If your company operates in Hong Kong, it will be subject to data privacy regulation – and that includes rules on transferring personal information overseas. Padraig Walsh from the Tanner De Witt Data Privacy team explains how to comply with these regulations when transferring data between locations.
Padraig Walsh (PhD) is a Partner at Tanner De Witt in Hong Kong. His practice focuses on data protection and privacy, with an emphasis on the regulatory and transactional aspects of cross-border data transfers. His areas of expertise include cross-border data transfers and international transfer pricing.
As the volume of business and social interaction continues to grow globally, businesses must develop efficient and reliable ways to share personal information with clients, suppliers and other partners. This requires a thorough understanding of the rules and regulations around this type of cross-border data transfer to reduce business risk and promote efficient compliance.
The current statutory framework for personal data transfers in Hong Kong is the PDPO, which was introduced in 1996 and has been amended several times, most recently in 2012 and 2021. It imposes rights on individuals and specific obligations on data controllers, through six data protection principles.
One key principle is that a data user must have a lawful basis for any transfer of personal data. This is a requirement which must be taken into account in any discussion about cross-border data transfers, although the process of establishing this lawful basis can be complex and time-consuming.
In addition to establishing a lawful basis for the transfer, a data user must also provide a PICS and obtain the voluntary and express consent of the data subject before he can transfer personal data outside Hong Kong for use in a new purpose that is not set out in the PICS. This is a significant obligation, although it is less onerous than the process of obtaining the consent required under GDPR.
A further requirement of the PDPO is that a data user must record and keep all information in respect of a transfer of personal data, including the name of the data importer, the destination country, the purposes of the transfer and the lawful basis used. This is a substantial burden, although it does help to ensure that data transfers are undertaken fairly and with the requisite level of transparency.
Despite the perceived difficulties of implementing section 33, it appears that the Government is unlikely to change its position on this issue in the short term, particularly given the increasing volume of business activities between Hong Kong and mainland China under the “one country, two systems” principle. However, the need for efficient and reliable means of transferring personal data with mainland China and internationally may drive change in the future. If this happens, it could lead to an even tighter regulatory framework for data transfers in Hong Kong. Until then, it is advisable to continue to operate with the assumption that this provision will be implemented in the near future.