On 29 December, 2014, Hong Kong's Privacy Commissioner for Personal Data (the "Commissioner") published a guidance note concerning the potential implementation of section 33 of the Personal Data (Privacy) Ordinance (the "PDPO"), which would restrict the export of personal data from Hong Kong.

Section 33 in Context

As the Commissioner makes clear in his guidance, the data export controls set out in section 33 have not yet been brought into force. There has been no official announcement that the Hong Kong government intends to bring the provision into force. Minutes of the Legislative Council's Panel on Constitutional Affairs meeting of 17 March, 2014 show that the issue was discussed there at a high level as part of the Commissioner's annual report, but without any resolution to consider the issue of data transfers further or pursue implementation of section 33. At present, then, we do not even know whether section 33, which was drafted as part of the PDPO's passage in 1995, would be brought into force in its present form, the wording upon which the guidance is based.

These uncertainties mean that the guidance has a very unusual status as a guide to compliance with the PDPO.

The Commissioner's view is that publication of his guidance will help businesses prepare for the eventual implementation of section 33 and that, in any event, businesses should comply with the guidance as a matter of their corporate governance responsibilities.

What is a Transfer?  What is Not?

Before getting into the detail of the guidance, it is helpful to understand its intended scope of application and some important points made in this area in the guidance.

Some data transfers will be obvious enough. A "transfer" will include situations in which personal data is transmitted by a business (a "data user" in PDPO terminology) by sending paper documents or electronic media containing the data to a place outside of Hong Kong for purposes such as processing by an offshore service provider.

There are some important points of nuance:

Offshore Access to Personal Data Hosted in Hong Kong: The Commissioner's view is that data processed offshore by a service provider accessing data in Hong Kong remotely from another jurisdiction would amount to a transfer. Many outsourcing and offshore service arrangements involve service providers accessing data on the customer's local servers through Citrix or some other secure interface, and it is the Commissioner's view that these would be transfers.

Remote Access to Personal Data from outside Hong Kong: More generally, the Commissioner is of the view that personal data stored on servers accessed remotely from outside Hong Kong would also amount to a transfer. An example given is the situation in which employees of a multi-national company access personal data hosted on Hong Kong servers from outside Hong Kong.

Intra-Group Transfers of Personal Data: The guidance also states that processing of a Hong Kong subsidiary's personal data by another affiliate in the same group offshore would amount to a transfer of Personal Data. Centralised group databases and shared services centres located outside of Hong Kong would therefore trigger the export provisions in the same way as arms' length arrangements do.

The guidance does exclude some processing scenarios from the scope of a section 33 transfer. For example, routing of internet traffic through offshore servers would not amount to a transfer where the sender and intended recipient are both in Hong Kong.

What Are the Section 33 Requirements?

Section 33 provides that personal data may only be transferred from Hong Kong when at least one of the following conditions has been met:

  1. the transfer destination has been included in a "White List" published by the Commissioner in the Gazette;
  2. the data user has reasonable grounds for believing that the transfer destination has in force any law which is substantially similar to, or serves the same purposes as, the PDPO;
  3. the data subject has consented in writing to the transfer;
  4. the data user has reasonable grounds for believing that the transfer is for the avoidance or mitigation of adverse action against the data subject and it is not practicable to obtain the data subject's consent but the data user has reasonable grounds to believe that consent would be given;
  5. the personal data is exempted from data protection principle 3 ("DPP 3") under Part VIII of the PDPO; or
  6. the data user has taken all reasonable precautions and exercised all due diligence to ensure that the data will not, in the transfer destination, be collected, held, processed or used in any manner which, if it were Hong Kong, would be a breach of the PDPO.

Each of these conditions is considered in turn:

Condition 1: The White List

In his 2013 report to the Legislative Council Panel on Constitutional Affairs, the Commissioner reported that he had carried out a survey of 50 jurisdictions assessing their suitability for inclusion in the section 33 White List of permitted destinations. He indicated that this report had been provided to the government: http://www.legco.gov.hk/yr13-14/english/panels/ca/papers/cacb2-790-1-e.pdf.

