The Implications of Section 33 of the PDPO on Cross-Border Data Flows

A key component of Hong Kong’s modern data privacy laws is section 33 of the Personal Data (Privacy) Ordinance (PDPO), which prohibits the transfer of personal information out of Hong Kong unless certain conditions are fulfilled. This article by Padraig Walsh, Partner at Tanner De Witt, explores the implications of this provision for cross-border data flows and why businesses need to pay attention to it.

The PDPO defines ‘personal data’ as information that relates to an identifiable individual and includes such information as the person’s name, address, telephone number, email address, occupation or other similar personal details. As such, it encompasses a wide range of personal information that would be considered sensitive under many other jurisdictions and which would typically require explicit consent to use.

Under current law, businesses are required to conduct a transfer impact assessment before exporting personal data outside Hong Kong. A number of factors will determine whether a business needs to complete a transfer impact assessment, including the type and purpose of the data being transferred, the destination country’s laws and practices, and the adequacy or level of protection provided by those laws and practices.

While the Privacy Commissioner for Personal Data (PCPD) has been keen to bring this requirement into effect since its inception, the resistance from the business community has been considerable. Businesses have generally argued that the cost of compliance outweighs any perceived benefits, and they also see no evidence that cross-border data flow undermines privacy in the Hong Kong context.

In response to these concerns, the PCPD has reviewed the global regulatory framework and communicated with the government on ways forward which best suit Hong Kong’s local circumstances. As a result, there has been a move away from imposing a strict interpretation of the requirement to comply with transfer impact assessments, particularly for businesses that export data to jurisdictions which have implemented GDPR.

There are, however, a growing number of circumstances in which a transfer impact assessment will be necessary for a Hong Kong business, for example when agreeing to standard contractual clauses proposed by an EEA data exporter. In these cases, the data importer is required to undertake a transfer impact assessment to identify and adopt supplementary measures that are sufficient to bring the law of the destination jurisdiction into line with Hong Kong standards.

In many instances, this may involve technical measures such as the application of encryption or pseudonymisation, split processing or multi-party processing. It might also include additional contractual provisions relating to audit, inspection and reporting, breach notification, and compliance support and co-operation. In other cases, it may be a matter of making sure the recipient understands that data subject rights, such as the right to be informed and the right to object, are recognised in the destination jurisdiction. This may mean including language in contracts that explicitly references the PDPO. It might even involve providing a legal opinion from the data exporter that their laws and practices provide an adequate level of protection for personal data. This will ensure that the transfer is not deemed to be contrary to the PDPO.