Data transfers involve any transfer of personal data from a data user in Hong Kong to third parties outside Hong Kong, whether or not there is an agreement in place between parties involved. Transferring data may be problematic due to laxer privacy regulations in the destination jurisdiction and increased risks of processing or accidental loss of personal information; cultural or legal differences could make enforcement of data protection rights difficult as well.
To combat these challenges, the PCPD has devised in its guidelines a set of principles to assist data users when it comes to the transfer of personal data. These include informing data subjects before or upon collection their data of its purpose(s) for usage and the classes of persons to which it may be transferred (DPP 2(3)). Furthermore, data users may not permit third parties to process this personal data in ways which go against those purposes (DPP 2(4)).
Additionally, data importers must submit to and cooperate with any procedures undertaken by the competent supervisory authority of their data exporter to ensure compliance with standard contractual clauses (DPP 6(1)). Furthermore, according to these same provisions they must take reasonable measures to ensure any subprocessors they appoint comply with their security obligations (DPP 4(2)).
Finally, data importers must ensure that their contracts with their processors do not allow for the transfer of personal data outside Hong Kong without first receiving prior written consent of data subjects, unless this is essential to fulfilling contractual obligations or permitted under relevant legislation (DPP 5(2)).
Data protection in Hong Kong and elsewhere is of vital concern, with PCPD guidelines providing guidance for data users when transferring personal information across borders. While not comprehensive, these principles provide an essential first step toward safeguarding personal information. But there remain other obstacles we need to address if we want to ensure that personal data is secure in the future. In particular, we must gain a better understanding of issues facing jurisdictions other than Hong Kong with which it shares special relationships. As such, this will enable us to identify and resolve problems likely to surface in the near future. Furthermore, we must work with other countries on developing an accordant framework for data transfer consistent with GDPR. It will also assist us in developing international agreements on data transfer between jurisdictions that aren’t bound by GDPR, helping ensure a consistent approach to enforcement – ultimately our aim should be to protect all personal data wherever it lands.