Personal Data Protection in Cross-Border Data Transfer

Scott Thiel, Partner, and Louise Crawford, Legal Officer, DLA Piper Hong Kong

Although the restrictions on the transfer of personal data outside Hong Kong set out in s.33 of the Personal Data (Privacy) Ordinance (the “Ordinance”) are not yet in force, the Hong Kong Privacy Commissioner for Personal Data (“PCPD”) published on 29 December 2014 a Guidance on Personal Data Protection in Cross-border Data Transfer (the “Guidance”), which aims to assist data users in understanding their compliance obligations for cross-border data transfer once s.33 comes into effect. DLA Piper Hong Kong has contributed to the drafting and preparation of the Guidance and the recommended data transfer clauses contained therein.

There are six exceptions to the cross-border data transfer restrictions set out in s.33(2) of the Ordinance and a data user is required to satisfy any one of them if the data user wishes to transfer personal data outside of Hong Kong. Key points given in relation to some of the exceptions in the Guidance include:

  • The first exception provides that cross-border transfer is permissible if personal data is to be transferred to any one of the jurisdictions specified by the PCPD in the White List. However, the jurisdictions to be included in the White List have not yet been revealed in the Guidance.
  • Obtaining data subjects’ express and voluntary consent in writing to the cross-border transfer is also one of the exceptions set out in s.33(2) and this is regarded as a more onerous consent requirement on the part of data users.
  • One of the exceptions to cross-border transfer restrictions is that the data user has taken all reasonable precautions and exercised all due diligence to ensure that the data will not, in the place outside Hong Kong, be collected, held, processed, or used in any manner which, if that place were Hong Kong, would be a contravention of a requirement under the Ordinance. The PCPD has suggested that adopting enforceable contractual means between the parties to the transfer may satisfy this due diligence requirement. The PCPD has therefore prepared a set of recommended model data transfer clauses to assist data users in developing enforceable data transfer agreements.

We recommend that data users start reviewing their data collection and transfer practices to ensure these are aligned with the recommended practices set out in the Guidance. Some to-do actions include:

  • Reviewing and updating your Personal Information Collection Statements;
  • Reviewing and updating your cross-border personal data transfer arrangements; and
  • Developing group-wide policies for cross-border intra-group data transfer.