Aside from promoting data flows and exploring digital infrastructure, the Hong Kong government will also hasten digital transformation, foster digital talent and accelerate the transformation of scientific research results. To achieve this, it is essential to cultivate homegrown professionals proficient in analyzing data and conducting regulatory supervision.
As the leading international centre for business and financial services, Hong Kong must not lose its competitive edge. To this end, the iBDG will support the efforts of the HKSAR government in enhancing its expertise and promoting best practices in regulating the use of personal data. Moreover, it will continue to advocate the need for a comprehensive data ethics framework, aiming to elevate the role of the Hong Kong economy as a global leader in this area.
Generally speaking, data protection law in Hong Kong does not contain a statutory restriction on the transfer of personal data outside Hong Kong. Nevertheless, there is extensive guidance on the fulfilment of core data protection obligations in respect of cross-border transfers of personal data. This guidance includes recommended model contractual clauses which may be included in separate agreements, schedules to commercial arrangements or as contractual provisions within the main commercial agreement.
The first set of recommended model contractual clauses relates to transfers of personal data between two entities that control the same data. This is the scenario that most frequently arises in practice. The second set of model contractual clauses relates to transfers of data from a Hong Kong entity to another entity outside Hong Kong, or between entities both of which are outside Hong Kong and controlled by the same data user.
It is important to understand that data users have significant and onerous obligations in respect of personal data transfers that they make, regardless of the location of the recipients. In particular, they must comply with the six DPPs that form the core data privacy obligations in Hong Kong. In addition, they must expressly inform data subjects on or before the original collection of their personal data of the purposes for which those data are collected and the classes of persons to whom the data will be transferred.
It is also important to note that if the assessment reveals that a foreign jurisdiction’s laws or practices do not meet Hong Kong standards, the data exporter must identify and adopt supplementary measures to bring those levels up to the requirements of the PDPO. This might involve technical measures such as encryption, anonymisation or pseudonymisation, or contractual provisions covering audit, inspection and reporting, beach notification and compliance support and co-operation. The supplementary measures must be adequate and not excessive for the agreed processing purposes. They must also be feasible and cost-effective. In other words, they must not impose an unreasonable burden on the data exporter. In addition, the supplementary measures must be enforceable. This is a key principle that underpins the PDPO’s restrictions on cross-border transfers of personal data.