Skip to main content

By Michelle Chan, Partner & David Allison, Counsel

Publication of Guidance Note by Hong Kong’s Privacy Commissioner is likely to be the first step in implementing a long awaited prohibition on cross-border personal data transfers.

INTRODUCTION
The s.33 of Hong Kong’s Personal (Data) Privacy Ordinance (“PDPO”) has been waiting 20 years to be implemented. S.33 prohibits the cross-border transfer of personal data from Hong Kong unless certain exceptions apply. Whilst the purpose of s.33 is to ensure that personal data transferred abroad is afforded similar protection to what would be expected in Hong Kong, due to concerns about the possible effect on international commerce (particularly online) the government had inadvertently not previously implemented s.33 despite it being a formal part of the PDPO since 1995.

In late 2014, the Privacy Commissioner indicated to the Government that it should have renewed focus on s.33 and consider implementing the provision. The Privacy Commissioner has now issued a Guidance Note and model clauses for dealing with cross-border data transfers. This increased activity indicates that s.33 and stronger restrictions for transfer of personal data will soon be implemented.

THE PROVISIONS
S.33 is worded very broadly. The effect is that almost any cross border transfer of personal data in Hong Kong will be caught by the s.33 prohibition (such as sending of paper or electronic documents containing personal data abroad, storing of personal data in ‘the cloud’ etc).

The only exceptions will be where the place of transfer is on a “White List” of countries approved by the Privacy Commissioner, to countries that have similar data privacy laws to Hong Kong, where specific written consent has been obtained from the data subject or where the data user can demonstrate that they have exercised suitable due diligence and have taken reasonable precautions to ensure that the data transferred abroad will not be collected, used or transferred in a way that would be a breach of the PDPO.

COMMENT
Because of the significant penalties for breach of s.33, companies should commence auditing their business practices and international data transfer processes now and ensure such transfers achieve the standards set down in the PDPO and DPPs.

Implementation of s.33 in the near future would be a significant development in Hong Kong’s data privacy regime and we expect to see increased activity and communication on this front in the near future.

Related Articles

RANKINGS: ALB Asia Top 50 Largest Law Firms 2024

In an era of global uncertainty, the legal industry in Asia is experiencing significant shifts, with the size and scale of law firms becoming crucial factors in their ability to serve clients effectively.

RANKING: Fast 30: Asia’s Fastest Growing Firms 2024

As the legal landscape in Asia evolves rapidly, an increasing number of law firms are capitalizing on the region's economic growth by adopting innovative technologies and strategic approaches to meet the demands of a more interconnected global market.

OFFSHORE OUTLOOK: 2025

by Nimitt Dixit |

In the coming year, offshore centres will have to balance privacy and transparency as they adapt to new financial trends, lawyers say.