On 29 December, 2014, Hong Kong's Privacy Commissioner for Personal Data (the "Commissioner") published a guidance note concerning the potential implementation of section 33 of the Personal Data (Privacy) Ordinance (the "PDPO"), which would restrict the export of personal data from Hong Kong.
Section 33 in Context
As the Commissioner makes clear in his guidance, the data export controls set out in section 33 have not yet been brought into force. There has been no official announcement that the Hong Kong government intends to bring the provision into force. Minutes of the Legislative Council's Panel on Constitutional Affairs meeting of 17 March, 2014 show that the issue was discussed there at a high level as part of the Commissioner's annual report, but without any resolution to consider the issue of data transfers further or pursue implementation of section 33. At present, then, we do not even know whether section 33, which was drafted as part of the PDPO's passage in 1995, would be brought into force in its present form, the wording upon which the guidance is based.
These uncertainties mean that the guidance has a very unusual status as a guide to compliance with the PDPO.
The Commissioner's view is that publication of his guidance will help businesses prepare for the eventual implementation of section 33 and that, in any event, businesses should comply with the guidance as a matter of their corporate governance responsibilities.
What is a Transfer? What is Not?
Before getting into the detail of the guidance, it is helpful to understand its intended scope of application and some important points made in this area in the guidance.
Some data transfers will be obvious enough. A "transfer" will include situations in which personal data is transmitted by a business (a "data user" in PDPO terminology) by sending paper documents or electronic media containing the data to a place outside of Hong Kong for purposes such as processing by an offshore service provider.
There are some important points of nuance:
Offshore Access to Personal Data Hosted in Hong Kong: The Commissioner's view is that data processed offshore by a service provider accessing data in Hong Kong remotely from another jurisdiction would amount to a transfer. Many outsourcing and offshore service arrangements involve service providers accessing data on the customer's local servers through Citrix or some other secure interface, and it is the Commissioner's view that these would be transfers.
Remote Access to Personal Data from outside Hong Kong: More generally, the Commissioner is of the view that personal data stored on servers accessed remotely from outside Hong Kong would also amount to a transfer. An example given is the situation in which employees of a multi-national company access personal data hosted on Hong Kong servers from outside Hong Kong.
Intra-Group Transfers of Personal Data: The guidance also states that processing of a Hong Kong subsidiary's personal data by another affiliate in the same group offshore would amount to a transfer of personal data. Centralised group databases and shared services centres located outside of Hong Kong would therefore trigger the export provisions in the same way as arm's length arrangements do.
The guidance does exclude some processing scenarios from the scope of a section 33 transfer. For example, routing of internet traffic through offshore servers would not amount to a transfer where the sender and intended recipient are both in Hong Kong.
What Are the Section 33 Requirements?
Section 33 provides that personal data may only be transferred from Hong Kong when at least one of the following conditions has been met:
- the transfer destination has been included in a "White List" published by the Commissioner in the Gazette;
- the data user has reasonable grounds for believing that the transfer destination has in force any law which is substantially similar to, or serves the same purposes as, the PDPO;
- the data subject has consented in writing to the transfer;
- the data user has reasonable grounds for believing that the transfer is for the avoidance or mitigation of adverse action against the data subject and it is not practicable to obtain the data subject's consent but the data user has reasonable grounds to believe that consent would be given;
- the personal data is exempted from data protection principle 3 ("DPP 3") under Part VIII of the PDPO; or
- the data user has taken all reasonable precautions and exercised all due diligence to ensure that the data will not, in the transfer destination, be collected, held, processed or used in any manner which, if it were in Hong Kong, would be a breach of the PDPO.
Each of these conditions is considered in turn:
Condition 1: The White List
In his 2013 report to the Legislative Council Panel on Constitutional Affairs, the Commissioner reported that he had carried out a survey of 50 jurisdictions assessing their suitability for inclusion in the section 33 White List of permitted destinations. He indicated that this report had been provided to the government: http://www.legco.gov.hk/yr13-14/english/panels/ca/papers/cacb2-790-1-e.pdf.
