When transferring personal data out of Hong Kong to another jurisdiction, businesses may be required by law to perform a transfer impact assessment (TIA). Furthermore, the PCPD has provided model contractual clauses which must be agreed to by Hong Kong data users in certain instances.
These provisions aim to establish the legal grounds and safeguards for data transfer arrangements, and to ensure that adequate safeguards are in place during the transfer. They can be included as contractual clauses within businesses' commercial agreements, or as schedules to the main agreements themselves; ultimately, what matters is that these contractual provisions reflect best practice and ethical standards relating to data transfer arrangements.
Data protection law covers any business that collects, stores or processes personal data – this includes activities like sales and marketing campaigns, IT system development/maintenance services and personnel administration as well as outsourcing or cloud computing services provided on behalf of another organization.
Under the PDPO, a “data user” is defined as any person or group who controls the collection, holding, processing or use of personal data – whether individually or jointly and collectively – for whatever purpose. So even though an audience photo at a concert could potentially identify individuals within it, its collection does not count as an act of data collection under the PDPO, as its purpose is not the identification of specific people; similarly for CCTV recordings, records of car park users entering/exiting and minutes from meetings that do not identify individual participants as data users or collect.
Due to this definition, the PDPO does not contain a statutory restriction on the transfer of personal data outside Hong Kong, unlike similar legislation such as China’s Personal Information Protection Law or the European Economic Area’s GDPR, which do.
However, this does not indicate that Hong Kong is free of potential issues regarding data export. Hong Kong businesses increasingly need to comply with TDIAs of other jurisdictions and incorporate standard contractual clauses from these TDIAs into their commercial agreements, so doing this is becoming a daily occurrence. Particularly relevant is transferring data to mainland China, which has its own independent laws on data privacy.
TDIAs and model contractual clauses aim to make Hong Kong businesses more cost-competitive in an international economy by guaranteeing that data transfers are carried out legally, without uncertainty or compliance issues. Businesses will find this approach invaluable in building trust with consumers and strengthening their standing as business partners. Furthermore, this will encourage further investment in Hong Kong’s telecom sector, which has experienced weakening demand recently; that investment is essential if Hong Kong wishes to retain its regional status as a hub for data processing and exchange.