As the survey, the reasoning behind the Commissioner's assessment and any conclusions drawn from the survey by the government have not been made public, we do not know at this stage which jurisdictions are on the White List and which were marked for rejection and why.

Condition 2: Equivalent Data Privacy Law

Without sight of the White List, or knowledge of which countries the Commissioner considered and rejected as part of his survey, it is not possible to assess how realistic it is that a data user could make use of Condition 2 as the basis for a transfer. The guidance states that the intention is that Condition 2 would only be available in relation to jurisdictions that have not been considered by the Commissioner, rather than jurisdictions considered and rejected, and that legal advice should be sought prior to forming a view on the adequacy of a destination jurisdiction. We would note that the wording in section 33 makes no reference to discounting countries already considered as part of the White List. Given the pace of change of data privacy regulation in the region and across the world, a White List compiled in 2012-2013 would already be out of date, and countries rejected may have improved, or in future will improve, their regulations to the point of being equivalent.

Condition 3: Data Subject's Written Consent

A data subject's written consent would be a basis for making transfers. The guidance elaborates that the consent would need to be express and voluntary and that the data subjects would need to be informed of the purpose of the transfer, the destination of the transfer and have explained to them that their personal data may not be protected at the same or any similar level as it would in Hong Kong. The guidance indicates that a separate tick box would be needed in order for the consent to be sufficiently clear.

Condition 4: Avoidance or Mitigation of Adverse Action

The guidance indicates that this condition would be of narrow application, the example given being instances in which the data subject would suffer a financial loss if data is not transferred for reasons made necessary by the performance of a contract that he or she is party to.

Condition 5: Part VIII Exemptions to DPP 3

The Part VIII exemptions to DPP 3 include a range of circumstances dealt with in Part VIII of the PDPO, including processing for the purposes of the prevention or detection of crime, for the purposes of Hong Kong legal proceedings and for the purposes of news publication.

A point of interest here is how section 33 would, if enacted, impact disclosures in response to requests or demands by foreign regulators and law enforcement officials, which are increasingly being seen in Hong Kong in the wake of the financial crisis. Given that the Part VIII exemptions have separately been given a restrictive interpretation in relation to foreign regulatory investigations, it is likely that an implementation of section 33 in the manner proposed by the guidance would add an additional hurdle that would need to be cleared in the context of many regulatory investigations.

Condition 6: Due Diligence

Condition 6 would be of particular interest to many Hong Kong businesses as a likely route to compliance with section 33 if a satisfactory data subject consent has not already been obtained or the transfer destination is not on the Commissioner's White List.

In the appendix to the guidance, the Commissioner has published a set of model clauses for incorporation into contracts between the data user and its transferees. The guidance states that non-contractual measures, if adequately documented, may also be used to the same end, including the following non-exhaustive examples:

  • carrying out due diligence into the technical competence and organizational measures governing the use and processing of personal data;
  • assessing policies and procedures relating to personal data, including steps taken to train relevant personnel and security measures;
  • in the context of intra-group transfers, ensuring that effective group policies meeting the requirements of the PDPO are in place; and
  • rights to audit and inspect data processing arrangements.

The Model Clauses: mandatory or not?

Page 8 of the guidance states that the model clauses are the Commissioner's recommendation only and that use of the clauses would not be mandatory. However, in the words that follow and in the schedule itself, there is wording suggesting that the "Core Clauses" set out in Section 1 would be mandatory in order to achieve compliance with the PDPO, and that the flexibility offered by the Commissioner would relate to whether or not the non-mandatory "Additional Clauses" in Section 2 are incorporated into the agreement and to the fact that parties are free to incorporate additional terms as commercially agreed.

