As globalization drives businesses closer together with society, the global flow of personal data continues to expand exponentially. Businesses require efficient ways of exchanging this information both internally and between Hong Kong and other locations worldwide; yet this increased volume presents businesses with a challenge when complying with laws regarding cross-border data transfers. Padraig Walsh of Tanner De Witt provides some insight into this complex legal environment while outlining some considerations regarding cross-border data transfers.
Padraig Walsh, Partner, Tanner De Witt
When contemplating the transfer of personal data between parties, one of the first considerations should be whether that information falls within the territorial jurisdiction of Hong Kong’s Privacy Commissioner for Personal Data (“PCPD”). To assess this, consider who controls or holds the personal data: any person with authority over its collection, use, processing or storage (DPP1 through DPP4) may fall within the PCPD’s reach and enforcement power, and enforcement action will be taken against the individuals responsible.
As data users are defined as data controllers under the PDPO, their legal obligations regarding the collection and use of personal data extend across borders – such as informing data subjects, before the initial collection of their data, of its purposes and the classes of transferees (DPP1-DPP4).
Additionally, the PDPO requires data users to obtain voluntary and express consent before using a data subject’s personal data for any new purpose (DPP5). While this requirement is somewhat onerous in comparison with the GDPR’s requirements, it remains consistent with a law that regards transfer as a use of data.
Once a decision has been made to transfer personal data, it is critical for data users to put in place adequate contracts to protect both their own rights and those of the data subjects involved in the transfer (DPP8). These contractual arrangements could take various forms, such as standalone agreements or addenda to main commercial contracts.
A final consideration is that when an importer accepts standard contractual clauses offered by an EEA data exporter pursuant to the GDPR, the importer must agree to submit to and cooperate with any proceedings concerning the enforceability of those clauses (DPP9), although this will often not be necessary when transferring personal data between locations that don’t possess adequate adequacy regimes or that have yet to join the EU’s ePrivacy Shield program.