Data Transfers From Hong Kong to Other Locations

July 29, 2024 first-eidsvold Gambling Blog

data hk

Data transfers are an everyday part of business, yet can also present significant regulatory risk to many organisations. Here, Padraig Walsh from our Data Privacy practice group explores key points when transferring personal data between Hong Kong and other locations or back into Hong Kong from abroad.

At first, it’s important to bear in mind that data transfer is not an independent legal activity – rather, it represents one form of data use and as such triggers various core compliance obligations under the PDPO, such as providing a PICS, assuring only collecting personal information with voluntary and express consent, and taking additional measures (DPP 5).

An extra-legal measure that data exporters must take if their transfer impact assessment identifies that laws or practices in another jurisdiction do not meet standards set by PDPO is known as supplementary measures. It may include technical solutions like encryption, anonymisation and pseudonymisation as well as contractual provisions such as audit inspection reporting beach notification support co-operation etc.

If a data importer does not take appropriate supplementary measures, the PDPO requires that its exporter suspend any transfer of personal data until an appropriate safeguards solution has been put into place. Furthermore, failing which, the PCPD is entitled to demand that steps are taken either to rectify any deficiencies in implementation of standard contractual clauses or launch an investigation into this matter.

Contrary to many other data privacy regimes, the PDPO does not contain explicit provisions providing extra-territorial application. Instead, its provisions only apply when dealing with data collected from identifiable natural persons whose collection is authorized by law.

This position stands in stark contrast to a growing trend among other jurisdictions – such as Europe – to adopt more expansive approaches, including their Adequacy Model. It will be interesting to observe whether cross-border data flow and increased integration with mainland China under “one country, two systems” drive any change here.