Data Transfers: Protecting personal data by contractual means

4 November 2022

The personal data protection regime in Hong Kong does not contain a statutory restriction on the transfer of personal data outside Hong Kong. However, this does not mean that there are no protections in respect of cross-border personal data transfers. In this article, Pádraig Walsh from our Data Privacy practice explains the use of contracts to protect personal data in cross-border data transfers from Hong Kong.

What are data users?

A data user is a person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of the personal data. Control is a key word here. Also, a person is not a data user if he does not hold, process or use personal data for any of his own purposes.

A data user is the broadly equivalent term in the Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”) to “data controller” under GDPR and in other jurisdictions. However, the definition of data controller under GDPR expressly requires that the data controller determines the purposes and means of processing, which again is a technical difference.

If a person is a data user, then this triggers the obligations of the data user to fulfil a range of statutory obligations under the PDPO. These obligations include a primary role in protecting personal data in cross-border personal data transfers conducted by the data user, whether to another data user or to a data processor.

What are data processors?

Technically, a data processor is a person who processes personal data on behalf of another person (a data user[1]), instead of for his own purposes. A data processing arrangement is typically for specific purposes and in relation to specific services offered by the data processor to the data user. In Hong Kong, processing includes amending, augmenting, deleting or rearranging the data, whether by automated means or otherwise.

It always helps to make concepts concrete. Here are some common examples of data processors:

  • outsourced payroll service providers;
  • cloud service providers;
  • HR consultants;
  • marketing agencies;
  • CRM service providers;
  • outsourced call centres; and
  • third party document shredder / destruction providers.

The role of the data processor is important in society but arrangements with data processors can be difficult to navigate and regulate.

Regulation of data processors in Hong Kong

The Privacy Commissioner for Personal Data in Hong Kong (“PCPD”) does not directly regulate data processors. Instead, data users are required to ensure that their data processors meet certain requirements under Hong Kong data protection laws. Data users are required to adopt contractual or other means to:

  • prevent the data processor from keeping personal data for longer than is necessary (Data Protection Principle (“DPP”) 2); and
     
  • prevent unauthorised or accidental access, processing, erasure, loss or use of personal data (DPP 4).

There is also statutory recognition that a data user is responsible and liable for the acts of his agents, which includes data processors whether inside or outside Hong Kong (section 65, PDPO).

Regulation of data transfers

Disclosure and transfer are expressly included in the definition of “use” in the PDPO. This is important, as it links to the requirements placed on data users that collect personal data. A data user must give notice to explicitly inform data subjects of the purpose (in general or specific terms) for which the personal data is to be used and the classes of persons to whom the data may be transferred (DPP 1(3)). This means that a data user should inform data subjects, on or before collecting personal data, that it intends to transfer the personal data to other data users or to use data processors to perform some of the purposes for which the personal data was collected. The data user must obtain the prescribed consent of data subjects before using personal data collected for a new purpose (DPP 3).

Contractual means

The most common means for a data user to protect personal data transferred in a cross-border data transfer is by written contract. This can be either a contract that covers data privacy and protection as part of the terms for the entire commercial arrangement or a contract that deals specifically with data privacy and protection. This is a good practice for a number of reasons. It demonstrates proper due diligence and compliance with the statutory obligations of the data user. It enables the data user to bring a claim against the data transferee (whether data user or data processor) for breach of contract relating to data privacy and protection obligations.

Recommended model contractual clauses

The Hong Kong Privacy Commissioner for Personal Data (“PCPD”) has published two sets of recommended model contractual clauses. These cater for two scenarios, being the transfer of personal data from one data user to another data user and the transfer of personal data from a data user to its data processor. The recommended model clauses address the transfer of personal data from a Hong Kong entity to another entity outside Hong Kong; or between two entities both of which are outside Hong Kong when the transfer is controlled by a Hong Kong data user. The focus is upon cross-border data transfers of personal data that must take into account the requirements of the PDPO and its DPPs. Specifically, the purpose is to ensure adequate protection is given to the personal data as provided under the PDPO as if the personal data concerned were not transferred outside Hong Kong.