As the survey, the reasoning behind the Commissioner's assessment and any conclusions drawn from the survey by the government have not been made public, we do not know at this stage which jurisdictions are on the White List and which were marked for rejection and why.
Condition 2: Equivalent Data Privacy Law
In the absence of seeing the White List and understanding what countries the Commissioner considered and rejected as part of the Commissioner's survey, it is not possible to assess how realistic it is that a data user could make use of Condition 2 as the basis for a transfer. The guidance states that the intention is that Condition 2 would only be available in relation to jurisdictions that have not been considered by the Commissioner, rather than jurisdictions considered and rejected, and that legal advice should be sought prior to forming a view on the adequacy of a destination jurisdiction. We would note that the wording in section 33 makes no reference to discounting countries already considered as part of the White List. Given the pace of change of data privacy regulation in the region and across the world, a White List compiled in 2012-2013 would already be out of date and countries rejected may have improved, or in future will improve, their regulations to the point of being equivalent.
Condition 3: Data Subject's Written Consent
A data subject's written consent would be a basis for making transfers. The guidance elaborates that the consent would need to be express and voluntary and that the data subjects would need to be informed of the purpose of the transfer, the destination of the transfer and have explained to them that their personal data may not be protected at the same or any similar level as it would in Hong Kong. The guidance indicates that a separate tick box would be needed in order for the consent to be sufficiently clear.
Condition 4: Avoidance or Mitigation of Adverse Action
The guidance indicates that this condition would be of narrow application; the example given is an instance in which the data subject would suffer a financial loss if data were not transferred, the transfer being made necessary by the performance of a contract to which he or she is a party.
Condition 5: Part VIII Exemptions to DPP 3
The Part VIII exemptions to DPP 3 include a range of circumstances dealt with in Part VIII of the PDPO, including processing for the purposes of the prevention or detection of crime, for the purposes of Hong Kong legal proceedings and for the purposes of news publication.
A point of interest here is how section 33 would, if enacted, impact disclosures in response to requests or demands by foreign regulators and law enforcement officials, which are increasingly being seen in Hong Kong in the wake of the financial crisis. Given that the Part VIII exemptions have separately been given a restrictive interpretation in relation to foreign regulatory investigations, it is likely that an implementation of section 33 in the manner proposed by the guidance would add an additional hurdle that would need to be cleared in the context of many regulatory investigations.
Condition 6: Due Diligence
Condition 6 would be of particular interest to many Hong Kong businesses as a likely route to compliance with section 33 if a satisfactory data subject consent has not already been obtained or the transfer destination is not on the Commissioner's White List.
In the appendix to the guidance, the Commissioner has published a set of model clauses for incorporation into contracts between the data user and its transferees. The guidance states that non-contractual measures, if adequately documented, may also be used to the same end, including the following non-exhaustive examples:
- carrying out due diligence into the technical competence and organizational measures governing the use and processing of personal data;
- assessing policies and procedures relating to personal data, including steps taken to train relevant personnel and security measures;
- in the context of intra-group transfers, ensuring that effective group policies meeting the requirements of the PDPO are in place; and
- rights to audit and inspect data processing arrangements.
The Model Clauses: mandatory or not?
Page 8 of the guidance states that the model clauses are the Commissioner's recommendation only and that use of the clauses would not be mandatory. However, in the words that follow and in the schedule itself, there is wording suggesting that the "Core Clauses" set out in Section 1 would be mandatory in order to achieve compliance with the PDPO and the flexibility offered by the Commissioner would relate to whether or not the non-mandatory "Additional Clauses" in Section 2 are incorporated into the agreement and to the fact that parties are free to incorporate additional terms as commercially agreed.
