Regulation of Cross-Border Data Transfers in Hong Kong
Written by
Hong Kong first embarked on modern data privacy laws in 1995, and one of their hallmark features was regulation of cross-border data transfers. This was manifested through section 33 of the Personal Data Protection Ordinance (“PDPO”). This provision forbids any transfer of personal data outside Hong Kong unless certain conditions are fulfilled.
These conditions aim to ensure that data transferred overseas receives protection comparable to what’s provided under PDPO, and impose obligations on data users to take steps towards this end – most commonly entering into standard contractual clauses with data importers.
At the time of initial collection, data subjects must be clearly informed of its intended uses and possible recipients; explicit consent should also be sought from these recipients prior to collecting their personal data.
While these requirements are intended to protect data privacy, there is the potential risk that they will significantly disrupt business operations and increase compliance costs. For example, this could necessitate training a larger pool of employees on how to meet these obligations, potentially leading to decreased quality in work performed.
However, the PCPD has actively communicated with business communities to explain why these requirements are necessary and in light of increased cross-border data flows. Furthermore, they reviewed and revised global regulatory frameworks pertaining to data transfer where necessary and advocated changes where needed.
As more businesses operate globally, compliance with international data transfer requirements will become ever more crucial. Key to meeting this challenge is understanding how the provisions of the PDPO and other international laws impact each other and will be enforced across different jurisdictions. Companies need to understand what regulations affect them and determine what supplementary steps may need to be taken, in order to minimize any negative repercussions and identify what supplementary steps, if any, they need to take in response. Here, Padraig Walsh from Tanner De Witt’s Data Privacy practice group comes in: he details key considerations when handling data transfers out or into Hong Kong; check out more of his blogs here.