When Hong Kong first adopted modern data privacy laws in 1995, section 33 was intended to regulate the transfer of personal information outside the territory. As increasing cross-border business flows became a feature of daily life in Hong Kong, however, the implementation of this provision was slowed by resistance from the business community. That resistance has continued over the years, with many businesses taking the view that the impact of such a restriction on their operations would outweigh any potential benefits in terms of protecting personal data privacy.
With this in mind, it now looks likely that the statutory restrictions set out in section 33 will never come into effect. Instead, the PCPD has signalled that there will be a shift in approach to regulation of international data transfers, with emphasis being placed on promoting efficient compliance.
One of the key points to consider in this respect is whether a particular activity actually involves the transfer of personal data. In broad terms, the PDPO defines personal data as any information that identifies an individual, or that can be used to identify them even when they are not directly identifiable from that data. The key questions are therefore whether the activity in question involves a transfer of personal data and, if so, whether the purpose for which that personal data is collected and processed is lawful.
An example of where the collection and processing of personal data may be lawful is a photograph of a crowd of people attending a concert, provided that the photo is not used to identify any individuals in it (the principle of “no identification required”). Other examples include CCTV recordings, logs of persons entering car parks and records of meetings that do not identify individual speakers or participants.
The next step is to determine whether any statutory obligations apply. The most significant is the obligation on a data user to comply with the six core data protection principles (“DPPs”). This includes DPP1 (Purpose and collection of personal data) and DPP3 (Use of personal data). In relation to DPP3, the relevant requirement is that a data user discloses the purposes for which it collects the personal data, the classes of person to whom that personal data may be transferred, and any other third party to whom it might disclose that personal data. This requirement is generally fulfilled by providing a PICS to data subjects before collecting their personal data.
Other data transfer-related obligations could also arise, such as the obligation on a Hong Kong business to agree standard contractual clauses in circumstances where it transfers the personal data of EEA persons to an EEA country, and the requirement to contribute to an adverse transfer impact assessment in circumstances where it transfers the personal data of an EEA person to an EEA country. Those requirements are generally fulfilled by incorporating data transfer provisions into contractual arrangements with data users and processors, whether in separate contracts or in schedules to the main commercial agreement.