The complete verbatim adoption of the recommended model clauses is not mandatory. The PCPD has recognised that data exporters are free to use alternative wording which in substance is consistent with the requirements of the PDPO. This is different to the approach adopted under GDPR in respect of standard contractual clauses for international data transfers. In fact, the PCPD has expressly stated that its recommended model clauses are not intended to satisfy the requirements of GDPR or to be considered as alternatives to the standard contractual clauses of the European Commission in respect of the GDPR.

Recommended model clauses – Data user to data user transfers

In a personal data transfer from one data user to another data user, the transferor and the transferee will both use the personal data for their separate business purposes. This may arise, for instance, in a data sharing collaboration for their respective business activities. The recommended model clauses do not particularly account for whether the data users in question are independent data users (that is, operating independently in respect of the personal data), or joint data users (that is, making joint decisions in respect of the personal data).

In summary, the recommended model clauses provide:

  1. The transferring data user gives a warranty that the personal data is transferred in accordance with the PDPO, provided that the receiving data user complies with its undertakings in respect of the transferred personal data.
     
  2. The receiving data user then gives a series of warranties and undertakings, including to:
     
    1. only use the transferred personal data for prescribed purposes of transfer agreed with the transferor and for which the personal data was collected by the transferor;
       
    2. ensure that the transferred personal data is adequate but not excessive for those prescribed purposes;
       
    3. follow prescribed security measures in respect of the transferred personal data;
       
    4. not retain the transferred personal data for longer than is necessary for the fulfilment of the prescribed purposes of transfer;
       
    5. erase the transferred personal data once it is no longer necessary for the fulfilment of the prescribed purposes of transfer;
       
    6. ensure the transferred personal data is accurate and that any inaccurate personal data is rectified or erased;
       
    7. ensure that data subjects can access its policies and practices in relation to the transferred personal data;
       
    8. not conduct any onward transfer of the transferred personal data unless it is expressly agreed with the transferring data user;
       
    9. ensure that each onward transfer recipient enters into an appropriate data sharing agreement or data processing agreement with similar data protection obligations; and
       
    10. not use or hold the transferred personal data or permit any onward transfer recipient to use or hold the transferred personal data in a place outside Hong Kong other than places that have been expressly agreed with the transferring data user.
       
  3. The data users respectively undertake to comply with their respective obligations in respect of data access and correction requests made by data subjects.
     
  4. If the prescribed purposes of transfer include direct marketing, then the receiving data user undertakes to cease using transferred personal data for direct marketing upon written notice from the transferring data user.
     
  5. There is also a data transfer schedule which allows the data users to set out particulars of:
     
    1. the transferred personal data;
       
    2. data transfer purposes;
       
    3. permitted jurisdictions;
       
    4. retention periods;
       
    5. permitted onward transfer recipients and related terms;
       
    6. security measures; and
       
    7. data subject access and correction requests.

Commentary

These recommended model clauses are coherent and well-prepared. Nonetheless, they are not mandatory, and the PCPD has acknowledged that account may be taken of commercial considerations (provided the substantive effect of the recommended model clauses is preserved). It is likely that legitimate commercial concerns will require the recommended model clauses to be amended in practice.

The approach to data subject rights required by these recommended model clauses would require collaboration with and support from the transferring data user to ensure the receiving data user can fulfil obligations that require direct communication with data subjects.

On a practical commercial negotiation level, it can be difficult to retain express references to the PDPO in circumstances where the governing law of the overall commercial arrangements is not Hong Kong law. This issue would be more problematic in respect of agreements for onward data transfer. Normally, the drafting compromise is to reflect the substance of the obligations without direct reference to the governing statute.

It is also ironic that the recommended model clauses restrict transfer of personal data to permitted jurisdictions. On the one hand, this approach does reflect recommended best practice and supports the focus on ensuring adequate levels of protection for the transferred personal data. On the other hand, this arises under a legislative regime that does not expressly or directly restrict the cross-border transfer of personal data.

Recommended model clauses – Data user to data processor transfers

In a personal data transfer from a data user to its data processor, the data processor must use the transferred personal data only for processing purposes on behalf of the data user, instead of for its own purposes.

