Data Transfers in Hong Kong
Padraig Walsh from Tanner De Witt discusses the main points to note when considering data transfers between organisations. These include determining whether or not the data is personal data, the extent of a data user’s territorial jurisdiction and a key interpretation of first principles under Hong Kong law.
Data is the cornerstone of most digital businesses. To make the most of it, organizations must implement a robust data governance framework that addresses all aspects of the information lifecycle, from collection to disposal. Despite its many benefits, the proliferation of data can lead to confusion about what information an organization actually needs. A strong data governance framework will address these concerns by clearly identifying the purposes for which data is collected and used.
In the context of data transfer, the term “personal data” refers to any information relating to an identifiable natural person, including any expression of that person’s identity (such as name, identification number, location data, or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person). The PCPD has also defined what is meant by the phrase “processing”. This includes any activity that transforms the personal data into a form in which it can be processed; for example, aggregation, anonymization, or profiling.
A data transfer is only permitted under the PDPO if it is necessary for the purpose for which the data was collected, and if the transferred personal data meets certain safeguards. These include ensuring that the data exporter does not allow the data processor to use or disclose the transferred personal data for any purpose other than those agreed with the transferring data user; that the transfer is subject to appropriate technical and organizational measures in order to protect the data; and that the data importer undertakes not to store, process or further transfer the personal data outside of those countries or territories in which it has its facilities or where it is otherwise required by applicable law.
In addition, the transferring data user must notify the data subject of any intention to transfer his or her personal data abroad and the classes of persons to whom the personal data may be transferred. The notification must be given on or before the original collection of the personal data. The transferring data user must also inform the data subject of any rights to rectify, block or erase the personal data transferred. Further, the transferring data user must not permit any sub-processor to further transfer or process the personal data abroad. Finally, the transferring data user must keep proper records of its contractual arrangements with the data importer and all efforts it has taken to fulfil its obligations for cross-border transfers. This will help to demonstrate compliance with the PDPO in the event of an investigation. Moreover, the transferring data user must take steps to update its privacy policies and procedures to reflect the requirements of the PDPO for cross-border transfers.