TD SYNNEX – Cross-Border Data Transfers and Enforcement

TD SYNNEX (Hong Kong) Limited is an international IT distribution and solutions aggregator, connecting compelling IT products, services and solutions from more than 1,500 leading technology vendors worldwide. Their 23,500 co-workers are committed to helping customers around the world maximize the value of their technology investments, demonstrate business outcomes and discover growth opportunities.

While most of the core requirements under Hong Kong data privacy law relate to data processing within Hong Kong, there are also significant provisions and obligations that are triggered when businesses transfer personal information across borders. In this article, Padraig Walsh of the Data Privacy practice group at Tanner De Witt takes a look at key points to consider with respect to cross-border data transfers and their enforcement.

Firstly, the jurisdictional scope of data hk

Many jurisdictions have laws that include some element of extra-territorial application. However, Hong Kong’s PDPO does not contain any express provisions conferring extra-territorial application. It applies to any organisation that controls all or part of its data processing cycle in, or from, Hong Kong. It is therefore necessary to consider the definition of “personal data” (DPP 1(a)) to determine whether a particular undertaking falls within its scope.

The requirement for a data user to disclose the purpose and collection of personal information to data subjects (DPP 2(b)) includes an obligation to inform data subjects that their personal data may be transferred abroad, the classes of persons to whom it will be transferred and the underlying grounds. These obligations are generally fulfilled by including the required details in a Personal Information Collection Statement. However, it is good practice for a data user to also notify data subjects of these transfer arrangements by any other means that is appropriate in the circumstances.

Another common obligation is to undertake a transfer impact assessment (“TIA”) before transferring personal data abroad. This is an obligation that a data exporter has in most cases where the processing of personal data involves a consideration of whether the level of protection afforded to the data and corresponding data subjects by the destination jurisdiction is adequate (DPP 6(b)).

It should be noted that even though a TIA is not mandatory under Hong Kong law, it is a requirement for EEA data exporters who wish to transfer personal data to a business located in a territory outside of the EEA. Similarly, it is becoming increasingly common for Hong Kong data importers to be required to engage in TIA procedures where the importing business is an EEA data exporter and is subject to GDPR.

The PCPD has published guidance on the implementation of section 33 with recommended model clauses to be included in contracts dealing with data transfer, with a view to encouraging voluntary compliance. In the face of increasing cross-border data flow and greater economic integration with mainland China under the one country, two systems principle, it is likely that there will be increased focus on the enforcement of this provision in the future.