Recent guidance from Hong Kong’s Privacy Commissioner suggests that Hong Kong may be on the verge of implementing major new restrictions on the cross-border transfer of personal data. The recent guidance concerns a law known as the “Personal (Data) Privacy Ordinance” (PDPO) that has been on the books for 20 years but has never been implemented.

Under the PDPO, the cross-border transfer of personal data from Hong Kong is prohibited unless certain exceptions apply, or the data are transferred to countries with similar data protection standards. Despite being on the books for two decades, the PDPO has never been implemented because of concerns over its potentially disruptive impact on international commerce.

Nonetheless, the Hong Kong Privacy Commissioner is now urging the government to finally implement the law. To encourage implementation, the Privacy Commissioner has also issued model clauses for dealing with cross-border data transfers. If implemented, personal data could only be transferred outside of Hong Kong if it meets the following criteria:

  1. The transfer is to a country appearing on the Privacy Commissioner’s “White List” (which has not been published);
  2. The transfer is to a country with similar data protection laws as Hong Kong;
  3. The data subject has provided their specific written consent;
  4. The transfer satisfies a statutory exemption such as preventing crime; or
  5. The data user has taken reasonable precautions to ensure that the data transferred abroad will not be collected, used, or transferred in a way that, if it were in Hong Kong, would violate the PDPO.

Although it remains uncertain whether the PDPO will, in fact, be implemented after all these years, the Privacy Commissioner’s guidance suggests that there is a good chance it will be. If so, the transfer of personal data from Hong Kong may soon become much more complicated.