Navigating the legal and technical complexities associated with cross-border data flows is no simple task. While facilitating data transfer between Hong Kong and mainland China may bring economic advantages, there may still be concerns regarding its effect on business operations, as well as compliance challenges that must be overcome in order to meet the applicable regulations. Furthermore, there are growing concerns that the free flow of data undermines individuals’ privacy rights and requires appropriate regulatory controls to maintain privacy protections.
The PCPD recently issued guidance addressing various issues encountered when transferring personal data between Hong Kong and Mainland China, such as model clauses to be included in contracts governing transfers and conducting a transfer impact assessment prior to proceeding with any proposed transfers. While such assessments are not mandatory under Hong Kong law, conducting one is often an essential step taken by those wanting to ensure their data transfer complies with PDPO regulations.
As data flows between Hong Kong and Mainland China continue to increase, section 33 of the PDPO may become even more relevant. Under Hong Kong’s “one country, two systems” arrangement with China, we expect greater integration in business and social life between the two places, including more harmonized levels of protection for personal data between them. This may prompt us to reconsider imposing legislative restrictions on data transfer; alternative means may need to be employed instead to ensure compliance with both national standards and those outlined by international bodies like ISO or GDP.
When considering whether data transfers are acceptable, it is essential to remember that the PDPO defines “personal data” as information that relates to an identifiable natural person – in line with international norms and similar to what other legislative regimes use such as China’s Personal Data Protection Law or EU General Data Protection Regulation.
Once collected, personal data items should not be distributed or used for purposes unannounced by their subjects, nor used beyond what was stipulated in a PICS. This is an essential obligation that data users must abide by.
An impact assessment isn’t required by the PDPO, but in certain situations it can become necessary – most commonly when businesses apply to the Mainland for approval of specific data transfers. Tanner De Witt’s team of experts can conduct an in-depth assessment and advise you on the most suitable course of action; please get in touch if you would like us to assess your unique requirements and advise accordingly.