Section 33 of the Personal Data (Privacy) Ordinance (PDPO) prohibits the transfer of personal data to places outside Hong Kong except in circumstances specified in the PDPO.

Although section 33 is not yet in operation, this dormant provision may well come into force in the near future. Over the last 12 or so months, Hong Kong’s Privacy Commissioner (the Commissioner) and the Hong Kong Government are known to have been working towards the activation of section 33, so that restrictions on the cross-border transfer of personal data are implemented. In December 2014, the Commissioner published a Guidance Note on Personal Data Protection in Cross-Border Data Transfer (the Guidance Note) for data users to prepare for the implementation of section 33. Accordingly, data users should review their existing privacy policies to ensure compliance with the cross-border transfer restrictions once section 33 is implemented.

Personal data

Personal data means any recorded information relating to an identifiable living individual. Examples of personal data are identity card numbers, telephone numbers, addresses, fingerprints, names, medical and employment records, and photos.

What is section 33?

Section 33 of the PDPO prohibits cross-border data transfers in two primary scenarios, namely (i) transfers of personal data from Hong Kong to a place outside Hong Kong; and (ii) transfers of personal data between two other jurisdictions where the transfer is controlled by a Hong Kong data user.

The provision therefore has potentially far-reaching implications, as it prohibits the transfer of personal data abroad by a person who controls the collection, holding, processing or use of the data in Hong Kong. However, a person who is merely transmitting data on behalf of another, and not for any of his own purposes, will not be subject to section 33, pursuant to section 2(12) of the PDPO. An example of this exception is a telecommunication service provider who solely transmits personal data for other data users.

Typical examples of data use and transfer (as identified by the Commissioner) which will trigger the application of section 33 include the following:

  • Engaging a third party service provider situated outside Hong Kong to process personal data;
  • Storing personal data in a cloud server that is accessible outside of Hong Kong;
  • Sending an email containing personal data to a recipient located outside Hong Kong;
  • Sharing personal data of customers and/or employees with related companies around the world in a centralised database; or
  • Passing customers’ personal data to contractors situated outside Hong Kong for the purpose of direct marketing.

Contravention

Data users who, without reasonable excuse, contravene section 33 are liable to a fine of up to HK$10,000 per breach. The Commissioner may also issue enforcement notices to data users who have contravened section 33. Contravention of an enforcement notice issued by the Commissioner is an offence which carries a fine and imprisonment, and a daily penalty in the case of a continuing offence after conviction.

Exceptions to section 33

The exceptions to section 33 are as follows:

  1. White List jurisdictions

The transfer of personal data to a place that has been specified by notice in the Gazette by the Commissioner. The Commissioner currently describes this list of jurisdictions as the White List. The White List is a fluid/dynamic listing, which is – and will be – subject to ongoing review by the Commissioner from time to time. The places specified in the White List are regarded as having data protection laws substantially similar to the PDPO.

  2. Similar PDPO protections

This exception applies when the data user has reasonable grounds for believing that a jurisdiction, though not in the White List, has in force laws which are substantially similar to, or serve the same purposes as, the PDPO. To satisfy this requirement, a data user is expected to undertake a professional assessment and seek legal advice. Subjective views, even if honestly held, will not in themselves be sufficient.

  3. Consent

Data users can transfer personal data abroad if the data subject has consented in writing to the transfer. Such consent needs to be express, voluntary and in writing. The Guidance Note provides that, in order to obtain the data subject’s written consent, the data user should first provide the data subject with information as to the places to which their personal data would be transferred. The data subject should also be informed of the purpose of the transfer and the consequences of providing such consent. Additional guidance is needed regarding, for example, employees’ data and online transactions.

  4. Avoidance or mitigation of adverse action

Another exception applies where the data user has reasonable grounds for believing that the transfer is for the avoidance or mitigation of adverse action against the data subject, that it is not practicable to obtain the data subject’s consent, and that, if it were practicable, such consent would be given. The Commissioner has indicated this limb has a narrow application. The onus is on data users to prove that their belief was reasonable in the relevant factual circumstances.

  5. Statutory exemptions

Data users may transfer personal data outside Hong Kong if the data falls within one of the exemptions under Part VIII of the PDPO. The relevant exemptions include where personal data is held only for domestic purposes; to assist in crime prevention; news activities which are in the public interest; where non-disclosure is likely to cause serious harm to the physical or mental health of the individual; where the transfer is required by Hong Kong law or in Hong Kong legal proceedings; or in an emergency situation.

  6. Due diligence and all reasonable precautions are taken

Another way to satisfy the cross-border transfer restriction is for the data user to have taken all reasonable precautions and exercised all appropriate due diligence to ensure that the data will not, in that place, be collected, held, processed, or used in any manner that would be a contravention of the PDPO if it occurred in Hong Kong.

One of the ways to satisfy this due diligence requirement is to put in place an enforceable contract between the parties to the transfer. The Guidance Note provides some sample clauses to assist data users to prepare these enforceable contracts for the purpose of satisfying this exception.

We expect that the Guidance Note is a precursor to the implementation of section 33 during 2015. Given the significant impact of section 33 on data transfer activities across various sectors in Hong Kong, particularly given the predominance of the financial services industry in Hong Kong, a review of current privacy statements and privacy protection protocols and systems is warranted, and in fact will be necessary to ensure compliance with section 33 when it becomes operative.