How to Comply With Data Transfers Across International Borders

When a business transfers personal data across international borders, the transfer is subject to data privacy regulation in both locations. Padraig Walsh from the Tanner De Witt data privacy practice group guides you through what to consider and how to comply with data transfers.

First, a business must decide whether it is a data user. A data user has obligations under the PDPO, one of which is to give information to data subjects on or before collecting their personal data, including a description of the purpose and intended use.

Generally, the information must be clear and concise. In the case of data transfers, it must also include the classes of persons to whom personal data may be transferred. The data user must also provide them with the contact details of someone to whom they can request access to their personal data.

Another consideration is whether the transferring business has an obligation to conduct a transfer impact assessment in relation to the data. This involves assessing the level of protection afforded to personal data in the destination jurisdiction, and considering what supplementary measures might be necessary to bring that protection up to Hong Kong standards. Such measures could include technical measures such as encryption or pseudonymisation, or contractual provisions on audit and reporting, breach notification, compliance support and co-operation.

In addition, the importing business should also assess whether it is a data importer of personal data from the European Union, and, if so, agree to the standard contractual clauses or contribute to a transfer impact assessment. A business is a data importer of personal data if it offers goods or services to, or monitors the behaviour of, data subjects in the European Economic Area (EEA), or if it processes the personal data of EEA citizens as part of its activities.

The importing business should also identify and adopt any supplementary measures necessary to ensure that the level of protection afforded to the transferred data meets Hong Kong standards. This is particularly relevant if the transferring business’s assessment shows that the importing jurisdiction’s laws and practices do not reflect the four essential guarantees of data privacy under the PDPO.

Finally, it is worth remembering that there is a range of statutory obligations that apply to data users, and transferring personal data will trigger them. Resistance to section 33 from the business community has been significant, and it appears unlikely that it will be implemented any time soon. In the meantime, businesses should remain mindful of the obligations that already exist, as well as best practice and ethical standards in their governance of personal data. This will help to reduce the risk of regulatory investigation and enforcement action. It will also help them to minimise the costs and disruption associated with compliance.