Data Transfers: Hong Kong personal data importers and transfer impact assessments

When a Hong Kong personal data importer receives personal data from a data exporter in another location, it is becoming increasingly common for the data exporter to carry out an assessment of the levels of protection in Hong Kong available for the personal data and corresponding data subjects. Pádraig Walsh from our Data Privacy practice explains more about transfer impact assessments in this article.

What is a transfer impact assessment?

A transfer impact assessment is a form of risk assessment undertaken by a data exporter to assess the data privacy and protection risk associated with transferring personal data to a different jurisdiction. Although it is a risk assessment undertaken by the data exporter, the data importer will frequently be required to contribute and legal advice may be needed in the jurisdiction to which the personal data is exported.

The transfer impact assessment comprises a systematic series of questions designed to define the personal data being exported, how it will be processed, and how local laws in the place of the data importer may impact personal data privacy and protection.

A transfer impact assessment shares common features with a privacy impact assessment, but has a narrower focus and a deeper analysis within that area of focus. A privacy impact assessment is a systematic risk assessment tool to evaluate a proposal in respect of its impact upon personal data privacy and protection with the objective of avoiding or minimising adverse impacts. A privacy impact assessment is recommended best practice in respect of any new business initiative or project that may have a significant impact of personal data privacy and protection, regardless of whether the proposal will involve cross-border personal data transfer. A transfer impact assessment is a specific form of impact assessment used if personal data is intended to be exported to a different jurisdiction.

A transfer impact assessment is not mandatory under Hong Kong law. Nonetheless, it is a useful tool if a Hong Kong data user is considering exporting personal data to another jurisdiction. Also, there are a growing number of circumstances in which a Hong Kong business will need to be involved in a transfer impact assessment by virtue of the application of laws of other jurisdictions. This applies most frequently in the case of data exports from the European Economic Area[1] (“EEA”) to Hong Kong.

The origins of transfer impact assessments

The roots of transfer impact assessments are from the decision of the Court of Justice of the European Union (“CJEU”) in Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (the “Schrems II Judgement”). This case revolved around a claim by Mr Schrems that the law and practices in the United States did not offer sufficient protection against access by public authorities to his personal data transferred from the EEA to that country[2]. In the course of its judgement, the CJEU found that the essential guarantees under GDPR for personal data must continue to apply in respect of data transfers to non-EEA countries. This is to ensure that the level of protection guaranteed by GDPR is not undermined. This applied in respect of all cross-border personal data transfers, including transfers under safeguards such as standard contractual clauses for personal data protection.

Critically, the CJEU found that this requires an assessment of both:

1. the contractual clauses agreed between the data exporter established in the EU and the recipient of the transfer established in the country concerned; and
    
2. the relevant aspects of the legal system of the data importing country in respect of access by the public authorities of that country to the personal data transferred.

Since the Schrems II Judgement, authorities in the EU have taken a number of steps to clarify the obligations of data exporters transferring personal data outside the EEA. These include:

1. Framework for cross-border data transfers: This six step framework is a recommended approach adopted by the European Data Protection Board (“EDPB”). These are in summary:
    
   1. Data exporters must conduct a mapping exercise to understand the key features of all cross-border personal data transfers. Data exporters must also verify that the transferred data is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
       
   2. Data exporters must clarify the particular lawful basis of transfer that it relies on. Under GDPR, this may be an adequacy ruling by the European Commission, or another mechanism such as standard contractual clauses, binding corporate rules, or certification.
       
   3. Critically in the context of this article, data exporters must assess if there is anything in the law or practices in force in the jurisdiction of the data importer that impinges on the effectiveness of the appropriate safeguards of the lawful basis of transfer in question. This is explained more below.
       
   4. The data exporter must identify and adopt supplementary measures necessary to bring the level of protection of the personal data transferred up to the EU standard of essential equivalence. If no supplementary measure is suitable, then the data exporter must avoid, suspend or terminate the transfer.
       
   5. The data exporter must take any formal procedural steps the supplementary measure may require.
       
   6. The data exporter must re-evaluate at appropriate intervals the level of protection afforded to the personal data to monitor for relevant developments.
       
2. Statement of European Essential Guarantees: This statement adopted by the EDPB identifies four essential guarantees under EU laws in respect of fundamental rights to privacy from surveillance measures, being namely:
    
   1. Processing of personal data should be based on clear, precise and accessible rules.
       
   2. Necessity and proportionality must be demonstrated.
       
   3. An independent oversight mechanism should exist.
       
   4. Effective remedies must be available to the individual.
       
3. Updated standard contractual clauses published by the European Commission. The standard contractual clauses are model contract clauses that are pre-approved by the European Commission. An updated set of these clauses was published by the European Commission to take account of the requirements of the Schrems II Judgement. The standard contractual clauses can be supplemented, but they must not be contradicted, by other provisions in contractual arrangements. Relevant clauses in the specific context of transfer impact assessments include:
    
   1. Local laws and practices (Clause 14); and
       
   2. Obligations of the data importer upon access by public authorities (Clause 15)
       

   There is now an extensive set of laws and regulations that regulate cross-border personal data transfers from the EEA.

