The PCPD has reviewed the latest global regulatory developments on cross-border data flow and will communicate with the Mainland Government on ways forward that best suit Hong Kong’s local circumstances.
Increased cross-border data flow was seen as the life-blood of the business community, and facilitating that free flow of information was viewed as irreplaceable to Hong Kong’s economic success. As a result, there was significant resistance to section 33 implementation, primarily over the perceived adverse impact on business operations and the difficulty of compliance with the requirements. The PCPD therefore shifted its focus from the implementation of section 33 as an important policy objective to a view that it was not necessary to implement such a requirement, given the limited impact on businesses and the fact that the business community was already implementing its own self-imposed requirements to protect personal data when engaging in a cross-border transfer.
If a data exporter has undertaken a transfer impact assessment and it is determined that the foreign jurisdiction’s laws or practices are not adequate, then the data exporter must either suspend the transfer or implement appropriate supplementary measures. Supplementary measures can include technical, behavioural or contractual measures. They can involve techniques such as encryption, anonymisation or pseudonymisation, or split or multi-party processing. They can also include contractual provisions such as audit, inspection and reporting obligations, breach notification, and compliance support and co-operation. The supplementary measures must bring the level of protection of the transferred personal data up to Hong Kong standards.
The supplementary measures must be documented and implemented, and the data exporter should be able to demonstrate that they will be effective in the particular jurisdiction. This includes the ability to demonstrate that any data exporter that agrees to standard contractual clauses from the EEA will comply with those clauses in practice. The data importer must also agree to submit itself to the jurisdiction of, and to co-operate with, the competent supervisory authority of the data exporter in respect of any procedures aimed at verifying compliance with those clauses.
Finally, the data exporter must review its Personal Information Collection Statement (PICS) to confirm that it has notified its data subjects of the potential transfer and of the underlying reasons. In addition, the data exporter must obtain the voluntary and express consent of each data subject for a change of purpose which would require the transfer of their personal data to the foreign jurisdiction. This requirement is markedly less onerous in Hong Kong than under GDPR.
It is worth noting that there has been some discussion in Hong Kong about moving to a definition of “personal data” that is more like the one used in the EU. Such a move would have consequences for the way in which companies use data and could mean additional compliance requirements, particularly for businesses that engage in activities such as remarketing or data analytics, or that process information that can be linked to a specific individual (such as online identifiers or factors related to a person’s physical, physiological, genetic, mental, economic, cultural or social identity). However, it is unlikely that such a change will occur in the immediate future.