If your business transfers personal data across Hong Kong or to other locations, you will need to comply with a wide range of statutory obligations and best practice standards. These include the six key data protection principles (DPPs) that are core to data privacy regulation in Hong Kong. In this article, Padraig Walsh from the Data Privacy practice group at Tanner De Witt guides you through some of the main points to consider when addressing this type of commercial transaction.
The first step is to consider whether or not the transfer involves the collection of personal data. This is an important consideration because if the transfer is not a collection, then it will not trigger any obligation to provide a Personal Information Collection Statement (PICS) or to carry out a transfer impact assessment. If, however, the transferring business is collecting personal data and then transferring it, then it will be required to review its PICS to ensure that it has lawful bases for doing so. It will also need to verify that it has not transferred the personal data for a purpose that is a new use and therefore requires the voluntary and express consent of the data subject.
Once the PICS has been reviewed, the data exporter will need to conduct a transfer impact assessment. The assessment must take into account the laws of the destination jurisdiction as well as the adequacy of protection offered by those laws. It will also need to consider whether the transferring business has taken all necessary steps to protect the personal data and, where that is not sufficient, to implement adequate supplementary measures.
One area of concern in this context is that the definition of personal data under the Personal Data (Privacy) Ordinance (PDPO) has not been updated since it was enacted in 1996. This contrasts with the definition of personal data under other legislation (for example, the GDPR that applies in the European Economic Area), which has been updated to reflect modern notions of what constitutes an identifiable person.
It is also worth remembering that, if the transferring business offers goods or services to data subjects in the EEA or monitors the behaviour of data subjects within the EEA, it may be subject to the GDPR and therefore must consider complying with its transfer impact assessment requirements. This is an area of potential confusion for businesses that operate cross-border data transfers and should be discussed with a privacy lawyer as part of the planning process.