   When is a transfer impact assessment needed?

   In the context of GDPR, a transfer impact assessment is needed in each case for international personal data transfers. There is an express obligation to this effect in the standard contractual clauses.

   Businesses in Hong Kong will need to consider a transfer impact assessment for GDPR purposes in two situations:

   1. Hong Kong data importers from EEA data exporters. Hong Kong data importers are also likely to be required to agree to the new standard contractual clauses and to contribute to a transfer impact assessment in circumstances where it is a data importer of personal data of EEA persons from data exporters in the EEA. This is the most common scenario in our experience.
       
   2. Hong Kong data exporter subject to GDPR. GDPR could apply to a Hong Kong business if it is a data controller or data processor that processes the personal data of persons in the EEA and, in the course of those processing activities, it offers goods or services to data subjects in the EEA; or it monitors the behaviour of data subjects in the EEA (meaning tracking people on the internet).
       
      As GDPR applies to the Hong Kong business in this situation, then the requirements in respect of international personal data transfers under GDPR will also apply. This means the Hong Kong business will need to consider and apply the EDPB six step framework for transfer of personal data of EEA persons to destinations that are not subject to GDPR. In that context, the Hong Kong business will almost inevitably need to conduct transfer impact assessments.
       

   What are the key areas of focus in a transfer impact assessment?

   The transfer impact assessment will have a series of questions that focus foremost on the laws of the jurisdiction in which the data importer operates and on the practices that public authorities there. Let’s assume, for present purposes, that the destination jurisdiction is Hong Kong.

   The assessment is intended to perform a risk assessment and determine:

   1. whether there are laws in Hong Kong that, although they expressly meet EU standards, nonetheless are not applied or complied with in practice
       
   2. whether there are practices incompatible with GDPR requirements which Hong Kong laws do not address; and
       
   3. whether transferred data may fall within the scope of problematic legislation that impinge upon the four essential data privacy guarantees of the EU.
       

   These are the specific factors that the standard contractual clauses require to be considered:

   1. Specific circumstances:
       
      1. the length of the processing chain;
          
      2. the number of actors involved and the transmission channels used;
          
      3. intended onward transfers;
          
      4. the type of recipient;
          
      5. the purpose of processing;
          
      6. the categories and format of the transferred personal data;
          
      7. the economic sector in which the transfer occurs;
          
      8. the storage location of the data transferred.
          
   2. Laws and practices of the destination jurisdiction:
      1. laws requiring the disclosure of data to public authorities;
          
      2. laws authorising access to data by public authorities;
          
      3. applicable limitations and safeguards.
          
   3. Contractual, technical or organisational safeguards, including measures applied during transmission and to the processing of the personal data in the destination jurisdiction.
       

   The transfer impact assessment must be conducted with due diligence and thoroughly documented. It may be a key process that is reviewed by the supervisory authority of the data exporter.

   What are the common questions in a transfer impact assessment?

   The questions in a transfer impact assessment in respect of the laws and practices of the destination jurisdiction will contain questions such as:

   • Is there a robust privacy law and data protection framework? Does this framework also include and extend to government authorities?
      
   • Is there an independent supervisory authority?
      
   • Is data privacy recognised as a human or constitutional right?
      
   • Are public authorities allowed access to personal data held by companies for surveillance or enforcement purposes? This will focus on a review of laws in relation to surveillance, intelligence, national security, criminal law enforcement and applicable regulatory supervision in the context of the specific personal data transfer.
      
   • Are there laws and processes that reflect each of the four essential guarantees of data privacy under EU laws?
      
   • Are there practices and policies in which published laws are not enforced or which are enforced in the absence of support from published laws?
      
   • Is there any oversight mechanism before public authority access is permitted?
      
   • Are there any legal remedies available to data subjects?
      
   • Are there any other problematic laws or practices in the destination jurisdiction that may be relevant in respect of the data transfer?

   Are there special concerns in respect of Hong Kong law that may be problematic?

   We are quite regularly instructed by EEA data exporters (and sometimes Hong Kong data importers) to assist in the responses to queries in the transfer impact assessment focussed on assessing Hong Kong laws and practices. In general, our experience has been that few issues arise in respect of Hong Kong laws. There is a sophisticated set of laws relating to surveillance, national security and criminal enforcement and sector-specific regulatory supervision. Generally, these laws meet international standards in respect of due process and transparency. The analysis varies according to the specific nature of the personal data transfer and there are some specific points of Hong Kong law that are usually noted. However, Hong Kong would generally not be considered a problematic jurisdiction for personal data exports from the EEA.

