Section 33 of the Hong Kong Personal Data (Privacy) Ordinance (Cap. 486) (the PDPO) deals with the transfer of personal data, and prohibits the transfer of personal data outside Hong Kong except in specified circumstances, such as when:
- the data protection laws of the foreign country are similar to the PDPO; or
- the data subject has consented in writing to the transfer.
However, Section 33 has yet to be brought into force since its enactment in 1995, and there is at present no timetable for its implementation. Nevertheless, on December 29, 2014, the Hong Kong Privacy Commissioner issued updated guidelines on Section 33, known as the “Guidance on Personal Data Protection in Cross-border Data Transfer” (the Revised Guidance), which includes a Model Contract for data transfer. The Revised Guidance gives more comprehensive insight into how the Privacy Commissioner will interpret Section 33. As Section 33 is still not in force, it does not currently have a significant effect on the way entities must handle the transfer of personal data. That said, the Privacy Commissioner has urged the Hong Kong Government to renew its focus on the implementation of Section 33, and to assist with its implementation, the Privacy Commissioner has provided the Government with a “White List” of jurisdictions with laws similar to Section 33 (the countries on the White List have not been made publicly available to date). Given the growing global emphasis on data protection, and the recent attention paid to Section 33 by the Privacy Commissioner, the Revised Guidance could very well be an indication that Section 33 will be implemented in the near future.
On a related note, the Privacy Commissioner also issued the “Guidance on the Proper Handling of Customers’ Personal Data for the Banking Industry” in October 2014, and one of its guidelines included the recommendation that if banks and financial institutions wish to transfer their customers’ personal data to a place outside Hong Kong, they should inform their customers of the kinds of data to be transferred, the purpose of the transfer, and if appropriate, the place to which the data is to be transferred.
The incumbent Privacy Commissioner has been particularly active in enforcing and broadening the scope of the PDPO. As such, companies with operations in Hong Kong or which hold data belonging to customers based in Hong Kong would be well-advised to implement the provisions in the Guidance, especially since the provisions are not particularly onerous and doing so would bring the data protection policies for the company in line with many other jurisdictions in Asia.