By Michelle Chan, Partner & David Allison, Counsel
Publication of Guidance Note by Hong Kong’s Privacy Commissioner is likely to be the first step in implementing a long awaited prohibition on cross-border personal data transfers.
INTRODUCTION
The s.33 of Hong Kong’s Personal (Data) Privacy Ordinance (“PDPO”) has been waiting 20 years to be implemented. S.33 prohibits the cross-border transfer of personal data from Hong Kong unless certain exceptions apply. Whilst the purpose of s.33 is to ensure that personal data transferred abroad is afforded similar protection to what would be expected in Hong Kong, due to concerns about the possible effect on international commerce (particularly online) the government had inadvertently not previously implemented s.33 despite it being a formal part of the PDPO since 1995.
In late 2014, the Privacy Commissioner indicated to the Government that it should have renewed focus on s.33 and consider implementing the provision. The Privacy Commissioner has now issued a Guidance Note and model clauses for dealing with cross-border data transfers. This increased activity indicates that s.33 and stronger restrictions for transfer of personal data will soon be implemented.
THE PROVISIONS
S.33 is worded very broadly. The effect is that almost any cross border transfer of personal data in Hong Kong will be caught by the s.33 prohibition (such as sending of paper or electronic documents containing personal data abroad, storing of personal data in ‘the cloud’ etc).
The only exceptions will be where the place of transfer is on a “White List” of countries approved by the Privacy Commissioner, to countries that have similar data privacy laws to Hong Kong, where specific written consent has been obtained from the data subject or where the data user can demonstrate that they have exercised suitable due diligence and have taken reasonable precautions to ensure that the data transferred abroad will not be collected, used or transferred in a way that would be a breach of the PDPO.
COMMENT
Because of the significant penalties for breach of s.33, companies should commence auditing their business practices and international data transfer processes now and ensure such transfers achieve the standards set down in the PDPO and DPPs.
Implementation of s.33 in the near future would be a significant development in Hong Kong’s data privacy regime and we expect to see increased activity and communication on this front in the near future.