Taking a step closer to following the EU restrictions on overseas data transfers, the Hong Kong Office of the Privacy Commissioner for Personal Data recently issued “Guidance on Personal Data Protection in Cross-Border Data Transfer.” While the guidance doesn't impose any new limitations or obligations on personal data transfers out of Hong Kong, it appears to be a harbinger of transfer restrictions coming into force in the near future. For companies doing business in Hong Kong, the guidance encourages adoption of specified practices as part of their corporate governance responsibility to protect personal data.
Intention To Implement Cross-Border Transfer Restriction
Hong Kong's data protection law, the Personal Data (Privacy) Ordinance, has always included a provision that regulates the export of personal data from Hong Kong (Section 33). That provision, however, has never been brought into force since the law’s enactment in 1995. As a result, many privacy advocates view the current protection in Hong Kong for personal data transferred overseas as weak and far from comprehensive.
Prior to the guidance, the Hong Kong privacy commissioner took the position that organizations should voluntarily comply with Section 33 as best practice. But the guidance signals an intention to implement the data transfer restriction and gives practical advice to organizations on how to prepare for Section 33 coming into force.
Transfers Subject to Section 33?
The guidance clarifies that Section 33 covers two situations: offshore transfers from Hong Kong and transfers of personal data between two overseas locations that are controlled by a Hong Kong data user.
Because the ordinance does not define “transfer,” the guidance provides concrete examples of what constitutes a transfer under the ordinance, including storage of employee data in a centralized database to which group companies located overseas may have remote access, as well as the use of a cloud server if the server is accessible outside of Hong Kong.
The guidance specifically states that Section 33 will not apply to the transmission of emails between a Hong Kong sender and receiver where, due to Internet routing, the data is sent via a server or equipment situated outside of Hong Kong.
Section 33 Restrictions
The general rule under Section 33 is that transfers of personal data to places outside Hong Kong are prohibited unless one or more specified conditions are met. Satisfying any one of the conditions below will achieve compliance with Section 33, although organizations are recommended to adopt multiple measures to strengthen protection of the data. The guidance reviews and elaborates on these conditions.
Overcoming the Restrictions
- White list and independent assessments
Data transfers to overseas jurisdictions listed on the privacy commissioner’s approved "White List" of countries, which will be specified by notice in the Gazette by the privacy commissioner, will be permitted. Transfers to countries not listed may still be allowed where the country has a law “substantially similar to, or serves the same purposes as,” the ordinance.
In practice, an organization relying on the “substantially similar” language will have to undertake a professional assessment of the data protection regime of the intended recipient country to establish if equivalent provisions are in force. Consultation with professionals and legal advisers will be required, and evidence to support the evaluation, such as the legal advice relied upon, will need to be retained in case the assessment is challenged. Given the resources that an independent assessment of a country’s data protection regime may involve, it is likely that very few organizations will look to undertake this type of evaluation as their first choice to permit a data transfer under Section 33.
- Written consent
Obtaining the data subjects’ express written consent to the overseas transfer is another way to overcome the restrictions under Section 33. The guidance highlights, however, that the consent obtained must be informed consent, meaning that the data subjects must be notified of the purpose, location and consequences of the transfer, including that this may lower the standard of protection provided to their data.
- Avoidance or mitigation of adverse action against the data subject
Data can be transferred out under Section 33 if there are reasonable grounds to believe that the transfer is for the avoidance of adverse action against the data subject and if it is not possible to obtain the data subject’s written consent in advance of the transfer. The privacy commissioner notes that the condition should be narrowly construed and used, for instance, when the transfer is necessary to perform a contract with the data subject who may incur serious financial losses if the transfer is not made.
- Other exemptions
Transfers made under one of the exemptions in Part VIII of the Personal Data (Privacy) Ordinance, including those for domestic purposes, crime, legal proceedings, news, statistics and research, and emergency situations, are similarly permitted.
For attorneys, the critical point is that, for the legal proceedings exception to apply, the legal claim or defense of legal rights must be in Hong Kong. This is in contrast to the EU Directive, where the legal exception can apply for legal defenses and claims outside of the EU. The exemption for the purposes of crime similarly must have a Hong Kong connection, since crime refers to an offense under Hong Kong law, and would only apply to an offense of an overseas jurisdiction where there is legal cooperation between the Hong Kong authorities and the overseas authorities regarding the activity under investigation.
- Contractual safeguards or auditing
Finally, organizations can rely on the condition that they have taken all reasonable precautions and exercised all due diligence to ensure the data will not be handled in a way that breaches the ordinance as a result of the transfer. The guidance states that having an enforceable contract with the overseas recipient will satisfy this condition and provides a set of model data transfer clauses to incorporate into such a contract. As an alternative, organizations can also use noncontractual monitoring and auditing of the overseas recipient’s data-handling procedures to fulfill this condition.
Organizations operating in Hong Kong are now on notice of the intention to bring into force the overseas transfer restriction under the ordinance. In anticipation of this change, it is advisable for companies doing business in Hong Kong to review current overseas transfer arrangements, the scope of data subjects’ consents, and existing data transfer agreements so that they are already in compliance when Section 33 takes effect.