Hong Kong could suffer irreparable harm from the recent data hack, according to experts. They suggest that some investors may start questioning whether the city can provide adequate IT security experts or takes data privacy seriously. Furthermore, this undermines Hong Kong’s goal of joining Beijing’s Greater Bay Area plan, which envisions unifying Hong Kong, Macau and nine mainland Chinese cities into one high-tech economic powerhouse.
As part of their effort to become a data hub, jurisdictions must enable the free flow of data across borders. While this can facilitate international trade, any problems with privacy regulation could impede this goal and cause issues when personal data is transferred across jurisdictions. It is therefore essential to understand how privacy regulators deal with personal data transfers between jurisdictions. This article by Padraig Walsh from Tanner De Witt walks you through some key considerations when sending personal data overseas.
The first step is to determine whether the data falls under local privacy laws. This can be challenging since there is no strict legal definition of what counts as “personal data”. Generally speaking, however, the term refers to information which identifies individuals.
Secondly, consider whether the transfer is necessary for legal purposes. This test depends on the intention of those acquiring the data. If their aim is not illegal, there should be no issues. But if the intention is to send personal data elsewhere without the subject’s knowledge and consent, its legality will depend on their decision.
Thirdly, consider whether the data will be processed in a way that is likely to cause harm to individuals. This includes not only any breach of the PDPO but also processing that could lead to discrimination, injury or reputational harm. While such considerations might not come up during data transfer processes, they should still be kept in mind.
Fourthly, if the data transfer is not necessary for legal purposes, then the data user must comply with a number of statutory obligations, including the six core PDPO principles. One requirement in such instances is that the data user inform data subjects, on or before collecting their personal data, of its intended uses and of the classes of persons to which the data may be disclosed. Since data transfers constitute a form of use, this step is more onerous than in many other jurisdictions.
Under GDPR, data users who agree to standard contractual clauses proposed by an EEA data exporter must also agree to submit to and cooperate with the exporter’s supervisory authority in any proceedings aimed at ensuring compliance with those clauses. While this step will not be triggered during any transfer transaction itself, it should still be kept in mind when entering into contracts dealing with personal data transfers.