
Cross-Border Transfer of Personal Data From Hong Kong to Other Jurisdictions

A key element of a data privacy compliance strategy is managing cross-border transfer risks. In this article, Padraig Walsh from Tanner De Witt explains the issues that need to be considered when moving personal data around the world.

There is a range of requirements that apply when transferring personal data from Hong Kong to other jurisdictions. Some are based on the PDPO’s six core data protection principles, others are specific to a particular type of processing activity (such as offering goods and services to data subjects in another jurisdiction or monitoring the behaviour of people in that jurisdiction). Some require specific contracts. Others, such as the obligation to carry out a data impact assessment, are based on a mandatory process.

The first step in understanding the rules is to determine whether the data in question falls within the scope of a PDPO data protection regime. This depends on the nature of the data and the intention of the person acquiring it. If the data is not personal data, then no PICS requirement arises and issues in respect of data transfer do not necessarily come into play.

PDPO definition of personal data

The PDPO defines ‘personal data’ as information relating to an identifiable person. This definition is broadly consistent with international norms and is similar to that used in other regulatory regimes – for example, the Personal Information Protection Law in mainland China or the General Data Protection Regulation in the EU.

PDPO rules on data user obligations

When collecting personal data, a PDPO data user must explicitly inform the data subject on or before collection of the purposes for which his personal data will be used and of the classes of persons to whom the personal data may be transferred. This requirement is a fundamental aspect of the PDPO and it is important to remember that transfer is a form of use.

PDPO rules on data processors

The PCPD publishes recommended model contractual clauses that are intended to be included in contracts covering transfers of personal data. These are designed to take into account the six core PDPO principles and a series of specific rules in relation to data processing activities, including the requirement not to keep personal data for longer than is necessary for the purpose of the processing and the requirement that the data processed by a processor is accurate, up-to-date and relevant.

Data exporter supplementary measures

If an adequacy assessment indicates that the legislation and practices of a foreign jurisdiction do not meet the standards required under the PDPO, a data exporter may be required to implement supplementary measures in respect of the personal data transferred. These might include technical measures such as encryption or pseudonymisation, or more detailed contractual provisions on audit and inspection, breach notification, and compliance support and cooperation.

As the rules in this area are complex and constantly evolving, it is important for businesses to have a clear understanding of what is required. This can help reduce business risk and ensure efficient compliance with these rules, particularly for those conducting international transactions.