   What are the consequences of an adverse transfer impact assessment in respect of Hong Kong?

   If there is an adverse outcome to a transfer impact assessment, then the data exporter must suspend the personal data transfer or implement adequate supplementary measures. In limited circumstances, the data exporter may be able to proceed without supplementary measures if it is able to demonstrate and document that it has no reason to believe that relevant and problematic legislation will be interpreted or applied in practice in respect of the transferred personal data and data importer.

   Supplementary measures include:

   1. Technical measures:
       
      1. Encryption
          
      2. Anonymisation
          
      3. Pseudonymisation
          
      4. Split or multi-party processing
          
   2. Additional contractual measures:
       
      1. Contractual obligation to adopt specified technical measures
          
      2. Transparency obligations (reporting, audit, inspection, annual reviews, notifications)
          
      3. Granting rights directly to data subjects
          
   3. Organisational measures:
       
      1. Adoption of policies and procedures for data transfer process (including training)
          
      2. Transparency policies
          
      3. Accountability policies (confidentiality and data access limitation)
          
      4. Data minimisation policies (data retention)
          

   Under the standard contractual clauses, the data exporter is entitled to terminate the contract if:

   1. upon suspension of the personal data transfer, compliance is not restored within a reasonable time and in any event within one month of suspension;
       
   2. the data importer is in substantial or persistent breach of the standard contractual clauses; or
       
   3. The data importer fails to comply with a binding decision of a competent court or authority regarding its obligations under the standard contractual clauses.
       

   Transferred personal data must be returned or deleted.

   Other points

   The origins of transfer impact assessments are under GDPR and data exporters from the EEA. However, the concept is spreading and will continue to spread to other systems of law.

   A similar concept has appeared in respect of the Personal Information Protection Law of Mainland China (“PIPL”). The PIPL adopts a consent plus approach to cross-border personal data transfers. The data subject must consent to the export of his personal data. In addition, the data exporter must fulfil one of:

   1. a security assessment by the Cyberspace Administration of China (“CAC”);
       
   2. a technical certification from a CAC-approved certification body; or
       
   3. adopt and enter into standard contractual clauses in respect of the personal data transfer.
       

   A data protection impact assessment is needed for each of these options. The impact assessment must take account of the laws and regulations of the jurisdiction to which the personal data is being transferred and consider whether the level of data protection regulation there meets the corresponding standards under Chinese law. This is broadly similar to a transfer impact assessment, though perhaps with less of an overt emphasis on rights of access by public authorities.

   As we have seen in other aspects of data privacy and protection laws, GDPR has initiated a trend for other systems of law to modernise and adopt similar principles. There will be an increasing need for transfer impact assessments in future.

   Also, there is one additional important point for Hong Kong data importers that agree to standard contractual clauses proposed by EEA data exporters under GDPR. By agreeing to the standard contractual clauses, the data importer agrees to submit itself to the jurisdiction of, and to co-operate with, the competent supervisory authority of the data exporter in any procedures aimed at ensuring compliance with the standard contractual clauses. Hong Kong law will not apply in that regard, even if Hong Kong law may apply in respect of other aspects of the contractual arrangements.

   Conclusion

   We have focussed in this article on inward data transfers to Hong Kong and the obligations of data importers in Hong Kong. These primarily arise under standard contractual clauses for data processing agreements imposed by the data exporter and the transfer impact assessments that are increasingly required by those obligations. Presently, these requirements most commonly arise for Hong Kong data importers of EEA personal data from data exporters subject to GDPR. We expect the scope and prevalence of transfer impact assessments to increase in coming years. We have significant experience in helping EEA data exporters in their assessment of laws and practices in Hong Kong as a destination jurisdiction for EEA personal data. We also regularly help Hong Kong data importers to understand and navigate the often complex and onerous obligations that arise under the standard contractual clauses mandated by the EU Commission for GDPR purposes. We are keeping a watchful eye on data protection impact assessments under the PIPL in China that will require an assessment of Hong Kong laws too. We at Tanner De Witt are ready to help you.

   Pádraig Walsh

   If you would like to discuss any of the matters raised in this article, please contact:

   Pádraig Walsh
   Partner | E-mail

   Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.

   ---

   [1] The European Economic Area comprises all EU members, plus Iceland, Norway and Liechtenstein.

   [2] You can read our analysis of this decision on this link

   Padraig Walsh, Data Privacy, Latest News, News & Media, Legal Updates, TDW Tech Talk, Cybersecurity