On 29 December 2014, the Office of the Privacy Commissioner for Personal Data (PCPD) published a Guidance Note entitled “Guidance on Personal Data Protection in Cross-border Data Transfer” (the Guidance Note).
The Guidance Note is of particular relevance to multi-national corporations (MNCs), because their corporate structure and business inevitably involve a significant volume of personal data being transferred between entities located in different jurisdictions (eg Hong Kong, China, Singapore, Europe and the United States).
This bulletin outlines the relevant personal data protection regime and sets out a few practical issues of which clients should be aware.
History / Background
In Hong Kong, personal data is mainly protected by the Personal Data (Privacy) Ordinance (Cap. 486, PDPO). The PDPO was enacted in 1995, and section 33 (Section 33) remains the only provision of the PDPO that has never been brought into operation. In general, Section 33 prohibits the transfer of personal data to places outside Hong Kong unless the law of the destination jurisdiction offers protection for personal data similar to that of the PDPO, or another exception applies.
A number of jurisdictions in the APAC region, including Singapore, have already put in place comprehensive data protection laws covering, amongst other things, overseas transfer of personal data. In order to preserve Hong Kong’s status as an international finance centre and data hub, it is anticipated that Section 33 will be brought into operation in the near future. The PCPD issued the Guidance Note with a view to assisting data users to prepare for the implementation of Section 33.
What constitutes a cross-border transfer of personal data which is subject to Section 33?
Section 33 applies to transfers of personal data (i) from Hong Kong to a place outside Hong Kong; and (ii) between two other jurisdictions where the transfer is controlled by a Hong Kong data user. According to the Guidance Note, the following situations will trigger the restrictions under Section 33:
- sending or transmitting personal data from Hong Kong to another jurisdiction for storage and/or processing (eg by sending paper or electronic documents containing personal data by courier, post or email);
- engaging third party data processors outside Hong Kong (even if the personal data is stored in Hong Kong);
- passing customers’ personal data to contractors outside Hong Kong;
- allowing employees of an overseas sister company to download or access, from outside Hong Kong, personal data held in a centralised database, even if the database itself is located in Hong Kong; and
- storing personal data in the cloud if the cloud server is located in, or accessible from, a place outside Hong Kong.
When can personal data be transferred to an overseas jurisdiction?
A cross-border transfer of personal data is allowed if any one of the following exceptions set out in Section 33 is satisfied:
- The data transferee is located in a jurisdiction “whitelisted” by the PCPD in the Gazette as a jurisdiction that has in force a data protection regime which is substantially similar to, or serves the same purposes as, the PDPO;
- The data user has “reasonable grounds” for believing that the destination has a data protection regime in force which is substantially similar to, or serves the same purposes as, the PDPO;
- The data subject has consented to the transfer in writing;
- The data user has taken all reasonable precautions and exercised all due diligence to ensure that the personal data will not be handled (eg collected, held, processed or used, including by disclosure and transfer) in a manner that would contravene the PDPO if it took place in Hong Kong. Putting in place an enforceable contract between the parties to the transfer is one way to satisfy this exception; the Guidance Note also contemplates non-contractual means;
- The data user has reasonable grounds for believing that: (i) the transfer is to avoid or mitigate adverse action against the data subject; (ii) it is not practicable to obtain written consent from the data subject; and (iii) the data subject would have given consent if it had been practicable to obtain it; or
- An exemption under Part VIII of the PDPO applies.
Sanctions for breach
Currently, the PCPD has power to investigate any suspected breach of the Data Protection Principles under the PDPO. The PCPD may issue an enforcement notice in respect of a breach, requiring the data user to remedy the breach and prevent its recurrence. Failure to comply with an enforcement notice is a criminal offence punishable by a fine and imprisonment. Further, contravention of certain requirements of the PDPO (excluding, amongst others, the Data Protection Principles themselves) is a criminal offence in its own right, punishable by a fine.
Data users will remain subject to investigation and enforcement action by the PCPD after Section 33 comes into operation. In addition, a data user who, without reasonable excuse, contravenes Section 33 will commit a criminal offence in itself.
Practical Issue (1): Transfer of personal data to Singapore
In general, the objective of Section 33 is to ensure that personal data transferred to an overseas jurisdiction remains properly protected by law. Singapore law contains a similar provision. In particular, the recently enacted Personal Data Protection Act 2012 (PDPA) requires an organisation transferring personal data overseas to ascertain that the recipient is bound by legally enforceable obligations to protect the personal data to a standard at least comparable to that under the PDPA. The PDPA requirement can be satisfied by, amongst other exceptions, (i) obtaining valid consent from the data subject for the transfer; or (ii) imposing legally enforceable obligations on the data transferee to provide the transferred personal data with a standard of protection at least comparable to that under the PDPA. These two exceptions resemble the “consent” and “due diligence” exceptions to Section 33, but “non-contractual means” of imposing obligations on a data transferee would not satisfy the PDPA requirement. It should also be noted that there is no “whitelist” exception under the PDPA. Further details on the Singapore data protection regime and the PDPA are set out in two bulletins issued by our Singapore office.
Practical Issue (2): Handling of personal data by financial institutions
Financial regulators in both Hong Kong and Singapore have issued a number of mandatory and advisory guidelines and circulars on cyber security and the handling of personal data, some of which are covered in our earlier bulletins.
Protection of personal data is an issue that regulators take seriously. As such, cross-border transfer of personal data should be front of mind for senior management.
Practical Issue (3): Adoption of cloud storage and outsourcing technology
Companies that are adopting, or plan to adopt, cloud storage solutions must consider the restrictions on cross-border transfer of personal data, because such solutions will involve a cross-border transfer if the servers are located outside Hong Kong or the data is accessible from outside Hong Kong.
Unless another exception to Section 33 applies, express written consent to the transfer should be obtained from the data subjects to ensure compliance with the PDPO.
Detailed written contracts should also be entered into with the relevant cloud solution provider to ensure that (i) personal data transferred to and stored overseas is subject to a standard of protection at least comparable to that under the PDPO; (ii) the cloud solution provider is required to protect, retain, store and destroy personal data in its possession in full compliance with the PDPO, and processes and uses (including by disclosure and transfer) the data only on the written instructions of the data user; and (iii) the data user retains the right to control access to the data and to conduct audits.
Companies should review existing arrangements and consider taking necessary measures to update such arrangements.
Section 33 is still not in operation in Hong Kong. The issuance of the Guidance Note serves as advance notice to data users that (i) Section 33 may be implemented soon, and (ii) full compliance with the associated regulatory requirements will likely be expected within a short period after implementation.
Clients, particularly MNCs, are encouraged to start developing and establishing the practices recommended in the Guidance Note as part of their corporate governance responsibility to protect personal data. Lawyers in our Hong Kong, Singapore and other offices, with experience in financial services regulation and TMT (telecoms, media and technology), can advise clients on issues arising from cross-border transfer of personal data, possible workarounds (eg data anonymisation) and other related matters.