Section 33 of the Personal Data (Privacy) Ordinance (Cap. 486) (the “PDPO”) prohibits the transfer of personal data to places outside of Hong Kong unless certain conditions are met, but it is not currently in force and there is still no indication as to when it will be brought in to force.
However, recently (29 December 2014) the Hong Kong Privacy Commissioner issued its “Guidance on Personal Data Protection in Cross-border Data Transfer” which is supposed to serve as a practical guide for organisations that control the collection and use of personal data (“data users”) to prepare for the implementation of Section 33, leading some to believe that it will be coming into force soon. The Guidance provides details on how to satisfy the conditions set out in Section 33 for the transfer of personal data to places outside of Hong Kong, as summarised below:
- The White List – data users can transfer personal data to countries included on a “white list”. The Privacy Commissioner has assessed 50 jurisdictions for inclusion on this list, but this list is yet to be published.
- Similar laws – the transfer of personal data is permitted to countries which have “any law which is substantially similar to, or serves the same purposes as” the PDPO. This is intended to address the jurisdictions which have not been assessed by the Privacy Commissioner.
- Written Consent – personal data can be transferred outside of Hong Kong if the data subject has expressly and voluntarily consented in writing and such consent has not been withdrawn.
- Avoidance or mitigation of adverse action – data users can transfer personal data outside of Hong Kong if they have reasonable grounds for believing that the transfer is necessary for the avoidance or mitigation of adverse action against a data subject but it is not practicable to obtain the consent of the data subject beforehand. The Guidance states that that this exemption will be of narrow application.
- Part VIII Exemptions – personal data can be transferred outside of Hong Kong if an exemptions applies, which are:- for domestic purposes; for the prevention or detection of a crime; for health purposes; for Hong Kong legal proceedings; for the purposes of a news publication; for statistics and research; and in the event of an emergency.
- Reasonable precautions and due diligence – Data users can transfer personal data outside of Hong Kong if they can show that the personal data concerned will be given the equivalent protection to that provided for by the PDPO. To assist data users to satisfy this requirement the Privacy Commissioner has prepared a set of model data transfer clauses which can be used and adapted by data users to develop an enforceable contract for their cross-border transfers. Alternatively, data users may also adopt non- contractual means to satisfy this condition.
The Privacy Commissioner has stated that regardless of when Section 33 will take effect, data users are encouraged to adopt the practices recommended in the Guidance as part of their corporate governance responsibility to protect personal data.