Data Hk Explains the Legal Implications of Cross-Border Transfers of Personal Data
Hong Kong is a prime location for global businesses to operate regional offices or headquarters and to serve their clients in mainland China and beyond. This translates into great demand for secure data centres that are trusted to protect and store the personal information of those customers.
However, it is important for those importing personal data from overseas to be aware that there are specific requirements in relation to cross-border transfer and that it is not as simple as signing a contract with the destination entity. Hong Kong law imposes a range of statutory obligations on collecting, holding and using personal data, and failure to fulfil them may result in penalties or compensation claims under local laws.
Data Hk explains the complexities and legal implications of international transfers of personal data. The article addresses the need for a lawful basis to be in place prior to transferring personal data; the obligation to inform individuals of transfers and the requirement to provide an option to opt out; and the obligation to carry out a transfer impact assessment and, where necessary, implement supplementary measures. The need to comply with the PDPO and supplementary provisions will continue to grow with further integration of business and social life between Hong Kong and mainland China under the “one country, two systems” principle.
Under the PDPO, personal data is information that can be directly linked back to an individual and includes name; identification number; location data; and factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of an identifiable natural person. The PDPO requires data users to make full, clear and informed disclosures to individuals about the purpose for which they collect personal data, including what will be done with that data, and to obtain consent to any further use of such personal data. The PDPO also prohibits the transfer of personal data overseas without adequate protections in place.
The PCPD has published two sets of recommended model contractual clauses to aid data transfers, one of which focuses upon transfers between entities within Hong Kong and the other on transfers between entities outside Hong Kong. The PCPD’s supplemental guidance indicates that, in circumstances where the transfer impact assessment reveals that legislation or practices in the destination jurisdiction do not meet the standards required under the PDPO, the data exporter must either suspend the transfer or implement supplementary measures. Supplementary measures can include technical steps such as encryption or pseudonymisation, separation of data processing and multi-party processing, and contractual provisions relating to audit, inspection and reporting, breach notification, and compliance support and co-operation.
The other set of recommended model contractual clauses covers a scenario where a Hong Kong data importer receives personal data from an EEA data exporter and is subject to an EU adequacy decision. It will be mandatory for the data importer to agree to these clauses in order to avoid a penalty and it is likely that other supplementary measures will be required.