Publication of a Guidance Note by Hong Kong's Privacy Commissioner is likely to be the first step in implementing a long-awaited prohibition on cross-border personal data transfers.
20 years is a long time for any law to remain on the statute books without being implemented. That is how long s.33 of Hong Kong's Personal Data (Privacy) Ordinance ("PDPO") has been waiting for implementation. S.33 prohibits the cross-border transfer of personal data from Hong Kong unless certain exceptions apply or the data is transferred to countries where similar data protection laws are in place.
Whilst s.33 was previously not implemented due to concerns about its possible effect on international commerce (particularly online), it appears that this may soon change. In late 2014, the Privacy Commissioner indicated to the Government that it should consider implementing the provision. The Privacy Commissioner has also recently issued a Guidance Note and model clauses for dealing with cross-border data transfers. This increased activity indicates that s.33, and with it more stringent restrictions on the transfer of personal data from Hong Kong, could soon be implemented.
S.33 prohibits the transfer of personal data to places outside Hong Kong unless one or more of a number of stringent conditions have been met. In summary, the conditions are as follows:
(1) White List: The transfer is to a place appearing on the Privacy Commissioner's 'White List' of countries which have data protection laws similar to those in Hong Kong. The Privacy Commissioner has indicated that it has approximately 50 countries on its 'White List', but the list has not yet been published. It is interesting to note that, to date, other privacy regulators in Asia (e.g. Singapore, Malaysia) have yet to issue similar white lists;
(2) Similar Laws: The data user (i.e. the organisation responsible for the collection, processing and transfer of personal data) has reasonable grounds for believing that the destination has laws similar to those that operate in Hong Kong in relation to data privacy. The Privacy Commissioner has made it quite clear, however, that a data user's subjective view on this point will not be sufficient. Only where detailed inquiries and a professional assessment have been made will a data user be able to rely on this exception. Organisations are advised to keep written evidence of such an assessment to demonstrate that care was given to this due diligence phase;
(3) Consent: Specific written consent from the data subject (i.e. the individual whose data is being collected and processed) to the transfer abroad can be sufficient. However, the Privacy Commissioner has indicated that such consent from data subjects should be express, voluntary and in writing. This raises questions in areas such as the employer/employee context, or where the provision of goods or services is conditional upon the provision of personal data;
(4) Statutory Exemptions: the PDPO provides certain statutory exemptions for the transfer of data where it is for purely domestic purposes, for the purposes of preventing crime, etc. These exemptions also apply in relation to the transfer of data abroad under s.33; and/or
(5) Due Diligence and Reasonable Precautions, including use of data transfer agreements or other non-contractual mechanisms: A final catch-all scenario applies where a data user has exercised appropriate due diligence and has taken reasonable precautions to ensure that the data transferred abroad will not be collected, used or transferred in a way that, if it were in Hong Kong, would be a breach of the PDPO. To assist in meeting this, the Privacy Commissioner provides its own data transfer agreement template to help data users prepare enforceable data transfer contracts.
It should be stressed that even where one of the above exceptions appears to apply, the data user must still comply with the PDPO and, in particular, with all of the Data Privacy Principles ("DPP"), which deal with the use, security, access and accuracy of personal data.
Who is affected?
S.33 is worded very broadly. With the exception of personal data that is merely in transit, the effect is that almost any cross-border transfer of personal data where the data has been collected in Hong Kong, or where the data user is based in Hong Kong, will be caught by the s.33 prohibition. Obvious categories of data use and transfer may include:
(1) Sending of paper or electronic documents containing personal data abroad;
(2) Storing personal data outside Hong Kong. This could be physical storage of personal data, or may include storage of personal data electronically or in the "cloud";
(3) Sharing personal data with third parties, related companies or employees of the data user's own company outside Hong Kong;
(4) Contracting with third-party providers outside Hong Kong to process personal data (e.g. e-mailing, analytics or data-cleansing providers); or
(5) Transfer of data outside Hong Kong for use in direct marketing.
The increased activity from the Privacy Commissioner in relation to s.33 strongly suggests that s.33 may be implemented in the very near future. Whilst the Guidance Note does not have the force of law, it does give a very good indication of how the Privacy Commissioner intends to enforce s.33 when it does come into force.
Where a company already adopts the EU approach and has in place binding corporate rules in relation to privacy, or has already adopted appropriate model clauses, then compliance with the Guidance Note may not prove overly onerous. However, for those companies which have not adopted this approach, it may be an appropriate time to review their internal and external privacy policies, their PICs and their business operations to ensure compliance with the new Guidance Note. As there are significant penalties for breach of s.33, companies should commence auditing their business practices and international data transfer processes now.
Implementation of s.33 in the near future would be a significant development in Hong Kong's data privacy regime and we expect to see increased activity and communication on this front in the near future.