Given that the guidance states that use of the model terms would be one of several options available to achieve a compliant transfer and that non-contractual means may also achieve compliance, it seems odd that the option to apply the model clauses would generate this inflexibility.

Data Users and Data Processors Too?

It appears to be implicit to the guidance that the Condition 6 requirements described above relate to transfers as between data users: i.e. transfers made by a business to another business that also determines the purposes for which personal data may be processed, and not transfers to data processors who only process data in accordance with the business's instructions. This inference is based on the statement on page 7 of the guidance that "transferees outside Hong Kong are required to observe the requirements under DPP2 to DPP6." This statement is not true of data processors, who are not directly regulated under the PDPO. However, in the preamble to the appendix to the guidance, which sets out the model clauses, there is reference to incorporating the terms into outsourcing agreements, which would suggest that the Commissioner intends the opposite.

If the Commissioner's intention is to have the model clauses apply both to data user-data user transfers and data user-data processor transfers, a preferable approach would have been to follow the European Commission's approach to the same issue under European Directive 95/46, which involves separate sets of model clauses for each scenario, given the different regulatory requirements and lighter touch to regulation in a "pure data processing" scenario: http://ec.europa.eu/justice/data-protection/document/international-transfers/transfer/index_en.htm.

Data Subject Enforcement

One of the most controversial features of the model clauses is the provision, described as an optional requirement in Section 2 of the schedule to the guidance, granting data subjects direct rights of enforcement against both transferors and transferees. These rights would be enabled through the pending enactment of the Contracts (Rights of Third Parties) Ordinance, which was gazetted on 5 December, 2014 but has not yet been brought into force.

Can the Model Clauses Be Agreed?

We expect that businesses will find significant difficulties in agreeing the model clauses in their present form.

Reading the model clauses in the pure data processing context, we highly doubt that vendors of data processing services would be agreeable to these terms, particularly given there is no basis under the PDPO for the obligations imposed upon them other than the requirement on data users to obtain undertakings from data processors to comply with relevant parts of DPP 2 and 4. Clause 3, which purports to make transferors and transferees jointly liable to data subjects for damages arising from the transfer, would represent a significant shift from market practice risk allocations in data processing agreements.

A number of the model clauses do look more appropriate to the data user – data user context, but many of the more difficult clauses dealing with risk allocation only look appropriate if third party rights of enforcement are given to data subjects, a feature which remains optional and does not seem an obvious way to improve the compliance position for the benefit of data subjects. The overriding problem is that the Core Clauses are, on one reading at least, expressed to be mandatory and it is not easy to see how they can be integrated with typical commercial outcomes.

For example, clause 5.1 provides that a simple breach of the model clauses by the transferee would give the transferor the right to terminate the agreement immediately upon notice, whether or not the breach is actually material and whether or not a remedy for the breach is possible or has already been achieved. Given the administrative approach to the PDPO, which seeks to resolve matters of non-compliance and improve business practices rather than unduly restrict data processing, a "hair trigger" termination right seems inappropriate.

Conclusions

We believe that the Commissioner's guidance on cross-border data transfers will be highly controversial. The controversial aspects of the guidance are compounded by the fact that there is at present no proposal by the government to bring the enactment of section 33 forward and therefore no pending statutory instrument to evaluate the guidance against. Furthermore, the guidance is also unclear in a number of key aspects, making its interpretation difficult.

While it is clear that Hong Kong businesses are increasingly seeing data privacy compliance as good business practice – and support in achieving good practice is likely to be well received – we believe that the guidance would be well served by business input. The Commissioner has welcomed feedback on the guidance. Hogan Lovells intends to submit more detailed comments to the Commissioner for his consideration. We would greatly appreciate your feedback and views.

The Commissioner's media statement concerning the guidance may be found at: http://www.pcpd.org.hk/english/news_events/media_statements/press_20141229.html.

The Commissioner's guidance may be found at: http://www.pcpd.org.hk/english/resources_centre/publications/guidance/files/GN_crossborder_e.pdf.