Personal Data Protection Ordinance in Hong Kong

Amid the growing global recognition of data as a valuable asset, there is an increased need to ensure that personal data is properly managed and secured. This is not only to protect the privacy of individuals, but also to facilitate business development and ensure a fair marketplace.

As a result, there has been a proliferation of laws and regulations designed to protect the use and transfer of personal data. These laws include the Hong Kong Personal Data Protection Ordinance (“PDPO”), the European Union General Data Protection Regulation (“GDPR”), and various other national or regional data protection legislation.

While the laws are diverse, they all have common features in terms of their broad-based application, rigorous enforcement and significant penalties for non-compliance. In addition, the laws are continuously being amended to reflect new technologies, changing social and business practices, and the latest international best practice.

For example, the GDPR was amended in 2021 to strengthen its enforcement powers, and the PDPO was updated to clarify its definition of “personal data” and add an additional exemption to the mandatory data transfer requirement. In addition, the PDPO was amended in 2012 and 2021 to address new uses of personal data, including for direct marketing and the act of disclosing personal information without consent (“doxxing”).

One key aspect is the mandatory requirement under the PDPO that data users must carry out a transfer impact assessment before transferring personal data abroad. This involves evaluating whether the level of data protection offered by the jurisdiction to which the data is being transferred is adequate. If not, the PDPO requires the data user to either suspend the transfer or implement adequate supplementary measures.

A transfer impact assessment is a complex exercise that takes into account many different factors, including the purpose of the transfer, how the data will be used in the recipient country, and the impact of the transfer on the rights of data subjects in Hong Kong. It is not uncommon for businesses to face challenges when implementing a transfer impact assessment.

There are some practical ways to help businesses meet these requirements. For example, the PCPD has published guidance on how to fulfill these obligations, with recommended model clauses for inclusion in contracts dealing with cross-border transfers. These can be incorporated as separate agreements or schedules to the main commercial arrangements, or they can be included in contractual provisions within the overall commercial arrangement. The form ultimately does not matter; it is the substance and content that matter.

Another useful tool is the GBA Standard Contract, which is designed to streamline compliance arrangements in respect of data flows between Mainland China and Hong Kong. It promotes the growth of Hong Kong as an innovation hub and enhances the integration of the Greater Bay Area as part of the national economy, while ensuring the protection of personal data. More importantly, it can lower the cost of complying with transfer arrangements and improve efficiency. This will benefit businesses of all sizes and sectors in the region.