Skip to main content

By Michelle Chan, Partner & David Allison, Counsel

Publication of Guidance Note by Hong Kong’s Privacy Commissioner is likely to be the first step in implementing a long awaited prohibition on cross-border personal data transfers.

INTRODUCTION
The s.33 of Hong Kong’s Personal (Data) Privacy Ordinance (“PDPO”) has been waiting 20 years to be implemented. S.33 prohibits the cross-border transfer of personal data from Hong Kong unless certain exceptions apply. Whilst the purpose of s.33 is to ensure that personal data transferred abroad is afforded similar protection to what would be expected in Hong Kong, due to concerns about the possible effect on international commerce (particularly online) the government had inadvertently not previously implemented s.33 despite it being a formal part of the PDPO since 1995.

In late 2014, the Privacy Commissioner indicated to the Government that it should have renewed focus on s.33 and consider implementing the provision. The Privacy Commissioner has now issued a Guidance Note and model clauses for dealing with cross-border data transfers. This increased activity indicates that s.33 and stronger restrictions for transfer of personal data will soon be implemented.

THE PROVISIONS
S.33 is worded very broadly. The effect is that almost any cross border transfer of personal data in Hong Kong will be caught by the s.33 prohibition (such as sending of paper or electronic documents containing personal data abroad, storing of personal data in ‘the cloud’ etc).

The only exceptions will be where the place of transfer is on a “White List” of countries approved by the Privacy Commissioner, to countries that have similar data privacy laws to Hong Kong, where specific written consent has been obtained from the data subject or where the data user can demonstrate that they have exercised suitable due diligence and have taken reasonable precautions to ensure that the data transferred abroad will not be collected, used or transferred in a way that would be a breach of the PDPO.

COMMENT
Because of the significant penalties for breach of s.33, companies should commence auditing their business practices and international data transfer processes now and ensure such transfers achieve the standards set down in the PDPO and DPPs.

Implementation of s.33 in the near future would be a significant development in Hong Kong’s data privacy regime and we expect to see increased activity and communication on this front in the near future.

Related Articles

Features

State of the Market 2024

by Sarah Wong, Nimitt Dixit |

In 2024, Asia’s legal markets remained in flux. On one hand, Singapore stood tall as a neutral arbitration hub, Indonesia’s booming economy beckoned global firms, and India’s legal scene sizzled with talent wars and ambitious expansions. And Saudi Arabia led a Middle Eastern renaissance, shaking up the region with bold reforms.

Features

RANKINGS: ALB Indonesia Firms to Watch 2024

by Asian Legal Business《亚洲法律杂志》, Bingqing Wang |

Driven by a resilient economy and changing regulations, Indonesia’s legal landscape is continuously evolving. This transformation is paving the way to emergence of a new generation of innovative law firms that combine strong local expertise with a global outlook.

Features

RANKINGS: Asia Top 15 IP Lawyers 2024

by Asian Legal Business《亚洲法律杂志》 |

Asian Legal Business continues to spotlight 15 leading IP practitioners across Asia who have excelled in the ever-evolving field of intellectual property.