Given that the guidance states that use of the model terms would be one of several options available to achieve a compliant transfer and that non-contractual means may also achieve compliance, it seems odd that the option to apply the model clauses would generate this inflexibility.
Data Users and Data Processors Too?
It appears to be implicit in the guidance that the Condition 6 requirements described above relate to transfers as between data users: i.e. transfers made by a business to another business that also determines the purposes for which personal data may be processed, and not transfers to data processors who only process data in accordance with the business's instructions. This inference is based on the statement on page 7 of the guidance that "transferees outside Hong Kong are required to observe the requirements under DPP2 to DPP6." This statement is not true of data processors, who are not directly regulated under the PDPO. However, in the preamble to the appendix to the guidance, which sets out the model clauses, there is reference to incorporating the terms into outsourcing agreements, which would suggest that the Commissioner intends the opposite.
If the Commissioner's intention is to have the model clauses apply both to data user-data user transfers and data user-data processor transfers, a preferable approach would have been to follow the European Commission's approach to the same issue under European Directive 95/46, which involves separate sets of model clauses for each scenario, given the different regulatory requirements and lighter touch to regulation in a "pure data processing" scenario: http://ec.europa.eu/justice/data-protection/document/international-transfers/transfer/index_en.htm.
Data Subject Enforcement
One of the most controversial features of the model clauses is the provision, described as an optional requirement in Section 2 of the schedule to the guidance, granting data subjects direct rights of enforcement against both transferors and transferees. These rights would be enabled through the pending enactment of the Contracts (Rights of Third Parties) Ordinance, which was gazetted on 5 December, 2014 but has not yet been brought into force.
Can the Model Clauses Be Agreed?
We expect that businesses will find significant difficulties in agreeing the model clauses in their present form.
Reading the model clauses in the pure data processing context, we highly doubt that vendors of data processing services would be agreeable to these terms, particularly given there is no basis under the PDPO for the obligations imposed upon them other than the requirement on data users to obtain undertakings from data processors to comply with relevant parts of DPP 2 and 4. Clause 3, which purports to make transferors and transferees jointly liable to data subjects for damages arising from the transfer would represent a significant shift from market practice risk allocations in data processing agreements.
A number of the model clauses do look more appropriate to the data user – data user context, but many of the more difficult clauses dealing with risk allocation only look appropriate if third party rights of enforcement are given to data subjects, a feature which remains optional and does not seem an obvious way to improve the compliance position for the benefit of data subjects. The overriding problem is that the Core Clauses are, on one reading at least, expressed to be mandatory, and it is not easy to see how they can be integrated with typical commercial outcomes.
For example, clause 5.1 provides that a simple breach of the model clauses by the transferee would give the transferor the right to terminate the agreement immediately upon notice, whether or not the breach is actually material and whether or not a remedy for the breach is possible or has already been achieved. Given the administrative approach to the PDPO, which seeks to resolve matters of non-compliance and improve business practices rather than unduly restrict data processing, a "hair trigger" termination right seems inappropriate.
We believe that the Commissioner's guidance on cross-border data transfers will be highly controversial. The controversial aspects of the guidance are compounded by the fact that there is at present no proposal by the government to bring the enactment of section 33 forward and therefore no pending statutory instrument to evaluate the guidance against. Furthermore, the guidance is also unclear in a number of key aspects, making its interpretation difficult.
While it is clear that Hong Kong businesses are increasingly seeing data privacy compliance as good business practice – and support in achieving good practice is likely to be well received – we believe that the guidance would be well served by business input. The Commissioner has welcomed feedback on the guidance. Hogan Lovells intends to submit more detailed comments to the Commissioner for his consideration. We would greatly appreciate your feedback and views.
The Commissioner's media statement concerning the guidance may be found at: http://www.pcpd.org.hk/english/news_events/media_statements/press_20141229.html.
The Commissioner's guidance may be found at: http://www.pcpd.org.hk/english/resources_centre/publications/guidance/files/GN_crossborder_e.pdf.