In summary, the recommended model clauses provide that the data processor undertakes to:

  1. only process the transferred personal data for prescribed purposes of transfer designated by the transferring data user;
     
  2. ensure that the transferred personal data is adequate but not excessive for those prescribed purposes;
     
  3. follow prescribed security measures in respect of the transferred personal data;
     
  4. not retain the transferred personal data for longer than is necessary for the processing required by the data user;
     
  5. erase the transferred personal data, once it is no longer necessary for the processing required by the data user, or if instructed to erase by the data user;
     
  6. ensure the transferred personal data is accurate and that any inaccurate personal data is rectified or erased;
     
  7. not transfer the transferred personal data to a sub-processor unless it is expressly agreed with the transferring data user;
     
  8. ensure that each sub-processor enters into a data processing agreement with similar data protection obligations; and
     
  9. not use or hold the transferred personal data, or permit any sub-processor to use or hold the transferred personal data, in a place outside Hong Kong other than places that have been expressly agreed with the transferring data user.

There is also a data transfer schedule which allows the data user and data processor to set out particulars of:

  1. the transferred personal data;
     
  2. data transfer purposes;
     
  3. permitted jurisdictions;
     
  4. retention periods;
     
  5. permitted sub-processors and related terms; and
     
  6. security measures.

Many of our comments in respect of the data user to data user recommended model clauses apply to these provisions. In particular, it is unusual – and perhaps misconceived – that the data processor is required to undertake that the transferred personal data is adequate but not excessive for the agreed processing purposes. This is a process that is ultimately controlled by the data user and is typically an obligation that the data user must perform.

The receiving data processor is frequently not in direct contact or communication with the data subject as it was not the party that collected the personal data. Consequently, the receiving data processor may not be in a position to review the continuing accuracy of the transferred personal data.

We could envisage that the data processor may provide information and guidance to the data user on the needs of the data processor for the data processing activities. However, this should not change the primary obligation of the data user.

Additional contractual measures

The PCPD has recognised that the recommended model clauses are not a complete solution for all cross-border data privacy and protection issues. Other contractual provisions may be needed. The recommended model clauses were prepared with a view to facilitating adoption of those provisions by medium-sized enterprises. Larger multi-national enterprises will have more complex needs and sophisticated requirements.

The PCPD provided these examples of other contractual provisions that may need to be considered:

  1. Reporting, audit and inspection rights;
     
  2. Data breach notification obligations; and
     
  3. Compliance support and co-operation.

The PCPD also advocates data sharing provisions in data user to data user transfers to clarify the respective roles and responsibilities of the data users and their respective co-operation and co-ordination obligations.

We would typically expect to see liability and indemnification obligations in respect of issues arising from data transfers, though these will be carefully negotiated in each instance.

Other data transfer scenarios

The recommended model clauses were published in May 2022. The model clauses dealt with the scenarios of data user to data user transfers and data user to data processor transfers. This was an improvement on the single data transfer scenario addressed in the PCPD's prior guidance of 2014.

In June 2021, the European Commission published its updated standard contractual clauses under GDPR. This accounted for four scenarios, namely personal data transfers from:

  1. controller to controller;
     
  2. controller to processor;
     
  3. processor to processor; and
     
  4. processor to controller.

We can perhaps look forward to revised recommended clauses in future from the PCPD to provide guidance on data processor to data processor and data processor to data user personal data transfers.

Conclusion

Data users have significant and onerous obligations in respect of cross-border data transfers from Hong Kong. There is extensive guidance on how to fulfil those obligations. That guidance has been prepared with a view to adoption by medium-sized enterprises, with flexibility to adapt (without diminishing the substantive protection) to account for the overall commercial arrangements. The guidance contemplates that data users will ensure that there are contracts in place in respect of personal data sharing with other data users, and processing arrangements with data processors. These can be in separate agreements, schedules to the main commercial agreement or contractual provisions within the main commercial agreement. The form ultimately does not matter; the substance and content do. We at Tanner De Witt can help you.

Pádraig Walsh

If you would like to discuss any of the matters raised in this article, please contact:

Pádraig Walsh
Partner

Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.


[1] A data user under Hong Kong law is similar to a data controller under GDPR