevant and problematic legislation will be interpreted or applied in practice in respect of the transferred personal data and data importer.

Supplementary measures include:

  1. Technical measures:
     • Encryption
     • Anonymisation
     • Pseudonymisation
     • Split or multi-party processing

  2. Additional contractual measures:
     1. Contractual obligation to adopt specified technical measures
     2. Transparency obligations (reporting, audit, inspection, annual reviews, notifications)
     3. Granting rights directly to data subjects

  3. Organisational measures:
     1. Adoption of policies and procedures for the data transfer process (including training)
     2. Transparency policies
     3. Accountability policies (confidentiality and data access limitation)
     4. Data minimisation policies (data retention)

Under the standard contractual clauses, the data exporter is entitled to terminate the contract if:

  1. upon suspension of the personal data transfer, compliance is not restored within a reasonable time and in any event within one month of suspension;

  2. the data importer is in substantial or persistent breach of the standard contractual clauses; or

  3. the data importer fails to comply with a binding decision of a competent court or authority regarding its obligations under the standard contractual clauses.

Transferred personal data must be returned or deleted.

Other points

The origins of transfer impact assessments are under GDPR and data exporters from the EEA. However, the concept is spreading and will continue to spread to other systems of law.

A similar concept has appeared in respect of the Personal Information Protection Law of Mainland China (“PIPL”). The PIPL adopts a consent-plus approach to cross-border personal data transfers. The data subject must consent to the export of his or her personal data. In addition, the data exporter must fulfil one of the following:

  1. a security assessment by the Cyberspace Administration of China (“CAC”);

  2. a technical certification from a CAC-approved certification body; or

  3. standard contractual clauses adopted and entered into in respect of the personal data transfer.

A data protection impact assessment is needed for each of these options. The impact assessment must take account of the laws and regulations of the jurisdiction to which the personal data is being transferred and consider whether the level of data protection regulation there meets the corresponding standards under Chinese law. This is broadly similar to a transfer impact assessment, though perhaps with less of an overt emphasis on rights of access by public authorities.

As we have seen in other aspects of data privacy and protection laws, GDPR has initiated a trend for other systems of law to modernise and adopt similar principles. There will be an increasing need for transfer impact assessments in future.

Also, there is one additional important point for Hong Kong data importers that agree to standard contractual clauses proposed by EEA data exporters under GDPR. By agreeing to the standard contractual clauses, the data importer agrees to submit itself to the jurisdiction of, and to co-operate with, the competent supervisory authority of the data exporter in any procedures aimed at ensuring compliance with the standard contractual clauses. Hong Kong law will not apply in that regard, even if Hong Kong law may apply in respect of other aspects of the contractual arrangements.

Conclusion

We have focussed in this article on inward data transfers to Hong Kong and the obligations of data importers in Hong Kong. These primarily arise under standard contractual clauses for data processing agreements imposed by the data exporter and the transfer impact assessments that are increasingly required by those obligations. Presently, these requirements most commonly arise for Hong Kong data importers of EEA personal data from data exporters subject to GDPR. We expect the scope and prevalence of transfer impact assessments to increase in coming years. We have significant experience in helping EEA data exporters in their assessment of laws and practices in Hong Kong as a destination jurisdiction for EEA personal data. We also regularly help Hong Kong data importers to understand and navigate the often complex and onerous obligations that arise under the standard contractual clauses mandated by the EU Commission for GDPR purposes. We are keeping a watchful eye on data protection impact assessments under the PIPL in China that will require an assessment of Hong Kong laws.

