Personal data includes any information that can be linked back to an identifiable individual. Such data can be used to track a person's movements, finances and health in order to tailor advertising or service delivery. While many services built on data gathering are beneficial, the data can pose significant threats to personal privacy if misused. This is particularly pertinent to data transfers between countries. Padraig Walsh from Tanner De Witt’s Data Privacy Practice Group will discuss important considerations when moving data across borders.
Data transfers between entities that collect, hold, process or use personal data in Hong Kong are subject to various statutory obligations under the Personal Data (Privacy) Ordinance (“PDPO”). The PDPO imposes data protection obligations on data controllers, requiring compliance with six core privacy principles, as well as restrictions on overseas transfers that must be disclosed to individuals affected by such transfers.
The PDPO does not specifically apply extraterritorially and does not confer “adequacy” or equivalent regime status upon any foreign jurisdiction. This means that when Hong Kong data users want to transfer personal data abroad without an adequate or equivalent regime in place, data exporters must conduct an “impact analysis”.
An impact evaluation must be completed if a data user transferring personal information believes the laws and practices in a foreign jurisdiction do not meet the standards outlined by the PDPO. A transfer impact analysis, however, is not mandatory if the foreign jurisdiction poses no significant threat to individuals’ personal privacy.
The PCPD has issued two sets of recommended model contractual clauses designed to address various scenarios where data transfer must be considered under the PDPO, such as between entities controlled by Hong Kong data users and third-party control, or between an entity belonging to one business group and those belonging to a different one.