Cross-border transfers of data
Gupinder Assi, Counsel; and Kristi Swartz, Managing Partner, Hong Kong; Bryan Cave, look at due diligence measures organisations in Hong Kong should consider ahead of the implementation of Section 33 of the Personal Data (Privacy) Ordinance which imposes restrictions on the transfer of personal data outside of Hong Kong.
The use, disclosure and transfer of personal data is a hot topic globally. Laws in various jurisdictions have been put in place to protect information relating to individuals. Such laws include prohibitions of the transfer of information to jurisdictions that may not have similar provisions relating to the protection of personal data and which may therefore permit individual’s fundamental rights with respect to privacy to be infringed. However, it is also important in the global economy to be able to balance such requirements with the need to be able to transfer personal data across borders in connection with the organisation of businesses; the entering into of contracts and other commercial transactions.
The Personal Data (Privacy) Ordinance
In Hong Kong the regulation of the use, disclosure and transfer of personal information is set out in the Personal Data (Privacy) Ordinance (Cap 486) (PDPO) which was enacted in 1995. The PDPO contains a definition of personal data which in summary refers to any information relating to a living individual, other than anonymised data, in whatever form, whether it be employment records, medical records, biometric information or HKID cards.
The PDPO contains a number of data protection principles setting out the manner in which personal data can be used, including the use and transfer of personal data. In particular the PDPO requires that the personal data of individuals be collected lawfully and fairly and for a lawful purpose directly related to a function or activity of the user of such data.
Data users must also ensure that personal data is accurate and that it is not retained for a period longer than is necessary for the purposes for which it was originally collected. Other obligations include ensuring that personal data are protected against unauthorised or accidental access, processing, erasure, loss or use.
Section 33 – prohibition of cross-border transfers
The PDPO also contains Section 33 which refers to the prohibition of the transfer of personal data to places outside of Hong Kong unless certain conditions are complied with or an exemption applies. However, Section 33 has not yet come into effect and there is still no indication as to when it will come into force. When Section 33 finally comes into force, it will have an impact on the operations of organisations that transfer personal data outside of Hong Kong. Some examples may include:
• engaging third-party service providers located outside of Hong Kong to process personal data, such as call centres
• transferring customer’s personal data to contractors situated outside of Hong Kong to perform marketing activities
• sharing of personal data with international offices through the use of a centralised database; such as employee data, or customer data, and
• Storing personal data in the cloud if the cloud server is accessible outside of Hong Kong.
Furthermore, the obligations under Section 33 will rest with the data user, the organisation that controls the entire personal data process. Third-party data processors who merely hold, process or use personal data on behalf of, and upon the instructions of the data user, will not be liable under Section 33 of the PDPO and therefore data users will need to ensure that the transfer of personal data to any third-party data processors located outside of Hong Kong meet the provisions of Section 33 when they come into force, either by including specific contractual provisions in their agreements with third parties or otherwise.
Privacy Commissioner’s guidance
As a result of a number of recent cases of serious identity theft and data breaches, concerns have been raised over privacy and identity fraud. In particular, in 2010 the cashless payment company Octopus was discovered to have sold customer information to its business partners earning them HK$44 million and in 2015 VTech, a Hong Kong-based children’s technology maker was hacked, exposing data of five million customers. These breaches have made personal data security a priority topic.
As a result of these recent cases, as well as a rise in the number of complaints about breaches of privacy (an increase of 7% between 2014 and 2015) and an increase in awareness about data protection, the Privacy Commissioner is taking a stricter approach to the protection of personal data. This is also demonstrated by the fact that there were six prosecutions in 2015 compared with only one in 2014.
The Privacy Commissioner has also been more active in issuing a number of guidelines to assist organisations in complying with their obligations under the PDPO. In particular, the Privacy Commissioner issued a practical guide – Guidance on Personal Data Protection in Cross-Border Data Transfer – which sets out the measures that organisations are encouraged to follow in relation to cross-border transfers of personal data. These measures are based on the provisions set out in Section 33 and are aimed at preparing organisations for its implementation.
These measures can be summarised as follows.
The White List
Data users can transfer personal data to countries included on a ‘White List’. The Privacy Commissioner has assessed 50 jurisdictions for inclusion on the list, but this is yet to be published or Gazetted. When finalised, the White List is intended to be a working document that is regularly re-evaluated and updated to stay current with any law changes in different jurisdictions.
The transfer of personal data is permitted to countries which have ‘any law which is substantially similar to, or serves the same purposes as’ the PDPO. This is intended to address jurisdictions which have not been assessed by the PCPD.
Personal data can be transferred outside of Hong Kong if the individual whose data is being transferred has expressly and voluntarily consented in writing and such consent has not been withdrawn.
Avoidance or mitigation of adverse action
Data users can transfer personal data outside of Hong Kong if they have reasonable grounds to believe that the transfer is necessary for the avoidance or mitigation of adverse action against an individual that the data relates to, but it is not practicable to obtain the consent of such individual beforehand. The Privacy Commissioner’s guidance states that this exemption will be of narrow application.
Part VIII exemptions
Personal data can be transferred outside of Hong Kong if an exemption applies, which are for:
• domestic purposes
• the provision or detection of a crime
• health purposes
• Hong Kong legal proceedings
• purposes of a news publication
• statistics and research, and
• in the event of an emergency.
Reasonable precautions and due diligence
Data users can transfer personal data outside of Hong Kong if they can show that the personal data concerned will be given the equivalent protection to that provided for by the PDPO. Such protections can be contained in a contract and to assist data users to satisfy this requirement the Privacy Commissioner has prepared a set of model data transfer clauses which can be used and adapted by data users to develop an enforceable contract for their cross-border transfers. Alternatively, data users may also adopt non-contractual means to satisfy this condition, such as intercompany binding corporate rules, or internal policies.
These measures are intended to allow the transfer of personal data to territories outside of Hong Kong whilst continuing to protect the rights of individuals who are the subject of the personal data and to ensure that their personal data continues to be protected when it is transferred to territories that are not subject to the PDPO. Whilst for guidance only, these follow similar principles that are embodied in other global data protection laws, such as the European General Data Protection Regulation that is due to come into force this year. Therefore organisations in Hong Kong which also have affiliates in different jurisdictions and which receive, as well as transfer, personal data to their affiliated companies would be well advised to adopt such provisions in order to be consistent with international standards on cross-border data protection.
Gupinder Assi, Counsel, and Kristi Swartz, Managing Partner, Hong Kong
The authors can be contacted by email at: kristi.swartz@BryanCave.com.
The Privacy Commissioner’s ‘Guidance on Personal Data Protection in Cross-border Data Transfer’ is available on the PCPD website: www.pcpd.org.hk.